
Bug#1069752: marked as done (freerdp3: CVE-2024-32658 CVE-2024-32659 CVE-2024-32660 CVE-2024-32661)



Your message dated Wed, 01 May 2024 21:19:22 +0000
with message-id <E1s2HMI-00GCcf-6G@fasolo.debian.org>
and subject line Bug#1069752: fixed in freerdp3 3.5.1+dfsg1-3
has caused the Debian Bug report #1069752,
regarding freerdp3: CVE-2024-32658 CVE-2024-32659 CVE-2024-32660 CVE-2024-32661
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1069752: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069752
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: freerdp3
Version: 3.5.0+dfsg1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for freerdp3.

CVE-2024-32658[0]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| FreeRDP based clients prior to version 3.5.1 are vulnerable to out-
| of-bounds read. Version 3.5.1 contains a patch for the issue. No
| known workarounds are available.


CVE-2024-32659[1]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| FreeRDP based clients prior to version 3.5.1 are vulnerable to out-
| of-bounds read if `((nWidth == 0) and (nHeight == 0))`. Version
| 3.5.1 contains a patch for the issue. No known workarounds are
| available.


CVE-2024-32660[2]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| Prior to version 3.5.1, a malicious server can crash the FreeRDP
| client by sending invalid huge allocation size. Version 3.5.1
| contains a patch for the issue. No known workarounds are available.


CVE-2024-32661[3]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| FreeRDP based clients prior to version 3.5.1 are vulnerable to a
| possible `NULL` access and crash. Version 3.5.1 contains a patch for
| the issue. No known workarounds are available.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32658
    https://www.cve.org/CVERecord?id=CVE-2024-32658
[1] https://security-tracker.debian.org/tracker/CVE-2024-32659
    https://www.cve.org/CVERecord?id=CVE-2024-32659
[2] https://security-tracker.debian.org/tracker/CVE-2024-32660
    https://www.cve.org/CVERecord?id=CVE-2024-32660
[3] https://security-tracker.debian.org/tracker/CVE-2024-32661
    https://www.cve.org/CVERecord?id=CVE-2024-32661

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: freerdp3
Source-Version: 3.5.1+dfsg1-3
Done: Jeremy Bícha <jbicha@ubuntu.com>

We believe that the bug you reported is fixed in the latest version of
freerdp3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1069752@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Bícha <jbicha@ubuntu.com> (supplier of updated freerdp3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 May 2024 16:32:21 -0400
Source: freerdp3
Built-For-Profiles: noudeb
Architecture: source
Version: 3.5.1+dfsg1-3
Distribution: unstable
Urgency: high
Maintainer: Debian Remote Maintainers <debian-remote@lists.debian.org>
Changed-By: Jeremy Bícha <jbicha@ubuntu.com>
Closes: 1069752
Changes:
 freerdp3 (3.5.1+dfsg1-3) unstable; urgency=high
 .
   [ Bernhard Miklautz ]
   * Performance improvements
     - Set -DNDEBUG (automatically set for Release but not for RelWithDebInfo)
     - Set -DWITH_VERBOSE_WINPR_ASSERT=OFF
 .
   [ Nathan Pratta Teodosio ]
   * Add autopkgtest
 .
   [ Jeremy Bícha ]
   * debian/*.symbols: Add new symbols
   * Release to unstable
 .
 freerdp3 (3.5.1+dfsg1-2) experimental; urgency=medium
 .
   * Enable proxy support
   * Enable the SDL client
 .
 freerdp3 (3.5.1+dfsg1-1) unstable; urgency=high
 .
   [ Jeremy Bícha ]
   * New upstream release (Closes: #1069752)
     - CVE-2024-32658 [Low] ExtractRunLengthRegular* out of bound read
     - CVE-2024-32659 [Low] freerdp_image_copy out of bound read
     - CVE-2024-32660 [Low] zgfx_decompress out of memory
     - CVE-2024-32661 [Low] rdp_write_logon_info_v1 NULL access
     - CVE-2024-32662 [Low] rdp_redirection_read_base64_wchar out of bound read
   * Fix typo in enabling smartcard emulation
   * Update symbols files
   * Set symbols check level to 4
 .
   [ Bernhard Miklautz ]
   * Update symbol files
   * debian/[control|rules]: enable WEBP, JPEG and PNG support for clipboard
   * debian/copyright[.in]: update copyright files
   * debian/control: update pkg-config binary package name
Checksums-Sha1:
 b0a0cd8f5c23c8ff133527fe748ae4f8f92cab1b 3886 freerdp3_3.5.1+dfsg1-3.dsc
 444c6f3f4371233d44880b3811724dfb8ee9eb48 45916 freerdp3_3.5.1+dfsg1-3.debian.tar.xz
 37ef30d009027373af9cdc0be346d27c21355246 11341 freerdp3_3.5.1+dfsg1-3_source.buildinfo
Checksums-Sha256:
 d5f8764783048acb49d9f7ad36f391d67b4d2b34c676b10cfac9c6e3432dc951 3886 freerdp3_3.5.1+dfsg1-3.dsc
 a0b555fe774994ad3d7820d864512286ae7c8efdd38629ca66bfee17b4655230 45916 freerdp3_3.5.1+dfsg1-3.debian.tar.xz
 e2bdb3d641a442a2e90bf5e746061c4143aa9271017591fd4eab9657e3a33d6f 11341 freerdp3_3.5.1+dfsg1-3_source.buildinfo
Files:
 5d60afe599024cfc72a59709317970ae 3886 x11 optional freerdp3_3.5.1+dfsg1-3.dsc
 8b8e601bd4370268f74c9c96cf579d48 45916 x11 optional freerdp3_3.5.1+dfsg1-3.debian.tar.xz
 11f77c6801177147527a6eaef699dc2e 11341 x11 optional freerdp3_3.5.1+dfsg1-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
