Hi Moritz,

On Mon 10 Dec 2018 22:30:34 CET, Moritz Mühlenhoff wrote:

> On Mon, Dec 10, 2018 at 05:44:51PM +0000, Mike Gabriel wrote:
>> Hi,
>>
>> I'd like to discuss the possible pathways for getting FreeRDP fixed in Debian jessie LTS (and Debian stretch, too).
>
> debian-security@ldo is not the proper contact address, I've fixed the recipient list.

Ok. Thanks.

>> Last week I talked to Bernhard Miklautz (one of the FreeRDP upstream maintainers and the actual packager of FreeRDPv2 in Debian).
>>
>> 1. Looking at fixing FreeRDP v1.1 in jessie / stretch
>> -----------------------------------------------------
>>
>> He sketched up the following pathway for getting freerdp (v1.1) fixed in Debian jessie (and stretch):
>
> What is the impact/scope of the individual issues? The individual commit messages are quite scarce. Are these exploitable by the server or a connecting client or vice versa?

First of all, FreeRDP in jessie/stretch never built the FreeRDP Server code as it was too immature at that time.
So, let's assume that FreeRDP in jessie/stretch only acts as a client against a malign server.
* CVE-2018-8786: client affected, if a malign server sends over a malign bitmap
* CVE-2018-8789: unclear to me, issue in WinPR (which is the FreeRDP toolbox, sloppily spoken, imitating Windows API)
* CVE-2018-8787: client affected, if a malign server sends over a malign bitmap
* CVE-2018-8788: client affected, if a malign server uses NSCodec and sends over a malign bitmap
From my understanding the potential remote code executions that are mentioned in the CVE descriptions are triggered by a malign server and the code executions then happen on the client side.
I have Cc:ed Bernhard so that he can negate or confirm my above estimations (as I am not an expert for FreeRDP upstream code).
Thanks+Greets,
Mike
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de