Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: debian-lts@lists.debian.org, team@security.debian.org, bernhard.miklautz@shacknet.at
Subject: Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Tue, 11 Dec 2018 16:42:17 +0000
Message-id: <[🔎] 20181211164217.Horde.BMLtplE-WKNzTGYlqc4eve4@mail.das-netzwerkteam.de>
In-reply-to: <[🔎] 20181210213034.GB15274@pisco.westfalen.local>
References: <[🔎] 20181210174451.Horde.B1NfVFfMb9XLz02NBYRJxA5@mail.das-netzwerkteam.de> <[🔎] 20181210213034.GB15274@pisco.westfalen.local>

Hi Moritz,

On  Mo 10 Dez 2018 22:30:34 CET, Moritz Mühlenhoff wrote:

On Mon, Dec 10, 2018 at 05:44:51PM +0000, Mike Gabriel wrote:

Hi,

I'd like to discuss the possible pathways for getting FreeRDP fixed in
Debian jessie LTS (and Debian stretch, too).


debian-security@ldo is not the proper contact address, I've fixed
the recipient list.


Ok. Thanks.

Last week I talked to Bernhard Miklautz (one of the FreeRDP upsteam
maintainers and the actual packager of FreeRDPv2 in Debian).

1. Looking at fixing FreeRDP v1.1 in jessie / stretch
-----------------------------------------------------

He sketched up the following pathway for getting freerdp (v1.1) fixed in
Debian jessie (and stretch):


What is the impact/scope of the individual issues? The individual commit
messages are quite scarce. Are these exploitable by the server or
a connecting client or vice versa?

First of all, FreeRDP in jessie/stretch never built the FreeRDP Servercode as it was to immature at that time.

So, let's assume that FreeRDP in jessie/stretch only acts as a clientagainst a malign server.

* CVE-2018-8786: client affected, if a malign server sends over amalign bitmap

* CVE-2018-8789: unclear to me, issue in WinPR (which is theFreeRDP toolbox, sloppily spoken, immitating

    Windows API)

* CVE-2018-8787: client affected, if a malign server sends over amalign bitmap* CVE-2018-8788: client affected, if a malign server uses NScodedand sends over a malign bitmap

From my understanding the potential remote code executions that arementioned in the CVE descriptions are triggered by a malign server andthe code executions then happen on the client side.

I have Cc:ed Bernhard so that he can negate or confirm my aboveestimations (as I am not an expert for FreeRDP upstream code).


Thanks+Greets,
Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgpMUB4We_4XZ.pgp
Description: Digitale PGP-Signatur

Reply to:

Follow-Ups:
- Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
  - From: Moritz Mühlenhoff <jmm@inutil.org>

References:
- Addressing FreeRDP security issues in Debian jessie (and stretch)
  - From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
- Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
  - From: Moritz Mühlenhoff <jmm@inutil.org>

Prev by Date: Re: automating process for publishing DLAs on the website
Next by Date: Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
Previous by thread: Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
Next by thread: Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
Index(es):
- Date
- Thread