Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
Gah. Forgot to fix the CC here as well, sorry for the noise.
On 2018-12-11 10:05:53, Antoine Beaupré wrote:
> On 2018-12-10 17:44:51, Mike Gabriel wrote:
>> I'd like to discuss the possible pathways for getting FreeRDP fixed in
>> Debian jessie LTS (and Debian stretch, too).
>> Last week I talked to Bernhard Miklautz (one of the FreeRDP upsteam
>> maintainers and the actual packager of FreeRDPv2 in Debian).
>> 1. Looking at fixing FreeRDP v1.1 in jessie / stretch
>> He sketched up the following pathway for getting freerdp (v1.1) fixed
>> in Debian jessie (and stretch):
>> * Backport https://github.com/FreeRDP/FreeRDP/pull/4499
>> -> required for FreeRDP in jessie/stretch to be able to connect
>> to current RDP servers
>> (not a security issue, but a functionality issue due to
>> Microsoft updates rolled out
>> during Q1 / 2018).
>> -> estimated effort: 1-2h
>> * CVE-2018-8785: not needed for jessie / stretch (code not present)
>> * CVE-2018-8786,
>> CVE-2018-8789: estimated hours for all three: 1-2h
>> * CVE-2018-8787: estimated hours: 1-2h
>> * CVE-2018-8788: can be become quite an effort, estimated time: 2h++
>> * CVE-2018-8784: not needed for jessie / stretch (code not present)
>> While this sounds nice and feasible the underlying tone of investing
>> so much work into FreeRDP v1.1 was a different one.
>> E.g. the fix for CVE-2018-8789 should be quick and simple. But the
>> surrounding code is buggy to a great extent, too.
>> There have been so many stabilizing code fixes over the past 1-2 years.
>> 2. Backporting FreeRDP v2 from buster to jessie and stretch
>> Another approach, with a more stable and usable result is backporting
>> FreeRDP v2 to jessie and stretch right away.
>> Most people (I hope) are using freerdp2-x11 from stretch-backports
>> (plus remmina from stretch-bpo) on Debian stable these days (freerdp
>> 1.1 in stretch is broken with Windows RDP servers that are up-to-date
>> with their patch levels).
>> Reverse Depends: freerdp-x11 (>= 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>> Reverse Depends: libfreerdp-dbg (=
>> Reverse Depends: libfreerdp-dev (=
>> Reverse Depends: libguac-client-rdp0 (>= 0.8.3-1+b2)
>> Reverse Depends: libxfreerdp-client1.1 (>=
>> Reverse Depends: remmina-plugin-rdp (>= 1.1.1-2)
>> Reverse Depends: vlc (>= 2.2.7-1~deb8u1)
>> Reverse Depends: freerdp-x11-dbg (=
>> Reverse Depends: ltsp-client (5.5.4-4)
>> So the plan could be this:
>> - rebuild freerdp (v1.1) as a shared libs package only, drop
>> freerdp-x11 (which
>> contains the command line tool)
>> - backport freerdp2 from Debian unstable to jessie/stretch
>> - backport remmina from Debian unstable to jessie/stretch
>> - rebuild vlc in jessie (and possibly stretch, too) without RDP support
>> - ltsp-client: adapt command line syntax to new FreeRDP2 cli style
> That sounds like a large change, especially about dropping RDP support
> from VLC... Do we have any idea about how VLC uses RDP and how many of
> our users expect that to work in the first place? How about changes in
>> - libguac-client-rdp0: leave as is... Guacamole upstream still believes in
>> FreeRDP v1.1 shared lib API...
> "Believes"? I don't understand this point...
>> Before going any deeper into this, I'd love to get some feedback from
>> the LTS and the security team about the proposed strategies. Are there
>> other possible pathways to go? If so, please share yours.
>> The FreeRDP v1.1 backporting work (8-10 hours) would have to be
>> outsourced to ThinCast in Austria (where most FreeRDP upstream devs
>> work these days).
> I don't know of any other pathways, but from what I understand we have
> some extra hours to spare, so we could allow ourselves such an expense
> to keep jessie ... "stable". :)
> Dans vos mensonges de pierre
> Vous gaspillez le soleil
> - Gilles Vigneault
Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are, by
definition, not smart enough to debug it.
- Brian W. Kernighan