
Bug#1069752: marked as done (freerdp3: CVE-2024-32658 CVE-2024-32659 CVE-2024-32660 CVE-2024-32661)



Your message dated Mon, 29 Apr 2024 19:05:47 +0000
with message-id <E1s1WJv-005dF5-HQ@fasolo.debian.org>
and subject line Bug#1069752: fixed in freerdp3 3.5.1+dfsg1-1
has caused the Debian Bug report #1069752,
regarding freerdp3: CVE-2024-32658 CVE-2024-32659 CVE-2024-32660 CVE-2024-32661
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1069752: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069752
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: freerdp3
Version: 3.5.0+dfsg1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for freerdp3.

CVE-2024-32658[0]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| FreeRDP based clients prior to version 3.5.1 are vulnerable to out-
| of-bounds read. Version 3.5.1 contains a patch for the issue. No
| known workarounds are available.


CVE-2024-32659[1]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| FreeRDP based clients prior to version 3.5.1 are vulnerable to out-
| of-bounds read if `((nWidth == 0) and (nHeight == 0))`. Version
| 3.5.1 contains a patch for the issue. No known workarounds are
| available.


CVE-2024-32660[2]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| Prior to version 3.5.1, a malicious server can crash the FreeRDP
| client by sending invalid huge allocation size. Version 3.5.1
| contains a patch for the issue. No known workarounds are available.


CVE-2024-32661[3]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| FreeRDP based clients prior to version 3.5.1 are vulnerable to a
| possible `NULL` access and crash. Version 3.5.1 contains a patch for
| the issue. No known workarounds are available.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32658
    https://www.cve.org/CVERecord?id=CVE-2024-32658
[1] https://security-tracker.debian.org/tracker/CVE-2024-32659
    https://www.cve.org/CVERecord?id=CVE-2024-32659
[2] https://security-tracker.debian.org/tracker/CVE-2024-32660
    https://www.cve.org/CVERecord?id=CVE-2024-32660
[3] https://security-tracker.debian.org/tracker/CVE-2024-32661
    https://www.cve.org/CVERecord?id=CVE-2024-32661

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: freerdp3
Source-Version: 3.5.1+dfsg1-1
Done: Jeremy Bícha <jbicha@ubuntu.com>

We believe that the bug you reported is fixed in the latest version of
freerdp3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1069752@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Bícha <jbicha@ubuntu.com> (supplier of updated freerdp3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 29 Apr 2024 14:50:09 -0400
Source: freerdp3
Built-For-Profiles: noudeb
Architecture: source
Version: 3.5.1+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Remote Maintainers <debian-remote@lists.debian.org>
Changed-By: Jeremy Bícha <jbicha@ubuntu.com>
Closes: 1069752
Changes:
 freerdp3 (3.5.1+dfsg1-1) unstable; urgency=high
 .
   [ Jeremy Bícha ]
   * New upstream release (Closes: #1069752)
     - CVE-2024-32658
     - CVE-2024-32659
     - CVE-2024-32660
     - CVE-2024-32661
     - CVE-2024-32662
   * Fix typo in enabling smartcard emulation
   * Update symbols files
   * Set symbols check level to 4
 .
   [ Bernhard Miklautz ]
   * Update symbol files
   * debian/[control|rules]: enable WEBP, JPEG and PNG support for clipboard
   * debian/copyright[.in]: update copyright files
   * debian/control: update pkg-config binary package name


--- End Message ---
