Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 716830 (CVE-2020-11017, CVE-2020-11018, CVE-2020-11019, CVE-2020-11038, CVE-2020-11039, CVE-2020-11040, CVE-2020-11041, CVE-2020-11042, CVE-2020-11043, CVE-2020-11044, CVE-2020-11045, CVE-2020-11046, CVE-2020-11047, CVE-2020-11048, CVE-2020-11049, CVE-2020-11058, CVE-2020-11521, CVE-2020-11522, CVE-2020-11523, CVE-2020-11524, CVE-2020-11525, CVE-2020-11526)

Summary: <net-misc/freerdp-2.1.0: Multiple vulnerabilities (CVE-2020-{11039,11038,11043,11041,11054,11019,11017,11018,11049,11048,11047,11046,11045,11044,11042,11058,11521,11522,11523,11524,11525,11526})
Product: Gentoo Security Reporter: Mike Gilbert <floppym>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: floppym, sam
Priority: Normal Keywords: CC-ARCHES
Version: unspecifiedFlags: nattka: sanity-check+
Hardware: All   
OS: Linux   
URL: https://github.com/FreeRDP/FreeRDP/blob/2.0.0/ChangeLog
Whiteboard: B3 [glsa+ cve]
Package list:
=net-misc/freerdp-2.1.0
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 716720    

Description Mike Gilbert gentoo-dev 2020-04-09 16:55:58 UTC
# 2020-04-09  Version 2.0.0

Important notes:

* fix multiple CVEs: CVE-2020-11521 CVE-2020-11522 CVE-2020-11523 CVE-2020-11524 CVE-2020-11525 CVE-2020-11526
* fix multiple other security related issues (#6005, #6006, #6007, #6008, #6009, #6010, #6011, #6012, #6013)
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-09 17:00:48 UTC
The CVE details don't seem to be out yet.  All of the public "other" issues are OOB reads, so we'll call it B3 for now. 

I'll keep an eye on the CVEs and update this when the issues themselves get disclosed, but it won't stop us proceeding.

@maintainer(s), given an rc is already stable, are we ok to stabilise now?
Comment 2 Mike Gilbert gentoo-dev 2020-04-09 17:08:07 UTC
> @maintainer(s), given an rc is already stable, are we ok to stabilise now?

That rc is very old. I want to give this a week in ~arch before stabilizing.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-16 19:28:40 UTC
(In reply to Mike Gilbert from comment #2)
> > @maintainer(s), given an rc is already stable, are we ok to stabilise now?
> 
> That rc is very old. I want to give this a week in ~arch before stabilizing.

Sorry, I assumed based on the rc -- given the large delta, I think this was fair enough.

Ready now? Can't see any bugs filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 23:51:14 UTC
CVE-2019-17177 (https://nvd.nist.gov/vuln/detail/CVE-2019-17177):
  libfreerdp/codec/region.c in FreeRDP through 1.1.x and 2.x through 2.0.0-rc4
  has memory leaks because a supplied realloc pointer (i.e., the first
  argument to realloc) is also used for a realloc return value.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-04-22 14:05:08 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-04-23 06:22:43 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-04-23 06:24:54 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-04-23 06:30:37 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-04-24 06:48:40 UTC
ppc64 stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-28 04:22:50 UTC
arm64 stable: https://gitweb.gentoo.org/repo/gentoo.git/commit/net-misc/freerdp?id=7077847132f532e79b31274abde94bfd5e78e2ec

----
@maintainer(s), please cleanup
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-09 01:12:27 UTC
@maintainer(s), please bump to 2.1.0 (https://www.freerdp.com/2020/05/08/2_1_0-released).

See: https://github.com/FreeRDP/FreeRDP/security/advisories
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-09 05:07:51 UTC
@maintainer(s), please advise if ready for stabilisation, or call yourself.
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2020-05-09 23:20:01 UTC
ppc/ppc64 stable
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-10 11:34:07 UTC
[Note: This should have been a separate bug but we're here now.]
Comment 15 Agostino Sarubbo gentoo-dev 2020-05-11 11:40:45 UTC
arm stable
Comment 16 Agostino Sarubbo gentoo-dev 2020-05-11 16:45:21 UTC
amd64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2020-05-12 06:39:29 UTC
x86 stable
Comment 18 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-12 16:10:55 UTC
arm64 stable.

@maintainer(s), please cleanup
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2020-05-14 22:12:41 UTC
This issue was resolved and addressed in
 GLSA 202005-07 at https://security.gentoo.org/glsa/202005-07
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 20 Larry the Git Cow gentoo-dev 2020-05-14 22:15:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2a9eabba5ea46d68ed4e5f5f59b6ea60a4330fc4

commit 2a9eabba5ea46d68ed4e5f5f59b6ea60a4330fc4
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-05-14 22:14:46 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-05-14 22:15:19 +0000

    net-misc/freerdp: security cleanup
    
    Bug: https://bugs.gentoo.org/716830
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/freerdp/Manifest                    |   1 -
 net-misc/freerdp/files/2.0.0-backports.patch |  94 --------------------
 net-misc/freerdp/freerdp-2.0.0-r1.ebuild     | 123 ---------------------------
 net-misc/freerdp/metadata.xml                |   1 -
 4 files changed, 219 deletions(-)