Summary: | <net-misc/freerdp-2.1.0: Multiple vulnerabilities (CVE-2020-{11039,11038,11043,11041,11054,11019,11017,11018,11049,11048,11047,11046,11045,11044,11042,11058,11521,11522,11523,11524,11525,11526}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Mike Gilbert <floppym>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | floppym, sam
Priority: | Normal | Keywords: | CC-ARCHES
Version: | unspecified | Flags: | nattka: sanity-check+
Hardware: | All | |
OS: | Linux | |
URL: | https://github.com/FreeRDP/FreeRDP/blob/2.0.0/ChangeLog | |
Whiteboard: | B3 [glsa+ cve] | |
Package list: | =net-misc/freerdp-2.1.0 | |
Runtime testing required: | --- | |
Bug Depends on: | | |
Bug Blocks: | 716720 | |
Description
Mike Gilbert
2020-04-09 16:55:58 UTC
The CVE details don't seem to be out yet. All of the public "other" issues are OOB reads, so we'll call it B3 for now. I'll keep an eye on the CVEs and update this when the issues themselves get disclosed, but it won't stop us proceeding.

@maintainer(s), given an rc is already stable, are we ok to stabilise now?

> @maintainer(s), given an rc is already stable, are we ok to stabilise now?

That rc is very old. I want to give this a week in ~arch before stabilizing.

(In reply to Mike Gilbert from comment #2)
> > @maintainer(s), given an rc is already stable, are we ok to stabilise now?
>
> That rc is very old. I want to give this a week in ~arch before stabilizing.

Sorry, I assumed based on the rc -- given the large delta, I think this was fair enough.

Ready now? Can't see any bugs filed.

CVE-2019-17177 (https://nvd.nist.gov/vuln/detail/CVE-2019-17177): libfreerdp/codec/region.c in FreeRDP through 1.1.x and 2.x through 2.0.0-rc4 has memory leaks because a supplied realloc pointer (i.e., the first argument to realloc) is also used for a realloc return value.

amd64 stable

arm stable

ppc stable

x86 stable

ppc64 stable

arm64 stable: https://gitweb.gentoo.org/repo/gentoo.git/commit/net-misc/freerdp?id=7077847132f532e79b31274abde94bfd5e78e2ec

----

@maintainer(s), please cleanup

@maintainer(s), please bump to 2.1.0 (https://www.freerdp.com/2020/05/08/2_1_0-released). See: https://github.com/FreeRDP/FreeRDP/security/advisories

@maintainer(s), please advise if ready for stabilisation, or call yourself.

ppc/ppc64 stable [Note: This should have been a separate bug but we're here now.]

arm stable

amd64 stable

x86 stable

arm64 stable.

@maintainer(s), please cleanup

This issue was resolved and addressed in GLSA 202005-07 at https://security.gentoo.org/glsa/202005-07 by GLSA coordinator Thomas Deutschmann (whissi).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2a9eabba5ea46d68ed4e5f5f59b6ea60a4330fc4

commit 2a9eabba5ea46d68ed4e5f5f59b6ea60a4330fc4
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-05-14 22:14:46 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-05-14 22:15:19 +0000

    net-misc/freerdp: security cleanup

    Bug: https://bugs.gentoo.org/716830
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/freerdp/Manifest                    |   1 -
 net-misc/freerdp/files/2.0.0-backports.patch |  94 --------------------
 net-misc/freerdp/freerdp-2.0.0-r1.ebuild     | 123 ---------------------------
 net-misc/freerdp/metadata.xml                |   1 -
 4 files changed, 219 deletions(-)
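The realloc misuse behind CVE-2019-17177, mentioned in the comments above, shown as an added example beside its safe form (this is not FreeRDP's region.c code). The `fail_next_realloc` hook and the `rects` struct are constructed for the demonstration so that one allocation failure can be simulated and the difference observed.

```c
/* Added example, not FreeRDP's code: p = realloc(p, n) loses the old block
 * on failure; a temporary keeps it. fail_next_realloc is a constructed hook. */
#include <stdlib.h>

static int fail_next_realloc = 0;  /* hypothetical test hook, not a real API */

static void *maybe_failing_realloc(void *p, size_t n)
{
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        return NULL;  /* like real realloc: on failure the old block stays valid */
    }
    return realloc(p, n);
}

struct rects { int *data; size_t cap; };

/* Leaky pattern: the only pointer to the old block is overwritten with NULL
 * on failure, so that block can never be freed (the CVE-2019-17177 bug). */
static int grow_leaky(struct rects *r, size_t new_cap)
{
    r->data = maybe_failing_realloc(r->data, new_cap * sizeof(int));
    if (!r->data) return -1;
    r->cap = new_cap;
    return 0;
}

/* Safe pattern: keep the result in a temporary; on failure r->data still
 * owns the original block and can be used or freed. */
static int grow_safe(struct rects *r, size_t new_cap)
{
    int *tmp = maybe_failing_realloc(r->data, new_cap * sizeof(int));
    if (!tmp) return -1;
    r->data = tmp;
    r->cap = new_cap;
    return 0;
}

/* Returns 1 if contents survive a failed growth, 0 if lost, -1 on setup failure. */
static int buffer_survives_failed_growth(int (*grow)(struct rects *, size_t))
{
    struct rects r = { NULL, 0 };
    if (grow(&r, 4) != 0) return -1;
    r.data[0] = 42;
    fail_next_realloc = 1;           /* make the next growth attempt fail */
    int rc = grow(&r, 1024);
    int survived = (rc == -1 && r.data != NULL && r.data[0] == 42);
    free(r.data);  /* frees the kept block; for the leaky path this is free(NULL) */
    return survived;
}
```

With the leaky growth the original four-int block is unreachable after the failed call and is never released, which is exactly the leak class the NVD text describes.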