
Bug 881525 (CVE-2022-39316, CVE-2022-39317, CVE-2022-39318, CVE-2022-39319, CVE-2022-39320, CVE-2022-39347, CVE-2022-41877)

Summary: <net-misc/freerdp-2.9.0: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: floppym
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/FreeRDP/FreeRDP/releases/tag/2.9.0
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 881835
Bug Blocks:

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-16 17:07:04 UTC
Release notes say:

"* Backported #8403: Fixed multiple client side input validation issues
  (CVE-2022-39316, CVE-2022-39317, CVE-2022-39318, CVE-2022-39319,
         CVE-2022-39320, CVE-2022-41877, CVE-2022-39347)"

TRUE and a FALSE, so I'd be very surprised if this fixes 7 different
CVEs. Nevertheless, please bump to 2.9.0
Comment 1 jospezial 2022-11-17 20:57:37 UTC Comment hidden (obsolete)
Comment 2 Larry the Git Cow gentoo-dev 2022-11-18 20:43:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0f3a6469bc2be992e106945747c997e5819d5f7d

commit 0f3a6469bc2be992e106945747c997e5819d5f7d
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-11-17 21:20:03 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-11-18 20:43:22 +0000

    net-misc/freerdp: add 2.9.0
    
    Bug: https://bugs.gentoo.org/881525
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 net-misc/freerdp/Manifest             |   1 +
 net-misc/freerdp/freerdp-2.9.0.ebuild | 124 ++++++++++++++++++++++++++++++++++
 2 files changed, 125 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-18 21:19:15 UTC
(In reply to John Helmert III from comment #0)
> Release notes say:
> 
> "* Backported #8403: Fixed multiple client side input validation issues
>   (CVE-2022-39316, CVE-2022-39317, CVE-2022-39318, CVE-2022-39319,
>          CVE-2022-39320, CVE-2022-41877, CVE-2022-39347)"
> 
> TRUE and a FALSE, so I'd be very surprised if this fixes 7 different
> CVEs. Nevertheless, please bump to 2.9.0

Hm, my script mangled my comment. I meant to say that the patch (https://github.com/FreeRDP/FreeRDP/pull/8403/files) only flip-flops a TRUE and a FALSE, so I'd be very surprised if this fixes 7 different CVEs.

Anyway, thank you for bumping! Please stabilize when ready. Any idea about the impact?
Comment 4 Mike Gilbert gentoo-dev 2022-11-18 21:30:00 UTC
(In reply to John Helmert III from comment #3)

I think they simply referenced the wrong PR for the CVE fixes. This one appears to be more relevant:

https://github.com/FreeRDP/FreeRDP/pull/8380
Comment 6 Mike Gilbert gentoo-dev 2022-11-19 17:18:00 UTC
The NIST NVD rates these as significantly more severe than the GHSA ratings.
Comment 7 Larry the Git Cow gentoo-dev 2022-12-06 16:48:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=454346cf7827cb35639b0cc80cdb114d2d6755e7

commit 454346cf7827cb35639b0cc80cdb114d2d6755e7
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-12-06 16:47:44 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-12-06 16:47:44 +0000

    net-misc/freerdp: drop 2.8.1
    
    Bug: https://bugs.gentoo.org/881525
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 net-misc/freerdp/Manifest             |   1 -
 net-misc/freerdp/freerdp-2.8.1.ebuild | 127 ----------------------------------
 2 files changed, 128 deletions(-)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-08 01:24:26 UTC
Thanks!
Comment 9 Larry the Git Cow gentoo-dev 2024-01-12 11:47:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=0bd76dc2009147dbb24e9f25ef0c1928a1d99371

commit 0bd76dc2009147dbb24e9f25ef0c1928a1d99371
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-12 11:46:37 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-12 11:46:59 +0000

    [ GLSA 202401-16 ] FreeRDP: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/881525
    Bug: https://bugs.gentoo.org/918546
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-16.xml | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)