I'm happy to announce a new release of rdesktop, version 1.7.0. This fixes
some important bugs and is therefore recommended for all users.
* Security: Directory traversal vulnerability with disk redirection (disallow /.. requests)
<-- snip -->
The upstream fix looks to be at: http://rdesktop.svn.sourceforge.net/viewvc/rdesktop?view=revision&revision=1626
rdesktop-1.7.0 is in tree now and seems to be working fine so far (this is mostly a bugfix release anyway). It looks like the RH bug is not publicly accessible, but stabling this new version looks like a good idea.
Current stable KEYWORDS: alpha amd64 hppa ia64 ppc ppc64 sparc x86
(In reply to comment #1)
> rdesktop-1.7.0 is in tree now and seems to be working fine so far (this is
> mostly a bugfix release anyway). It looks like the RH bug is not publicly
> accessible, but stabling this new version looks like a good idea
Great, thank you.
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
CVE-2011-1595 has been assigned.
Stable for HPPA.
x86 already stable for two days...done by tomka.
Marked ppc stable.
amd64 done. Thanks Agostino
ppc64 stable, last arch done
Vulnerable version removed from tree
Thanks, folks. GLSA request filed.
Directory traversal vulnerability in the disk_create function in disk.c in
rdesktop before 1.7.0, when disk redirection is enabled, allows remote RDP
servers to read or overwrite arbitrary files via a .. (dot dot) in a
This issue was resolved and addressed in
GLSA 201210-03 at http://security.gentoo.org/glsa/glsa-201210-03.xml
by GLSA coordinator Stefan Behte (craig).
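
As an added illustration of the "disallow /.. requests" mitigation named in the release notes (this is not rdesktop's own code or the upstream patch): a C check that rejects any server-supplied name containing a `..` component before it is joined to the redirected directory. The function names, the `/srv/share` base and the sample names are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if no component of `path` is exactly "..", else 0.
 * Both '/' and '\\' count as separators (assumption: the peer may
 * send either form). */
static int path_has_no_dotdot(const char *path)
{
    const char *p = path;
    while (*p) {
        size_t len = strcspn(p, "/\\");   /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += len;
        if (*p)
            p++;                          /* skip the separator */
    }
    return 1;
}

/* Hypothetical helper: join the shared directory and the server-supplied
 * name into `out`. Returns 0 on success, -1 if rejected or truncated. */
static int build_redirect_path(const char *base, const char *name,
                               char *out, size_t outlen)
{
    int n;
    if (!path_has_no_dotdot(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s", base, name[0] == '/' ? name + 1 : name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample names, as a server might request them. */
    const char *samples[] = { "/docs/report.txt", "/../etc/passwd",
                              "\\..\\..\\home", "/notes..txt", "/a/..b/c" };
    char buf[256];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               build_redirect_path("/srv/share", samples[i], buf, sizeof buf) == 0
                   ? buf : "rejected");
    return 0;
}
```

A component check like this does not cover symbolic links inside the shared directory that point outside it; resolving the final path and comparing it against the base is a separate control.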