Comment 1 Sam James 2020-04-09 17:00:48 UTC

The CVE details don't seem to be out yet.  All of the public "other" issues are OOB reads, so we'll call it B3 for now. 

I'll keep an eye on the CVEs and update this when the issues themselves get disclosed, but it won't stop us proceeding.

@maintainer(s), given an rc is already stable, are we ok to stabilise now?

Comment 2 Mike Gilbert 2020-04-09 17:08:07 UTC

> @maintainer(s), given an rc is already stable, are we ok to stabilise now?

That rc is very old. I want to give this a week in ~arch before stabilizing.

Comment 3 Sam James 2020-04-16 19:28:40 UTC

(In reply to Mike Gilbert from comment #2)
> > @maintainer(s), given an rc is already stable, are we ok to stabilise now?
> 
> That rc is very old. I want to give this a week in ~arch before stabilizing.

Sorry, I assumed based on the rc -- given the large delta, I think this was fair enough.

Ready now? Can't see any bugs filed.

Comment 4 GLSAMaker/CVETool Bot 2020-04-17 23:51:14 UTC

CVE-2019-17177 (https://nvd.nist.gov/vuln/detail/CVE-2019-17177):
  libfreerdp/codec/region.c in FreeRDP through 1.1.x and 2.x through 2.0.0-rc4
  has memory leaks because a supplied realloc pointer (i.e., the first
  argument to realloc) is also used for a realloc return value.

Comment 5 Mikle Kolyada (RETIRED) 2020-04-22 14:05:08 UTC

amd64 stable

Comment 6 Agostino Sarubbo 2020-04-23 06:22:43 UTC

arm stable

Comment 7 Agostino Sarubbo 2020-04-23 06:24:54 UTC

ppc stable

Comment 8 Agostino Sarubbo 2020-04-23 06:30:37 UTC

x86 stable

Comment 9 Agostino Sarubbo 2020-04-24 06:48:40 UTC

ppc64 stable

Comment 10 Sam James 2020-04-28 04:22:50 UTC

arm64 stable: https://gitweb.gentoo.org/repo/gentoo.git/commit/net-misc/freerdp?id=7077847132f532e79b31274abde94bfd5e78e2ec

----
@maintainer(s), please cleanup

Comment 11 Sam James 2020-05-09 01:12:27 UTC

@maintainer(s), please bump to 2.1.0 (https://www.freerdp.com/2020/05/08/2_1_0-released).

See: https://github.com/FreeRDP/FreeRDP/security/advisories

Comment 12 Sam James 2020-05-09 05:07:51 UTC

@maintainer(s), please advise if ready for stabilisation, or call yourself.

Comment 13 Sergei Trofimovich (RETIRED) 2020-05-09 23:20:01 UTC

ppc/ppc64 stable

Comment 14 Sam James 2020-05-10 11:34:07 UTC

[Note: This should have been a separate bug but we're here now.]

Comment 15 Agostino Sarubbo 2020-05-11 11:40:45 UTC

arm stable

Comment 16 Agostino Sarubbo 2020-05-11 16:45:21 UTC

amd64 stable

Comment 17 Agostino Sarubbo 2020-05-12 06:39:29 UTC

x86 stable

Comment 18 Sam James 2020-05-12 16:10:55 UTC

arm64 stable.

@maintainer(s), please cleanup

Comment 19 GLSAMaker/CVETool Bot 2020-05-14 22:12:41 UTC

This issue was resolved and addressed in
 GLSA 202005-07 at https://security.gentoo.org/glsa/202005-07
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 20 Larry the Git Cow 2020-05-14 22:15:27 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2a9eabba5ea46d68ed4e5f5f59b6ea60a4330fc4

commit 2a9eabba5ea46d68ed4e5f5f59b6ea60a4330fc4
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-05-14 22:14:46 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-05-14 22:15:19 +0000

    net-misc/freerdp: security cleanup
    
    Bug: https://bugs.gentoo.org/716830
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/freerdp/Manifest                    |   1 -
 net-misc/freerdp/files/2.0.0-backports.patch |  94 --------------------
 net-misc/freerdp/freerdp-2.0.0-r1.ebuild     | 123 ---------------------------
 net-misc/freerdp/metadata.xml                |   1 -
 4 files changed, 219 deletions(-)