| Summary: | freerdp new security issues CVE-2014-0250 and CVE-2014-0791 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | dpremy, pterjan, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/604034/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory MGA4-64-OK MGA3-32-OK MGA3-64-OK MGA4-32-OK | ||
| Source RPM: | freerdp-1.0.2-2.mga4.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2014-05-28 16:21:11 CEST

David Walser
2014-05-28 16:21:20 CEST
Whiteboard: (none) => MGA4TOO, MGA3TOO

OpenSuSE has issued an advisory for this today (July 1):
http://lists.opensuse.org/opensuse-updates/2014-07/msg00008.html

This fixes an additional CVE as well, CVE-2014-0791.
URL: (none) => http://lwn.net/Vulnerabilities/604034/

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated freerdp packages fix security vulnerabilities:

Integer overflows in memory allocations in client/X11/xf_graphics.c in FreeRDP through 1.0.2 allows remote RDP servers to have an unspecified impact through unspecified vectors (CVE-2014-0250).

Integer overflow in the license_read_scope_list function in libfreerdp/core/license.c in FreeRDP through 1.0.2 allows remote RDP servers to cause a denial of service (application crash) or possibly have unspecified other impact via a large ScopeCount value in a Scope List in a Server License Request packet (CVE-2014-0791).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0250
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0791
http://lists.opensuse.org/opensuse-updates/2014-07/msg00008.html
========================

Updated packages in core/updates_testing:
========================
freerdp-1.0.1-2.1.mga3
libfreerdp1-1.0.1-2.1.mga3
libfreerdp-devel-1.0.1-2.1.mga3
freerdp-1.0.2-2.1.mga4
libfreerdp1-1.0.2-2.1.mga4
libfreerdp-devel-1.0.2-2.1.mga4

from SRPMS:
freerdp-1.0.1-2.1.mga3.src.rpm
freerdp-1.0.2-2.1.mga4.src.rpm
Version: Cauldron => 4

Testing on MGA4-86 and MGA4-64 tonight. I can't find a PoC at this time, so I will confirm that connectivity to a few Windows versions still works. MGA3 will need to be tested by someone else, as I don't have boxes to test on.
CC: (none) => dpremy

Tested on MGA4-86 and I can still connect to a variety of remote Windows systems. Have used xfreerdp for some time now and can't find anything that doesn't work with this update. Still can't find a PoC, so I assume it is resolved.
Whiteboard: MGA3TOO => MGA3TOO mga4-86-ok

The procedure to test needs a remote system with RDP enabled. In my case a Windows client is easiest, although my understanding is that VirtualBox can enable remote consoles on VMs, which uses RDP as well.

# urpmi freerdp
# xfreerdp -u <remote username> [-d <domain>] <remote IP>

If all goes well you should get a password prompt and then be connected. Note that if you are connecting to a Windows box which has NLA enabled, you must put the IP or computer name as the last argument as of this writing.
https://github.com/FreeRDP/FreeRDP/issues/733
Whiteboard: MGA3TOO mga4-86-ok => MGA3TOO mga4-86-ok has_procedure

I assume you meant i586 (aka 32-bit), so fixing the tag.
Whiteboard: MGA3TOO mga4-86-ok has_procedure => MGA3TOO mga4-32-ok has_procedure

I sure did, thanks for the catch. Tested on mga4-64 and it worked as well; adding the proper tag.
Whiteboard: MGA3TOO mga4-32-ok has_procedure => MGA3TOO mga4-32-ok mga4-64-ok has_procedure

Found no open PoC, so testing simply by connecting from MGA3 VBs to a Windows 7 VB via xfreerdp for both archs: everything is working fine.

The following packages are installed:
[root@localhost marc]# rpm -qa | grep rdp
lib64freerdp1-1.0.1-2.1.mga3
freerdp-1.0.1-2.1.mga3

After the advisory is uploaded, the update can be validated and pushed to updates.
Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok has_procedure => MGA3TOO has_procedure MGA4-64-OK MGA3-32-OK MGA3-64-OK MGA4-32-OK

Thanks Marc. I just used freerdp on Mageia 3 i586 at work to do something on a Windows 7 machine and it worked fine for me too. Validating.

Advisory uploaded. Could sysadmin please push to 3 & 4 updates? Thanks.
Keywords: (none) => validated_update

http://advisories.mageia.org/MGASA-2014-0287.html
Status: NEW => RESOLVED
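The CVE-2014-0791 entry in the advisory above describes a count-controlled allocation bug: the server's ScopeCount is trusted when sizing memory, so a large value wraps the multiplication and the fill loop runs past the buffer. The C program below is an added illustration of that bug class and its fix; it is not FreeRDP's code, not the patch shipped in these packages, and not a proof of concept against the client. It assumes the Scope List wire layout from MS-RDPELE (a little-endian 32-bit ScopeCount followed by that many LICENSE_BINARY_BLOBs, each a 16-bit type, a 16-bit length and the data bytes), and the three packets in it are constructed, not captured. unchecked_alloc_size() shows the 32-bit wrap; parse_scope_list() shows the two checks a parser needs: bounding the count by the bytes actually present before allocating, and bounding each blob length by the bytes remaining. CVE-2014-0250 is not modelled, since the page gives no detail beyond "unspecified vectors".

```c
/* scope_list.c: parsing an RDP Server License Request Scope List from untrusted
 * bytes, with the untrusted-count checks that CVE-2014-0791 lacked.
 * Added illustration, not FreeRDP's code. Assumed wire layout (MS-RDPELE 2.2.2.1.3):
 * ScopeCount UINT32 LE, then ScopeCount blobs of wBlobType UINT16, wBlobLen UINT16,
 * wBlobLen data bytes. Build: cc -Wall -O2 scope_list.c -o scope_list */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    uint16_t type;
    uint16_t len;
    const uint8_t *data;   /* points into the caller's packet buffer */
} scope_blob_t;

typedef struct {
    const uint8_t *p;
    size_t left;           /* bytes not yet consumed */
} stream_t;

static int get_u16(stream_t *s, uint16_t *v)
{
    if (s->left < 2) return 0;
    *v = (uint16_t)(s->p[0] | (s->p[1] << 8));
    s->p += 2; s->left -= 2;
    return 1;
}

static int get_u32(stream_t *s, uint32_t *v)
{
    if (s->left < 4) return 0;
    *v = (uint32_t)s->p[0] | ((uint32_t)s->p[1] << 8) |
         ((uint32_t)s->p[2] << 16) | ((uint32_t)s->p[3] << 24);
    s->p += 4; s->left -= 4;
    return 1;
}

/* The bug class: sizing an allocation from the peer's count in 32-bit arithmetic.
 * 0x10000001 * 16 wraps to 16, so the buffer is 16 bytes while a fill loop
 * driven by the same count believes it has room for 268 million entries. */
uint32_t unchecked_alloc_size(uint32_t scope_count, uint32_t elem_size)
{
    return scope_count * elem_size;   /* wraps modulo 2^32 */
}

/* Hardened parser. Returns 0 on success with *out (caller frees) and *count_out
 * filled in, -1 on malformed or hostile input. */
int parse_scope_list(const uint8_t *pkt, size_t pkt_len,
                     scope_blob_t **out, uint32_t *count_out)
{
    stream_t s = { pkt, pkt_len };
    uint32_t count, i;
    scope_blob_t *scopes;

    *out = NULL;
    *count_out = 0;
    if (!get_u32(&s, &count)) return -1;

    /* Every scope costs at least 4 bytes on the wire (type + length), so a
     * count above left/4 cannot be honest. Reject before allocating; this
     * also bounds count so count * sizeof cannot overflow below. */
    if (count > s.left / 4) return -1;
    if (count == 0) return 0;

    scopes = calloc(count, sizeof *scopes);   /* calloc checks the product too */
    if (!scopes) return -1;

    for (i = 0; i < count; i++) {
        if (!get_u16(&s, &scopes[i].type) || !get_u16(&s, &scopes[i].len) ||
            scopes[i].len > s.left) {          /* blob length vs. bytes remaining */
            free(scopes);
            return -1;
        }
        scopes[i].data = s.p;
        s.p += scopes[i].len;
        s.left -= scopes[i].len;
    }
    *out = scopes;
    *count_out = count;
    return 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t good_pkt[] = {
    0x02, 0x00, 0x00, 0x00,                   /* ScopeCount = 2 */
    0x0e, 0x00, 0x03, 0x00, 'a', 'b', 'c',    /* blob: type 0x000e, len 3 */
    0x0e, 0x00, 0x02, 0x00, 'd', 'e'          /* blob: type 0x000e, len 2 */
};
static const uint8_t huge_count_pkt[] = {
    0xff, 0xff, 0xff, 0xff,                   /* ScopeCount = 0xffffffff */
    0x0e, 0x00, 0x00, 0x00                    /* only one blob header follows */
};
static const uint8_t truncated_pkt[] = {
    0x01, 0x00, 0x00, 0x00,                   /* ScopeCount = 1 */
    0x0e, 0x00, 0x10, 0x00, 'x', 'y'          /* claims 16 data bytes, has 2 */
};

/* Returns 0 when all three packets and the wrap demonstration behave as expected. */
int demo(void)
{
    scope_blob_t *b = NULL;
    uint32_t n = 0;
    int ok = 1;

    ok &= parse_scope_list(good_pkt, sizeof good_pkt, &b, &n) == 0 && n == 2 && b[1].len == 2;
    free(b);
    ok &= parse_scope_list(huge_count_pkt, sizeof huge_count_pkt, &b, &n) == -1;
    ok &= parse_scope_list(truncated_pkt, sizeof truncated_pkt, &b, &n) == -1;
    ok &= unchecked_alloc_size(0x10000001u, 16) == 16;
    return ok ? 0 : 1;
}

int main(void)
{
    int rc = demo();
    printf("%s\n", rc == 0 ? "all checks passed" : "FAILED");
    return rc;
}
```

The count-versus-remaining-length check is the one that matters: once the count is bounded by bytes actually in the packet, no 32-bit multiplication by an element size can wrap, and calloc's own overflow check becomes belt and braces rather than the only defence.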