Bug 24500

Summary: freerdp possible new security issue CVE-2018-1000852
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6TOO
Source RPM: freerdp-2.0.0-0.rc4.1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-03-12 22:51:39 CET 
Fedora has issued an advisory on March 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/224N7GISQTWD7COYGTR35MACQJ7NUGJD/

In:
https://bugs.mageia.org/show_bug.cgi?id=24074#c12

I thought we already fixed it in the last update, but Fedora says they needed a post-rc4 update to fix it, so maybe I was wrong.
David Walser 2019-03-12 22:52:10 CET

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA6TOO

Comment 1 David GEIGER 2019-03-13 06:07:16 CET 
That I see is that the commit https://github.com/FreeRDP/FreeRDP/commit/205c612820dac644d665b5bb1cdf437dc5ca01e3  fixes this CVE-2018-1000852 and this fix is already included in freerdp-2.0.0-rc4


https://nvd.nist.gov/vuln/detail/CVE-2018-1000852
Comment 2 David Walser 2019-03-13 12:58:18 CET 
Yeah that's what I thought, and I had probably even checked that the first time I looked at it.  I don't understand this:
https://src.fedoraproject.org/cgit/rpms/freerdp.git/commit/?id=ff3abd148b05ea0e2a12ef41e7d4b96c7836f506
Comment 3 David GEIGER 2019-03-13 13:05:08 CET 
I don't understand too! it is unneeded to update to latest git snapshot and maybe a rc5 will come soon as there is a bunch of commits.
Comment 4 David Walser 2019-03-13 13:06:00 CET 
OK, I'll close this bug, but maybe when rc5 comes out we can push it as a bugfix update.

Resolution: (none) => INVALID
Status: NEW => RESOLVED

Comment 5 David GEIGER 2019-03-13 13:07:07 CET 
(In reply to David Walser from comment #4)
> OK, I'll close this bug, but maybe when rc5 comes out we can push it as a
> bugfix update.

yes absolutely!