Bug 25815

Summary: freerdp new security issues CVE-2019-17177 and CVE-2019-17178
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, joselp, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: freerdp-2.0.0-0.rc4.1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-12-03 22:46:52 CET 
openSUSE has issued an advisory on December 2:
https://lists.opensuse.org/opensuse-updates/2019-12/msg00012.html

Mageia 7 is also affected.
David Walser 2019-12-03 22:47:04 CET

Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2019-12-04 08:05:54 CET 
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 2 David Walser 2019-12-04 13:48:15 CET 
Advisory:
========================

Updated freerdp packages fix security vulnerabilities:

Multiple memory leaks in libfreerdp/codec/region.c (CVE-2019-17177).

Memory leak in HuffmanTree_makeFromFrequencies (CVE-2019-17178).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17177
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17178
https://lists.opensuse.org/opensuse-updates/2019-12/msg00012.html
========================

Updated packages in core/updates_testing:
========================
freerdp-2.0.0-0.rc4.1.1.mga7
libfreerdp2-2.0.0-0.rc4.1.1.mga7
libfreerdp-devel-2.0.0-0.rc4.1.1.mga7

from freerdp-2.0.0-0.rc4.1.1.mga7.src.rpm

Assignee: bugsquad => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 3 Jose Manuel López 2019-12-04 14:05:22 CET 
I've installed remmina with freerdp 2.0 in Mageia Virtualbox 7.1 Plasma.

Works fine. I can go to remote desktop without problems.

Greetings!!

CC: (none) => joselp

Comment 4 Herman Viaene 2019-12-07 10:36:37 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues.
I cann't go any further than clean install, since I have no Windows version I can test again (rdp blocked in Windows 10 Home)

CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2019-12-18 22:49:11 CET 
Jose, when you post about a test, please state whether you tested the 64-bit or 32-bit version, or both. If you are satisfied that your test shows no problems, you can put an "OK" in the Whiteboard box. For Mageia 7, use "MGA7-64-OK" or "MGA7-32-OK" whichever is appropriate. If the developers assigned to the bug think your test is inadequate for some reason, they will let you know.

Giving this a 64-bit OK based on Herman's clean install and Jose's test. Validating. Advisory information in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK

Thomas Backlund 2019-12-19 13:31:38 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 6 Mageia Robot 2019-12-19 14:46:00 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0401.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED