Bug 21427 - freerdp new security issues CVE-2017-283[4-9]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA6-32-OK
Keywords: validated_update
Depends on:
Blocks: 21448
Reported: 2017-08-01 03:14 CEST by David Walser
Modified: 2017-08-04 22:45 CEST

See Also:
Source RPM: freerdp-2.0.0-0.rc0.1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2017-08-01 03:14:24 CEST
Fedora has issued an advisory today (July 31):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JNO6AUPEMWZQNGI7PEVPRUZD3OFNCQ4R/

Here's the Talos advisory:
http://blog.talosintelligence.com/2017/07/vulnerbility-spotlight-freerdp-multiple.html

The Red Hat bugs have links to the upstream commits to fix the issues.

Mageia 6 is also affected.
David Walser 2017-08-01 03:14:32 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David GEIGER 2017-08-01 08:28:55 CEST
After checking the code for freerdp-2.0.0-rc0 on Cauldron I can confirm that these multiple security issues are already included in the source tarball; the release 2.0.0-rc0 comes from the commit https://github.com/FreeRDP/FreeRDP/commit/1648deb435ad52206f7aa2afe4b4dff71d9329bc

https://github.com/FreeRDP/FreeRDP/releases/tag/2.0.0-rc0


For mga6 I think that it would be better to also update freerdp to the "First release candidate for 2.0.0", but I must also update remmina to the latest 1.2.0-rcgit.19 release and I must also do a rebuild for vinagre against the new freerdp.

WDYT? Can I go for this?
Comment 2 David Walser 2017-08-01 13:34:48 CEST
Yes, go for it.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 3 David GEIGER 2017-08-01 23:40:40 CEST
So, done for mga6!

- freerdp-2.0.0-0.rc0.1.mga6.srpm
- remmina-1.2.0-0.rcgit.19.1.mga6.srpm
- vinagre-3.22.0-3.1.mga6.srpm
Comment 4 David Walser 2017-08-02 03:26:57 CEST
Thanks David!

Advisory:
========================

Updated freerdp packages fix security vulnerabilities:

An exploitable code execution vulnerability exists in the authentication
functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server
response can cause an out-of-bounds write resulting in an exploitable
condition. An attacker can compromise the server or use a man in the middle
attack to trigger this vulnerability (CVE-2017-2834).

An exploitable code execution vulnerability exists in the RDP receive
functionality of FreeRDP 2.0.0-beta1+android11. A specially crafted server
response can cause an out-of-bounds write resulting in an exploitable
condition. An attacker can compromise the server or use a man in the middle to
trigger this vulnerability (CVE-2017-2835).

An exploitable denial of service vulnerability exists within the reading of
proprietary server certificates in FreeRDP 2.0.0-beta1+android11. A specially
crafted challenge packet can cause the program termination leading to a denial
of service condition. An attacker can compromise the server or use man in the
middle to trigger this vulnerability (CVE-2017-2836).

An exploitable denial of service vulnerability exists within the handling of
security data in FreeRDP 2.0.0-beta1+android11. A specially crafted challenge
packet can cause the program termination leading to a denial of service
condition. An attacker can compromise the server or use man in the middle to
trigger this vulnerability (CVE-2017-2837).

An exploitable denial of service vulnerability exists within the handling of
challenge packets in FreeRDP 2.0.0-beta1+android11. A specially crafted
challenge packet can cause the program termination leading to a denial of
service condition. An attacker can compromise the server or use man in the
middle to trigger this vulnerability (CVE-2017-2838, CVE-2017-2839).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2834
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2839
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0336
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0337
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0338
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0339
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0340
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0341
http://blog.talosintelligence.com/2017/07/vulnerbility-spotlight-freerdp-multiple.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JNO6AUPEMWZQNGI7PEVPRUZD3OFNCQ4R/
========================

Updated packages in core/updates_testing:
========================
freerdp-2.0.0-0.rc0.1.mga6
libfreerdp2-2.0.0-0.rc0.1.mga6
libfreerdp-devel-2.0.0-0.rc0.1.mga6
remmina-1.2.0-0.rcgit.19.1.mga6
remmina-devel-1.2.0-0.rcgit.19.1.mga6
remmina-plugins-common-1.2.0-0.rcgit.19.1.mga6
remmina-plugins-gnome-1.2.0-0.rcgit.19.1.mga6
remmina-plugins-nx-1.2.0-0.rcgit.19.1.mga6
remmina-plugins-rdp-1.2.0-0.rcgit.19.1.mga6
remmina-plugins-spice-1.2.0-0.rcgit.19.1.mga6
remmina-plugins-telepathy-1.2.0-0.rcgit.19.1.mga6
remmina-plugins-vnc-1.2.0-0.rcgit.19.1.mga6
remmina-plugins-xdmcp-1.2.0-0.rcgit.19.1.mga6
vinagre-3.22.0-3.1.mga6

from SRPMS:
freerdp-2.0.0-0.rc0.1.mga6.src.rpm
remmina-1.2.0-0.rcgit.19.1.mga6.src.rpm
vinagre-3.22.0-3.1.mga6.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210

Comment 5 Herman Viaene 2017-08-03 14:34:47 CEST
MGA6-32 on Asus A6000VM MATE
No installation issues.
Used remmina to connect to my desktop PC, picking SSH as transport. Looks OK

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 6 Rémi Verschelde 2017-08-03 18:52:03 CEST
Advisory uploaded, validating.

Keywords: (none) => validated_update
Whiteboard: MGA6-32-OK => advisory MGA6-32-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2017-08-03 21:06:49 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0243.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2017-08-04 22:45:04 CEST

Blocks: (none) => 21448
