Bug 32100 - freerdp with GSSAPI=on breaks remmina - only single RDP connection per instance, crashes on second attempt
Summary: freerdp with GSSAPI=on breaks remmina - only single RDP connection per instan...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: https://github.com/FreeRDP/FreeRDP/is...
Whiteboard: MGA9-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-07-13 12:49 CEST by Christian Lohmaier
Modified: 2023-08-23 21:58 CEST (History)
6 users (show)

See Also:
Source RPM: freerdp-2.9.0-1.mga8.src.rpm, remmina-1.4.19-1.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Christian Lohmaier 2023-07-13 12:49:33 CEST 
Description of problem:
only a single RDP session can be initiated with remmina, trying to connect to the same host again after closing it or trying to open a second connection to a different host crashes.
Only way to connect to another rdp host is to constantly restart remmina

Version-Release number of selected component (if applicable):
2.9.0

How reproducible:
100%, see also bugzilla-URL field for upstream ticket of freerdp and https://gitlab.com/Remmina/Remmina/-/issues/1435

Steps to Reproduce:
1. start remmina
2. connect to a machine via RDP
3. close the connection and try to reconnect, or try to open a connection to a different host

→ crash.

RPM changelog just says "enable gssapi support" but not why it was enabled. So easiest fix would be to disable that.
Comment 1 Lewis Smith 2023-07-13 21:19:25 CEST 
Unsure whether this is to do with 'freerdp' or 'remmina'. The given URLs mention both in their comments, but not consistently:

for Arch users installing AUR freerdp-git solves the problem.

confirm this works on my machine, on Fedora 38, using Remmina 1.4.30
WITH_GSSAPI=ON
 but conversely...
For the Fedora users, I disabled the GSS support in the Fedora branches
 and
arch ... have to compile freerdp without kerberos support. -DWITH_GSSAPI=OFF

freerdp-2.9.0-1 for M8, freerdp-2.10.0-1 for M9
remmina-1.4.19-1 for M8, remmina-1.4.30-2 for M9.

Assigning to DavidG who mostly deals with these pkg; CC'ing NicolasS who has also maintained them recently. It is possible that M9 is OK.

Source RPM: freerdp-2.9.0-1.mga8.src.rpm => freerdp-2.9.0-1.mga8.src.rpm, remmina-1.4.19-1.mga8.src.rpm
Assignee: bugsquad => geiger.david68210
CC: (none) => nicolas.salguero

Comment 2 Christian Lohmaier 2023-07-14 12:40:14 CEST 
it is for freerdp - freerdp needs to be compiled with GSSAPI off for remmina to work.
Chaning remmina doesn't help since freerdp doesn't properly use different credentials for different connections.

freerdp 2.10 is affected as well, although more gracefully, remmina doesn't completely crash anymore, but just "fails to connect" to subsequent hosts unless freerdp is compiled wihout gssapi.

So unless the gss-conditional in the spec file was flipped/mageia still defaults to GSSAPI=ON then cauldron/9 is affected as well.

remmina 1.4.19 or 1.4.30 doesn't make a difference.
Comment 3 Christian Lohmaier 2023-07-14 12:43:34 CEST 
re the fedora comment: they still have it disabled ( https://src.fedoraproject.org/rpms/freerdp/blob/rawhide/f/freerdp.spec )
Comment 4 David GEIGER 2023-07-14 13:08:18 CEST 
Once mga9 released I'll do this change for both mga8 and mga9!
Comment 5 David GEIGER 2023-08-01 07:36:16 CEST 
Assigning to QA,


Packages in 8/Core/Updates_testing:
======================
freerdp-2.9.0-1.1.mga8
lib64freerdp-devel-2.9.0-1.1.mga8
lib64freerdp2-2.9.0-1.1.mga8
libfreerdp-devel-2.9.0-1.1.mga8
libfreerdp2-2.9.0-1.1.mga8

Packages in 9/Core/Updates_testing:
======================
lib64freerdp2-2.10.0-2.mga9
lib64freerdp-devel-2.10.0-2.mga9
libfreerdp2-2.10.0-2.mga9
libfreerdp-devel-2.10.0-2.mga9
freerdp-2.10.0-2.mga9

Frpm SRPMS:
freerdp-2.9.0-1.1.mga8.src.rpm
freerdp-2.10.0-2.mga9.src.rpm

Assignee: geiger.david68210 => qa-bugs

Comment 6 Herman Viaene 2023-08-01 13:54:41 CEST 
MGA8-64 MATE on Acer Aspire 5253
No installation issues
As in bug 30392 run on remote desktop
$ freerdp-shadow-cli /port:3984 /monitors:0
and then on the test laptop
$ xfreerdp /v:<server>:3984 /u:<user> /p:<password>
[13:37:02:838] [84663:84664] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a s$ xfreerdp /v:<server>:3984 /u:<user> /p:<password>
[13:37:02:838] [84663:84664] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[13:37:02:838] [84663:84664] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[13:37:02:873] [84663:84664] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[13:37:02:873] [84663:84664] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[13:37:02:873] [84663:84664] [ERROR][com.freerdp.core] - freerdp_post_connect failed
[tester8@mach7 ~]$ xfreerdp /v:<server>:3984 /u:<user> /p:<password>
[13:41:11:862] [84935:84936] [INFO][com.freerdp.crypto] - creating directory /home/tester8/.config/freerdp
[13:41:11:862] [84935:84936] [INFO][com.freerdp.crypto] - creating directory [/home/tester8/.config/freerdp/certs]
[13:41:11:863] [84935:84936] [INFO][com.freerdp.crypto] - created directory [/home/tester8/.config/freerdp/server]
[13:41:12:931] [84935:84936] [WARN][com.freerdp.crypto] - Certificate verification failure 'self signed certificate (18)' at stack position 0
[13:41:12:931] [84935:84936] [WARN][com.freerdp.crypto] - CN = <server>
Certificate details for <server>:3984 (RDP-Server):
	Common Name: <server>
	Subject:     CN = <server>
	Issuer:      CN = <server>
	Thumbprint:  84:20:56:e9:8c:a2:4c:64:50:92:cf:5b:0c:ad:4b:5a:c6:59:e3:dc:d9:a1:4d:c1:18:68:bb:40:02:dc:50:02
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N) y
[13:41:24:238] [84935:84936] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[13:41:24:238] [84935:84936] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[13:41:24:405] [84935:84936] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[13:41:24:405] [84935:84936] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
^C[13:42:54:758] [84935:84935] [ERROR][com.freerdp.utils] - Caught signal 'Interrupt' [2]
[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 0: /usr/bin/../lib64/libwinpr2.so.2(+0x560a0) [0x7f5e6933e0a0]

[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 1: /usr/bin/../lib64/libwinpr2.so.2(winpr_log_backtrace_ex+0x20) [0x7f5e6933cf60]

[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 2: /usr/bin/../lib64/libfreerdp2.so.2(+0x30e3e) [0x7f5e69594e3e]

[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 3: /usr/bin/../lib64/libc.so.6(+0x3b510) [0x7f5e69159510]

[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 4: /usr/bin/../lib64/libc.so.6(__poll+0x4f) [0x7f5e6920a1bf]

[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 5: /usr/bin/../lib64/libwinpr2.so.2(+0x3ad99) [0x7f5e69322d99]

[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 6: /usr/bin/../lib64/libwinpr2.so.2(WaitForSingleObjectEx+0x473) [0x7f5e69325153]

[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 7: xfreerdp() [0x407398]

[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 8: /usr/bin/../lib64/libc.so.6(__libc_start_main+0xea) [0x7f5e69145e2a]

[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 9: xfreerdp(_start+0x2a) [0x40742a]
ystem error 32: Broken pipe
[13:37:02:838] [84663:84664] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[13:37:02:873] [84663:84664] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[13:37:02:873] [84663:84664] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[13:37:02:873] [84663:84664] [ERROR][com.freerdp.core] - freerdp_post_connect failed
[tester8@mach7 ~]$ xfreerdp /v:<server>:3984 /u:<user> /p:<password>
[13:41:11:862] [84935:84936] [INFO][com.freerdp.crypto] - creating directory /home/tester8/.config/freerdp
[13:41:11:862] [84935:84936] [INFO][com.freerdp.crypto] - creating directory [/home/tester8/.config/freerdp/certs]
[13:41:11:863] [84935:84936] [INFO][com.freerdp.crypto] - created directory [/home/tester8/.config/freerdp/server]
[13:41:12:931] [84935:84936] [WARN][com.freerdp.crypto] - Certificate verification failure 'self signed certificate (18)' at stack position 0
[13:41:12:931] [84935:84936] [WARN][com.freerdp.crypto] - CN = <server>
Certificate details for <server>:3984 (RDP-Server):
	Common Name: <server>
	Subject:     CN = <server>
	Issuer:      CN = <server>
	Thumbprint:  84:20:56:e9:8c:a2:4c:64:50:92:cf:5b:0c:ad:4b:5a:c6:59:e3:dc:d9:a1:4d:c1:18:68:bb:40:02:dc:50:02
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N) y
[13:41:24:238] [84935:84936] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[13:41:24:238] [84935:84936] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[13:41:24:405] [84935:84936] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[13:41:24:405] [84935:84936] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
^C[13:42:54:758] [84935:84935] [ERROR][com.freerdp.utils] - Caught signal 'Interrupt' [2]
[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 0: /usr/bin/../lib64/libwinpr2.so.2(+0x560a0) [0x7f5e6933e0a0]

[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 1: /usr/bin/../lib64/libwinpr2.so.2(winpr_log_backtrace_ex+0x20) [0x7f5e6933cf60]

[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 2: /usr/bin/../lib64/libfreerdp2.so.2(+0x30e3e) [0x7f5e69594e3e]

[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 3: /usr/bin/../lib64/libc.so.6(+0x3b510) [0x7f5e69159510]

[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 4: /usr/bin/../lib64/libc.so.6(__poll+0x4f) [0x7f5e6920a1bf]

[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 5: /usr/bin/../lib64/libwinpr2.so.2(+0x3ad99) [0x7f5e69322d99]

[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 6: /usr/bin/../lib64/libwinpr2.so.2(WaitForSingleObjectEx+0x473) [0x7f5e69325153]

[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 7: xfreerdp() [0x407398]

[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 8: /usr/bin/../lib64/libc.so.6(__libc_start_main+0xea) [0x7f5e69145e2a]

[13:42:54:759] [84935:84935] [ERROR][com.freerdp.utils] - 9: xfreerdp(_start+0x2a) [0x40742a]

And I see the current desktop of the server.
This shows the basic working of freerdp, but I'm not sure in view of the discussion above whether this is sufficient.

CC: (none) => herman.viaene

Comment 7 Brian Rockwell 2023-08-06 03:27:11 CEST 
MGA9-64

Installed without issue.  I was able to connect multiple xfreerdp sessions without any issues.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => brtians1

Comment 8 Brian Rockwell 2023-08-06 03:48:02 CEST 
MGA8-64

The following 2 packages are going to be installed:

- freerdp-2.9.0-1.1.mga8.x86_64
- lib64freerdp2-2.9.0-1.1.mga8.x86_64

12KB of disk space will be freed.

tested dual logins.  also tried drop and reconnect with no issues.

Note I was using xfreerdp not remmina.

Whiteboard: MGA9-64-OK => MGA9-64-OK MGA8-64-OK

Comment 9 Brian Rockwell 2023-08-06 04:33:09 CEST 
MGA9 - Xfce

messed with Remmina - it seems to be working as well
Comment 10 Christian Lohmaier 2023-08-07 14:13:47 CEST 
FYI: also confirming working with the packages from testing on mga8 - thx!
Comment 11 Thomas Andrews 2023-08-11 14:17:13 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-08-20 21:19:25 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 12 Mageia Robot 2023-08-23 21:58:06 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2023-0055.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.