Your message dated Sun, 25 Jan 2009 00:18:18 +0000
with message-id <e1lqshe-0002wc...@ries.debian.org>
and subject line Bug#511641: fixed in xrdp 0.4.0~dfsg-9
has caused the Debian Bug report #511641,
regarding xrdp: CVE-2008-590[2-4] arbitrary code execution
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
511641: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511641
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xrdp
Severity: grave
Tags: security
Justification: user security hole
Several vulnerabilities in xrdp have been spotted on the oss-security
list. Please see this PDF for details:
http://packetstormsecurity.org/0812-advisories/VA_VD_87_08_XRDP.pdf
Cheers,
Moritz
-- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages xrdp depends on:
ii  adduser      3.110      add and remove users and groups
ii  libc6        2.7-16     GNU C Library: Shared libraries
ii  libpam0g     1.0.1-4    Pluggable Authentication Modules l
ii  libssl0.9.8  0.9.8g-14  SSL shared libraries
Versions of packages xrdp recommends:
pn vnc4server | tightvncserver | <none> (no description available)
xrdp suggests no packages.
--- End Message ---
--- Begin Message ---
Source: xrdp
Source-Version: 0.4.0~dfsg-9
We believe that the bug you reported is fixed in the latest version of
xrdp, which is due to be installed in the Debian FTP archive:
xrdp_0.4.0~dfsg-9.diff.gz
  to pool/main/x/xrdp/xrdp_0.4.0~dfsg-9.diff.gz
xrdp_0.4.0~dfsg-9.dsc
  to pool/main/x/xrdp/xrdp_0.4.0~dfsg-9.dsc
xrdp_0.4.0~dfsg-9_amd64.deb
  to pool/main/x/xrdp/xrdp_0.4.0~dfsg-9_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 511...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Vincent Bernat <ber...@debian.org> (supplier of updated xrdp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 23 Jan 2009 21:29:14 +0100
Source: xrdp
Binary: xrdp
Architecture: source amd64
Version: 0.4.0~dfsg-9
Distribution: unstable
Urgency: high
Maintainer: Vincent Bernat <ber...@debian.org>
Changed-By: Vincent Bernat <ber...@debian.org>
Description:
xrdp - Remote Desktop Protocol (RDP) server
Closes: 511641
Changes:
 xrdp (0.4.0~dfsg-9) unstable; urgency=high
 .
   * Fix CVE-2008-5902 and CVE-2008-5904 with the help of patches proposed
     by Ondrej Kolacek. The patch fixing CVE-2008-5902 also happens to fix
     CVE-2008-5903 by checking boundary before calling add_char_at(). This
     closes: #511641.
   * Really add patch to fix monochrome cursor issue.
   * Also update Standards-Version and add ${misc:Depends} macro.
   * Don't use Pa macro in xrdp-keygen manual page.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkl7olsACgkQKFvXofIqeU7QEQCdFqr5SU5Hs1acM3BkbACDb7Wh
WeQAn0l0nDvdeo19hWdIUQrtWU5H+lFe
=7JJO
-----END PGP SIGNATURE-----
--- End Message ---