Your message dated Mon, 15 Jul 2024 15:10:04 +0000
with message-id <e1stnl2-00b2aj...@fasolo.debian.org>
and subject line Bug#1069728: fixed in freerdp2 2.11.7+dfsg1-1
has caused the Debian Bug report #1069728,
regarding freerdp2: CVE-2024-32039 CVE-2024-32040 CVE-2024-32041 CVE-2024-32458 
CVE-2024-32459 CVE-2024-32460
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1069728: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069728
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: freerdp2
Version: 2.11.5+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for freerdp2.

CVE-2024-32039[0]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| FreeRDP based clients using a version of FreeRDP prior to 3.5.0 or
| 2.11.6 are vulnerable to integer overflow and out-of-bounds write.
| Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, do not
| use `/gfx` options (e.g. deactivate with `/bpp:32` or `/rfx` as it
| is on by default).


CVE-2024-32040[1]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| FreeRDP based clients that use a version of FreeRDP prior to 3.5.0
| or 2.11.6 and have connections to servers using the `NSC` codec are
| vulnerable to integer underflow. Versions 3.5.0 and 2.11.6 patch the
| issue. As a workaround, do not use the NSC codec (e.g. use `-nsc`).


CVE-2024-32041[2]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| FreeRDP based clients that use a version of FreeRDP prior to 3.5.0
| or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and
| 2.11.6 patch the issue. As a workaround, deactivate `/gfx` (on by
| default), set `/bpp` or `/rfx` options instead.


CVE-2024-32458[3]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| FreeRDP based clients that use a version of FreeRDP prior to 3.5.0
| or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and
| 2.11.6 patch the issue. As a workaround, use `/gfx` or `/rfx` modes
| (on by default, require server side support).


CVE-2024-32459[4]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| FreeRDP based clients and servers that use a version of FreeRDP
| prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read.
| Versions 3.5.0 and 2.11.6 patch the issue. No known workarounds are
| available.


CVE-2024-32460[5]:
| FreeRDP is a free implementation of the Remote Desktop Protocol.
| FreeRDP based clients using `/bpp:32` legacy `GDI` drawing
| path with a version of FreeRDP prior to 3.5.0 or 2.11.6 are
| vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch
| the issue. As a workaround, use modern drawing paths (e.g. `/rfx` or
| `/gfx` options). The workaround requires server side support.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32039
    https://www.cve.org/CVERecord?id=CVE-2024-32039
[1] https://security-tracker.debian.org/tracker/CVE-2024-32040
    https://www.cve.org/CVERecord?id=CVE-2024-32040
[2] https://security-tracker.debian.org/tracker/CVE-2024-32041
    https://www.cve.org/CVERecord?id=CVE-2024-32041
[3] https://security-tracker.debian.org/tracker/CVE-2024-32458
    https://www.cve.org/CVERecord?id=CVE-2024-32458
[4] https://security-tracker.debian.org/tracker/CVE-2024-32459
    https://www.cve.org/CVERecord?id=CVE-2024-32459
[5] https://security-tracker.debian.org/tracker/CVE-2024-32460
    https://www.cve.org/CVERecord?id=CVE-2024-32460
[6] https://www.freerdp.com/2024/04/17/2_11_6-release

Regards,
Salvatore

--- End Message ---
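The report above lists the affected range and the close message below names the fixed Debian version, so the practical check on a fleet is "is the installed freerdp2 at or past 2.11.7+dfsg1-1?". The following is an added example, not code from the bug report or from the freerdp2 package: it implements dpkg's version ordering (epoch, upstream, Debian revision, with `~` sorting below everything and digit runs compared numerically) so the comparison is right for backport and `~rc` suffixes too. Function names are my own; the version strings are the ones quoted on this page.

```python
import re
from itertools import zip_longest

# Versions quoted on this page: the bug was filed against freerdp2
# 2.11.5+dfsg1-1 and closed by 2.11.7+dfsg1-1 (upstream fix: 2.11.6).
FIXED_DEBIAN_VERSION = "2.11.7+dfsg1-1"

def _weight(c):
    # dpkg character order: end of string is 0, '~' sorts below everything
    # (so 1~bpo12+1 < 1), letters sort before non-letters.
    if c in ("", "~"):
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(a, b):
    for ca, cb in zip_longest(a, b, fillvalue=""):
        wa, wb = _weight(ca), _weight(cb)
        if wa != wb:
            return -1 if wa < wb else 1
    return 0

def _cmp_fragment(a, b):
    # Alternate non-digit and digit runs; digit runs compare numerically.
    pa, pb = (re.findall(r"(\D*)(\d*)", s) for s in (a, b))
    for (na, da), (nb, db) in zip_longest(pa, pb, fillvalue=("", "")):
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def parse_version(v):
    # [epoch:]upstream[-debian_revision]; the last '-' starts the revision.
    m = re.fullmatch(r"(?:(\d+):)?(.*?)(?:-([^-]*))?", v)
    return int(m.group(1) or 0), m.group(2), m.group(3) or ""

def compare_versions(a, b):
    # -1, 0 or 1, ordering a against b the way dpkg --compare-versions does.
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_fixed(installed, fixed=FIXED_DEBIAN_VERSION):
    # True when the installed freerdp2 package is at or beyond the fixed one.
    return compare_versions(installed, fixed) >= 0
```

Feed it the output of `dpkg-query -W -f '${Version}' libfreerdp2-2` from each host; a backport such as `2.11.7+dfsg1-1~bpo12+1` correctly comes out as not yet fixed.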
--- Begin Message ---
Source: freerdp2
Source-Version: 2.11.7+dfsg1-1
Done: Mike Gabriel <sunwea...@debian.org>

We believe that the bug you reported is fixed in the latest version of
freerdp2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1069...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated freerdp2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 15 Jul 2024 16:46:25 +0200
Source: freerdp2
Architecture: source
Version: 2.11.7+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Remote Maintainers <debian-rem...@lists.debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Closes: 1069728 1073156
Changes:
 freerdp2 (2.11.7+dfsg1-1) unstable; urgency=medium
 .
   [ Mike Gabriel ]
   * New upstream release. (Closes: #1069728).
     + CVE-2024-32041 [Low] OutOfBound Read in zgfx_decompress_segment.
     + CVE-2024-32039 [Moderate] Integer overflow & OutOfBound Write in
       clear_decompress_residual_data.
     + CVE-2024-32040 [Low] integer underflow in nsc_rle_decode.
     + CVE-2024-32458 [Low] OutOfBound Read in planar_skip_plane_rle.
     + CVE-2024-32459 [Low] OutOfBound Read in ncrush_decompress.
     + CVE-2024-32460 [Low] OutOfBound Read in interleaved_decompress.
 .
   [ Nathan Pratta Teodosio ]
   * Add autopkgtest to test whether a client can connect
     to an XRDP server via freerdp2 and that the login screen shows up
     (Closes: #1073156) (LP: #2060976)


--- End Message ---