Re: CVE Request -- FreeRDP: Multiple security fixes in 1.1.0-beta1 version

[Bernhard Miklautz <bmiklautz () thinstuff at>]

Hi Kurt,

On Thu, Jul 11, 2013 at 12:48:19PM -0600, Kurt Seifried wrote:
> > (some time ago) FreeRDP upstream has released 1.1.0-beta1 version: 
> > [1] http://sourceforge.net/mailarchive/message.php?msg_id=30591956
to clarify our current stable version is 1.0.2. FreeRDP version 1.1.0 is *beta* and 
still under development and therefore not stable or production ready and 
subject to frequent changes (as [1] also stated).

> > correcting multiple security flaws: * library / client side fixes: 
> > https://github.com/FreeRDP/FreeRDP/pull/887
> Can someone from upstream confirm if these are hardening or a security fix?
Hardening.

> > https://github.com/FreeRDP/FreeRDP/commit/0dc22d5a30a1c7d146b2a835b2032668127c33e9
> > https://github.com/FreeRDP/FreeRDP/commit/bceec083677a609ba2f06cc75924ab0accac5388
> Can someone from upstream confirm if these are hardening or a security fix?
Neither nor.

> > * server side fixes: 
> > https://github.com/FreeRDP/FreeRDP/commit/7d58aac24fe20ffaad7bd9b40c9ddf457c1b06e7
> Please use CVE-2013-4118 for this issue.

> > https://github.com/FreeRDP/FreeRDP/commit/0773bb9303d24473fe1185d85a424dfe159aff53
> Please use CVE-2013-4119 for this issue.

There might also be some misunderstanding. The initial CVE request stated that
1.1.0-beta1 corrected these flaws but as a matter of fact only the commits from pull request 
887 and commit 7d58aac24fe20ffaad7bd9b40c9ddf457c1b06e7 are contained. - The other issues are 
fixed in our git master branch. 

We've created a snapshot that contains all the fixes mentioned above:

http://pub.freerdp.com/releases/freerdp-1.1.0-beta+2013071101.tar.gz
md5: 108f8404b210ea789226cbca65c43724
sha1: a79d0174b0487abb900601c67572aa6dbfc12629

We will also review our current stable version to check if the issues 
exist there as well and publish an update if required.

Thank you,
best regards,
Bernhard