rdesktop 1.5.0 multiple remote vulnerabilities [CVE-2008-1801, -1802, -1803]
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
| rdesktop (Ubuntu) |
Undecided
|
Unassigned | ||
| Dapper |
Undecided
|
Jamie Strandboge | ||
| Feisty |
Undecided
|
Jamie Strandboge | ||
| Gutsy |
Undecided
|
Jamie Strandboge | ||
| Hardy |
Undecided
|
Jamie Strandboge |
Bug Description
Binary package hint: rdesktop
* CVE-2008-1801: iso_recv_msg() integer underflow
Description by iDefense:
"Remote exploitation of an integer underflow vulnerability in rdesktop
[...] allows attackers to execute arbitrary code with the privileges of
the logged-in user.
The vulnerability exists within the code responsible for reading in an
RDP request. When reading a request, a 16-bit integer value that
represents the number of bytes that follow is taken from the packet.
This value is then decremented by 4, and used to calculate how many
bytes to read into a heap buffer. The subtraction operation can
underflow, which will then lead to the heap buffer being overflowed."
Addressed in CVS revision 1.20 of iso.c
http://
Original advisory: http://
* CVE-2008-1802: process_
Description by iDefense:
"Remote exploitation of a BSS overflow vulnerability in rdesktop [...]
allows attackers to execute arbitrary code with the privileges of the
logged-in user.
The vulnerability exists within the code responsible for reading in an
RDP redirect request. This request is used to redirect an RDP
connection from one server to another. When parsing the redirect
request, the rdesktop client reads several 32-bit integers from the
request packet. These integers are then used to control the number of
bytes read into statically allocated buffers. This results in several
buffers located in the BSS section being overflowed, which can lead to
the execution of arbitrary code."
Addressed in CVS revision 1.102 of rdp.c
http://
Original advisory: http://
* CVE-2008-1803: channel_process() integer signedness vulnerability
Description by iDefense:
"Remote exploitation of an integer signedness vulnerability in rdesktop
[...] allows attackers to execute arbitrary code with the privileges of
the logged-in user.
The vulnerability exists within the code responsible for reallocating
dynamic buffers. The rdesktop xrealloc() function uses a signed
comparison to determine if the requested allocation size is less than
1. When this occurs, the function will incorrectly set the allocation
size to be 1. This results in an improperly sized heap buffer being
allocated, which can later be overflowed."
Addressed in CVS revision 1.162 of rdesktop.c
http://
Original advisory: http://
Launchpad Janitor (janitor) wrote : | #2 |
This bug was fixed in the package rdesktop - 1.6.0-0ubuntu1
---------------
rdesktop (1.6.0-0ubuntu1) intrepid; urgency=low
* merge new upstream version. LP: #235160
* new upstream fixes security issues. LP: #228193
* replace x-dev with libx11-dev in build-depends.
* build with alsa support. add libasound2-dev and libsamplerate to build
dependencies. LP: #231997
-- Reinhard Tartler <email address hidden> Tue, 27 May 2008 23:48:23 +0200
Changed in rdesktop: | |
status: | New → Fix Released |
Till Ulen (tillulen) wrote : | #3 |
What about the releases before Intrepid?
Changed in rdesktop: | |
status: | Fix Released → Fix Committed |
Changed in rdesktop: | |
status: | Fix Committed → Fix Released |
Changed in rdesktop: | |
assignee: | nobody → jdstrand |
status: | New → Triaged |
assignee: | nobody → jdstrand |
status: | New → Triaged |
assignee: | nobody → jdstrand |
status: | New → Triaged |
assignee: | nobody → jdstrand |
status: | New → Triaged |
Changed in rdesktop: | |
status: | Triaged → Fix Committed |
status: | Triaged → Fix Committed |
status: | Triaged → Fix Committed |
status: | Triaged → Fix Committed |
Launchpad Janitor (janitor) wrote : | #4 |
This bug was fixed in the package rdesktop - 1.5.0-3+
---------------
rdesktop (1.5.0-
* SECURITY UPDATE: fix integer overflow in iso.c that could cause denial
of service or possibly remote code execution
* SECURITY UPDATE: fix buffer overflow in rdp.c that could cause allow
remote code execution via redirect requests
* SECURITY UPDATE: fix integer signedness error that may allow remote
code execution via heap-based overflow
* References
CVE-2008-1801
CVE-2008-1802
CVE-2008-1803
LP: #228193
-- Jamie Strandboge <email address hidden> Tue, 16 Sep 2008 18:11:42 -0500
Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package rdesktop - 1.5.0-2ubuntu0.1
---------------
rdesktop (1.5.0-2ubuntu0.1) gutsy-security; urgency=low
* SECURITY UPDATE: fix integer overflow in iso.c that could cause denial
of service or possibly remote code execution
* SECURITY UPDATE: fix buffer overflow in rdp.c that could cause allow
remote code execution via redirect requests
* SECURITY UPDATE: fix integer signedness error that may allow remote
code execution via heap-based overflow
* References
CVE-2008-1801
CVE-2008-1802
CVE-2008-1803
LP: #228193
-- Jamie Strandboge <email address hidden> Tue, 16 Sep 2008 18:19:00 -0500
Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package rdesktop - 1.5.0-1ubuntu1.1
---------------
rdesktop (1.5.0-1ubuntu1.1) feisty-security; urgency=low
* SECURITY UPDATE: fix integer overflow in iso.c that could cause denial
of service or possibly remote code execution
* SECURITY UPDATE: fix buffer overflow in rdp.c that could cause allow
remote code execution via redirect requests
* SECURITY UPDATE: fix integer signedness error that may allow remote
code execution via heap-based overflow
* References
CVE-2008-1801
CVE-2008-1802
CVE-2008-1803
LP: #228193
-- Jamie Strandboge <email address hidden> Wed, 17 Sep 2008 16:00:53 -0500
Changed in rdesktop: | |
status: | Fix Committed → Fix Released |
status: | Fix Committed → Fix Released |
status: | Fix Committed → Fix Released |
Jamie Strandboge (jdstrand) wrote : | #7 |
Changed in rdesktop: | |
status: | Fix Committed → Fix Released |
This bug has been fixed in rdesktop 1.6.0, please bump the version.