rdesktop 1.5.0 multiple remote vulnerabilities [CVE-2008-1801, -1802, -1803]
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | rdesktop (Ubuntu) |
Undecided
|
Unassigned | ||
| | Dapper |
Undecided
|
Jamie Strandboge | ||
| | Feisty |
Undecided
|
Jamie Strandboge | ||
| | Gutsy |
Undecided
|
Jamie Strandboge | ||
| | Hardy |
Undecided
|
Jamie Strandboge | ||
Bug Description
Binary package hint: rdesktop
* CVE-2008-1801: iso_recv_msg() integer underflow
Description by iDefense:
"Remote exploitation of an integer underflow vulnerability in rdesktop
[...] allows attackers to execute arbitrary code with the privileges of
the logged-in user.
The vulnerability exists within the code responsible for reading in an
RDP request. When reading a request, a 16-bit integer value that
represents the number of bytes that follow is taken from the packet.
This value is then decremented by 4, and used to calculate how many
bytes to read into a heap buffer. The subtraction operation can
underflow, which will then lead to the heap buffer being overflowed."
Addressed in CVS revision 1.20 of iso.c
http://
Original advisory: http://
* CVE-2008-1802: process_
Description by iDefense:
"Remote exploitation of a BSS overflow vulnerability in rdesktop [...]
allows attackers to execute arbitrary code with the privileges of the
logged-in user.
The vulnerability exists within the code responsible for reading in an
RDP redirect request. This request is used to redirect an RDP
connection from one server to another. When parsing the redirect
request, the rdesktop client reads several 32-bit integers from the
request packet. These integers are then used to control the number of
bytes read into statically allocated buffers. This results in several
buffers located in the BSS section being overflowed, which can lead to
the execution of arbitrary code."
Addressed in CVS revision 1.102 of rdp.c
http://
Original advisory: http://
* CVE-2008-1803: channel_process() integer signedness vulnerability
Description by iDefense:
"Remote exploitation of an integer signedness vulnerability in rdesktop
[...] allows attackers to execute arbitrary code with the privileges of
the logged-in user.
The vulnerability exists within the code responsible for reallocating
dynamic buffers. The rdesktop xrealloc() function uses a signed
comparison to determine if the requested allocation size is less than
1. When this occurs, the function will incorrectly set the allocation
size to be 1. This results in an improperly sized heap buffer being
allocated, which can later be overflowed."
Addressed in CVS revision 1.162 of rdesktop.c
http://
Original advisory: http://
| Fridtjof Busse (fbusse-deactivatedaccount-deactivatedaccount) wrote | #1 |
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in rdesktop: | |
| status: | New → Fix Released |
| Till Ulen (tillulen) wrote | #3 |
| Changed in rdesktop: | |
| status: | Fix Released → Fix Committed |
| Changed in rdesktop: | |
| status: | Fix Committed → Fix Released |
| Changed in rdesktop: | |
| assignee: | nobody → jdstrand |
| status: | New → Triaged |
| assignee: | nobody → jdstrand |
| status: | New → Triaged |
| assignee: | nobody → jdstrand |
| status: | New → Triaged |
| assignee: | nobody → jdstrand |
| status: | New → Triaged |
| Changed in rdesktop: | |
| status: | Triaged → Fix Committed |
| status: | Triaged → Fix Committed |
| status: | Triaged → Fix Committed |
| status: | Triaged → Fix Committed |
| Launchpad Janitor (janitor) wrote | #4 |
| Launchpad Janitor (janitor) wrote | #5 |
| Launchpad Janitor (janitor) wrote | #6 |
| Changed in rdesktop: | |
| status: | Fix Committed → Fix Released |
| status: | Fix Committed → Fix Released |
| status: | Fix Committed → Fix Released |
| Jamie Strandboge (jdstrand) wrote | #7 |
| Changed in rdesktop: | |
| status: | Fix Committed → Fix Released |
This bug has been fixed in rdesktop 1.6.0, please bump the version.