Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e4158ee1 by Sylvain Beucler at 2023-12-01T10:15:50+01:00
CVE-2023-40188/freerdp2: notes on ghsa inconsistencies

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -14856,7 +14856,12 @@ CVE-2023-40188 (FreeRDP is a free implementation of 
the Remote Desktop Protocol
        [bookworm] - freerdp2 <no-dsa> (Minor issue)
        [bullseye] - freerdp2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9w28-wwj5-p4xq
+       NOTE: Upstream reported the following fix through 
https://salsa.debian.org/-/snippets/662:
        NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/bdb3909a7713fb0b3d94c9676fe44d19de80eb4b
 (2.11.0)
+       NOTE: But, the advisory is inconsistent: it references 
'general_LumaToYUV444' and 'in', while the code
+       NOTE: excerpt and stack trace (which is strikingly similar to 
CVE-2023-39354) are focused on 'rsc_rle_decode'.
+       NOTE: The commit bdb3909a above looks unrelated. Ubuntu used one of 
CVE-2023-39354's patches:
+       NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/9a1ee1bae5a9561f5031a7b69129f10458b62d4a
 (2.11.0)
 CVE-2023-40187 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
        - freerdp2 <not-affected> (Vulnerable code introduced in 3.0.0-beta1)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-pwf9-v5p9-ch4f
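
Review bot: The added NOTE lines leave two candidate fix commits on the CVE-2023-40188 entry, bdb3909a and 9a1ee1ba, both tagged (2.11.0), and say bdb3909a "looks unrelated" without stating which commit the tracker treats as the fix. The bookworm and bullseye lines stay <no-dsa>, so anyone backporting later has to re-derive that conclusion; consider closing the block with one explicit NOTE that names the commit to backport, or that says the question is still open with upstream. In the line quoting the advisory, the bare 'in' next to 'general_LumaToYUV444' reads like a preposition; saying what kind of identifier it is would make the inconsistency easier to follow.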



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4158ee1b0ca78e10923a10af742773779ab6dde
