Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

2018-12-12 Thread Mike Gabriel
Hi Moritz,

On Wednesday, 12 December 2018, Moritz Mühlenhoff wrote:
> On Wed, Dec 12, 2018 at 03:46:10PM +, Mike Gabriel wrote:
> > Hi Moritz,
> > 
> > On  Di 11 Dez 2018 22:15:33 CET, Moritz Mühlenhoff wrote:
> > 
> > > On Tue, Dec 11, 2018 at 04:42:17PM +, Mike Gabriel wrote:
> > > > From my understanding the potential remote code executions that are
> > > > mentioned in the CVE descriptions are triggered by a malign server and 
> > > > the
> > > > code executions then happen on the client side.
> > > 
> > > Thanks for background.
> > > 
> > > Security issues only triggerable by a malicious RDP server are
> > > low impact, a malicious RDP server can mess with you in so many
> > > ways that client-side execution doesn't make a big difference.
> > > 
> > > This is certainly not something that would warrant an upgrade to
> > > freerdp2 in a stable release, but if patches for 1.1 materialise
> > > they could be shipped via a point update.
> > > 
> > > Cheers,
> > > Moritz
> > 
> > I will then look into patch backporting for LTS and upload them to stretch,
> > too, once I have got them worked out.
> 
> Ubuntu released an update earlier the day which also covered the 1.x
> versions, BTW.
> 

Nice! That will ease my day...

Mike

-- 
Sent from my Jolla

Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

2018-12-12 Thread Moritz Mühlenhoff
On Wed, Dec 12, 2018 at 03:46:10PM +, Mike Gabriel wrote:
> Hi Moritz,
> 
> On  Di 11 Dez 2018 22:15:33 CET, Moritz Mühlenhoff wrote:
> 
> > On Tue, Dec 11, 2018 at 04:42:17PM +, Mike Gabriel wrote:
> > > From my understanding the potential remote code executions that are
> > > mentioned in the CVE descriptions are triggered by a malign server and the
> > > code executions then happen on the client side.
> > 
> > Thanks for background.
> > 
> > Security issues only triggerable by a malicious RDP server are
> > low impact, a malicious RDP server can mess with you in so many
> > ways that client-side execution doesn't make a big difference.
> > 
> > This is certainly not something that would warrant an upgrade to
> > freerdp2 in a stable release, but if patches for 1.1 materialise
> > they could be shipped via a point update.
> > 
> > Cheers,
> > Moritz
> 
> I will then look into patch backporting for LTS and upload them to stretch,
> too, once I have got them worked out.

Ubuntu released an update earlier the day which also covered the 1.x
versions, BTW.

Cheers,
Moritz



Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

2018-12-12 Thread Mike Gabriel

Hi Moritz,

On  Di 11 Dez 2018 22:15:33 CET, Moritz Mühlenhoff wrote:


On Tue, Dec 11, 2018 at 04:42:17PM +, Mike Gabriel wrote:

From my understanding the potential remote code executions that are
mentioned in the CVE descriptions are triggered by a malign server and the
code executions then happen on the client side.


Thanks for background.

Security issues only triggerable by a malicious RDP server are
low impact, a malicious RDP server can mess with you in so many
ways that client-side execution doesn't make a big difference.

This is certainly not something that would warrant an upgrade to
freerdp2 in a stable release, but if patches for 1.1 materialise
they could be shipped via a point update.

Cheers,
Moritz


I will then look into patch backporting for LTS and upload them to  
stretch, too, once I have got them worked out.


Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de



pgpoVU8C0pNsg.pgp
Description: Digitale PGP-Signatur


Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

2018-12-11 Thread Jan Ingvoldstad

On 2018-12-11 22:15, Moritz Mühlenhoff wrote:

On Tue, Dec 11, 2018 at 04:42:17PM +, Mike Gabriel wrote:

 From my understanding the potential remote code executions that are
mentioned in the CVE descriptions are triggered by a malign server and the
code executions then happen on the client side.


Thanks for background.

Security issues only triggerable by a malicious RDP server are
low impact, a malicious RDP server can mess with you in so many
ways that client-side execution doesn't make a big difference.


That rhetoric is dangerous and false.

What's next, vulnerabilities in Apache or Nginx that can trigger 
client-side vulnerabilities in Firefox are irrelevant, because …?


--
Cheers,
Jan



Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

2018-12-11 Thread Moritz Mühlenhoff
On Tue, Dec 11, 2018 at 04:42:17PM +, Mike Gabriel wrote:
> From my understanding the potential remote code executions that are
> mentioned in the CVE descriptions are triggered by a malign server and the
> code executions then happen on the client side.

Thanks for background.

Security issues only triggerable by a malicious RDP server are
low impact, a malicious RDP server can mess with you in so many
ways that client-side execution doesn't make a big difference.

This is certainly not something that would warrant an upgrade to
freerdp2 in a stable release, but if patches for 1.1 materialise
they could be shipped via a point update.

Cheers,
Moritz



Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

2018-12-11 Thread Antoine Beaupré
Gah. Forgot to fix the CC here as well, sorry for the noise.

On 2018-12-11 10:05:53, Antoine Beaupré wrote:
> On 2018-12-10 17:44:51, Mike Gabriel wrote:
>> Hi,
>>
>> I'd like to discuss the possible pathways for getting FreeRDP fixed in  
>> Debian jessie LTS (and Debian stretch, too).
>>
>> Last week I talked to Bernhard Miklautz (one of the FreeRDP upsteam  
>> maintainers and the actual packager of FreeRDPv2 in Debian).
>>
>> 1. Looking at fixing FreeRDP v1.1 in jessie / stretch
>> -
>>
>> He sketched up the following pathway for getting freerdp (v1.1) fixed  
>> in Debian jessie (and stretch):
>>
>>* Backport https://github.com/FreeRDP/FreeRDP/pull/4499
>>  -> required for FreeRDP in jessie/stretch to be able to connect  
>> to current RDP servers
>> (not a security issue, but a functionality issue due to  
>> Microsoft updates rolled out
>> during Q1 / 2018).
>>  -> estimated effort: 1-2h
>>
>>* CVE-2018-8785: not needed for jessie / stretch (code not present)
>>
>>* CVE-2018-8786,
>>  CVE-2018-8789: estimated hours for all three: 1-2h
>>
>>* CVE-2018-8787: estimated hours: 1-2h
>>* CVE-2018-8788: can be become quite an effort, estimated time: 2h++
>>
>>* CVE-2018-8784: not needed for jessie / stretch (code not present)
>>
>>
>> While this sounds nice and feasible the underlying tone of investing  
>> so much work into FreeRDP v1.1 was a different one.
>>
>> E.g. the fix for CVE-2018-8789 should be quick and simple. But the  
>> surrounding code is buggy to a great extent, too.
>>
>> There have been so many stabilizing code fixes over the past 1-2 years.
>>
>>
>> 2. Backporting FreeRDP v2 from buster to jessie and stretch
>> 
>>
>> Another approach, with a more stable and usable result is backporting  
>> FreeRDP v2 to jessie and stretch right away.
>>
>> Most people (I hope) are using freerdp2-x11 from stretch-backports  
>> (plus remmina from stretch-bpo) on Debian stable these days (freerdp  
>> 1.1 in stretch is broken with Windows RDP servers that are up-to-date  
>> with their patch levels).
>>
>> libfreerdp-client1.1
>>Reverse Depends: freerdp-x11 (>= 
>> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>>Reverse Depends: libfreerdp-dbg (=  
>> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>>Reverse Depends: libfreerdp-dev (=  
>> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>>Reverse Depends: libguac-client-rdp0 (>= 0.8.3-1+b2)
>>Reverse Depends: libxfreerdp-client1.1 (>=  
>> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>>Reverse Depends: remmina-plugin-rdp (>= 1.1.1-2)
>>Reverse Depends: vlc (>= 2.2.7-1~deb8u1)
>> freerdp-x11
>>Reverse Depends: freerdp-x11-dbg (=  
>> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>>Reverse Depends: ltsp-client (5.5.4-4)
>>
>> So the plan could be this:
>>
>>- rebuild freerdp (v1.1) as a shared libs package only, drop  
>> freerdp-x11 (which
>>  contains the command line tool)
>>
>>- backport freerdp2 from Debian unstable to jessie/stretch
>>- backport remmina from Debian unstable to jessie/stretch
>>- rebuild vlc in jessie (and possibly stretch, too) without RDP support
>>- ltsp-client: adapt command line syntax to new FreeRDP2 cli style
>
> That sounds like a large change, especially about dropping RDP support
> from VLC... Do we have any idea about how VLC uses RDP and how many of
> our users expect that to work in the first place? How about changes in
> remmima?
>
>>- libguac-client-rdp0: leave as is... Guacamole upstream still believes in
>>  FreeRDP v1.1 shared lib API...
>
> "Believes"? I don't understand this point...
>
>> Summary
>> ---
>>
>> Before going any deeper into this, I'd love to get some feedback from  
>> the LTS and the security team about the proposed strategies. Are there  
>> other possible pathways to go? If so, please share yours.
>>
>> The FreeRDP v1.1 backporting work (8-10 hours) would have to be  
>> outsourced to ThinCast in Austria (where most FreeRDP upstream devs  
>> work these days).
>
> I don't know of any other pathways, but from what I understand we have
> some extra hours to spare, so we could allow ourselves such an expense
> to keep jessie ... "stable". :)
>
> A.
> -- 
> Dans vos mensonges de pierre
> Vous gaspillez le soleil
> - Gilles Vigneault

-- 
Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are, by
definition, not smart enough to debug it.
- Brian W. Kernighan



Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

2018-12-11 Thread Mike Gabriel

Hi Moritz,

On  Mo 10 Dez 2018 22:30:34 CET, Moritz Mühlenhoff wrote:


On Mon, Dec 10, 2018 at 05:44:51PM +, Mike Gabriel wrote:

Hi,

I'd like to discuss the possible pathways for getting FreeRDP fixed in
Debian jessie LTS (and Debian stretch, too).


debian-security@ldo is not the proper contact address, I've fixed
the recipient list.


Ok. Thanks.


Last week I talked to Bernhard Miklautz (one of the FreeRDP upsteam
maintainers and the actual packager of FreeRDPv2 in Debian).

1. Looking at fixing FreeRDP v1.1 in jessie / stretch
-

He sketched up the following pathway for getting freerdp (v1.1) fixed in
Debian jessie (and stretch):


What is the impact/scope of the individual issues? The individual commit
messages are quite scarce. Are these exploitable by the server or
a connecting client or vice versa?


First of all, FreeRDP in jessie/stretch never built the FreeRDP Server  
code as it was to immature at that time.


So, let's assume that FreeRDP in jessie/stretch only acts as a client  
against a malign server.


  * CVE-2018-8786: client affected, if a malign server sends over a  
malign bitmap


  * CVE-2018-8789: unclear to me, issue in WinPR (which is the  
FreeRDP toolbox, sloppily spoken, immitating

Windows API)

  * CVE-2018-8787: client affected, if a malign server sends over a  
malign bitmap
  * CVE-2018-8788: client affected, if a malign server uses NScoded  
and sends over a malign bitmap


From my understanding the potential remote code executions that are  
mentioned in the CVE descriptions are triggered by a malign server and  
the code executions then happen on the client side.


I have Cc:ed Bernhard so that he can negate or confirm my above  
estimations (as I am not an expert for FreeRDP upstream code).


Thanks+Greets,
Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de



pgpvJneVsGWQl.pgp
Description: Digitale PGP-Signatur


Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

2018-12-11 Thread Antoine Beaupré
On 2018-12-10 17:44:51, Mike Gabriel wrote:
> Hi,
>
> I'd like to discuss the possible pathways for getting FreeRDP fixed in  
> Debian jessie LTS (and Debian stretch, too).
>
> Last week I talked to Bernhard Miklautz (one of the FreeRDP upsteam  
> maintainers and the actual packager of FreeRDPv2 in Debian).
>
> 1. Looking at fixing FreeRDP v1.1 in jessie / stretch
> -
>
> He sketched up the following pathway for getting freerdp (v1.1) fixed  
> in Debian jessie (and stretch):
>
>* Backport https://github.com/FreeRDP/FreeRDP/pull/4499
>  -> required for FreeRDP in jessie/stretch to be able to connect  
> to current RDP servers
> (not a security issue, but a functionality issue due to  
> Microsoft updates rolled out
> during Q1 / 2018).
>  -> estimated effort: 1-2h
>
>* CVE-2018-8785: not needed for jessie / stretch (code not present)
>
>* CVE-2018-8786,
>  CVE-2018-8789: estimated hours for all three: 1-2h
>
>* CVE-2018-8787: estimated hours: 1-2h
>* CVE-2018-8788: can be become quite an effort, estimated time: 2h++
>
>* CVE-2018-8784: not needed for jessie / stretch (code not present)
>
>
> While this sounds nice and feasible the underlying tone of investing  
> so much work into FreeRDP v1.1 was a different one.
>
> E.g. the fix for CVE-2018-8789 should be quick and simple. But the  
> surrounding code is buggy to a great extent, too.
>
> There have been so many stabilizing code fixes over the past 1-2 years.
>
>
> 2. Backporting FreeRDP v2 from buster to jessie and stretch
> 
>
> Another approach, with a more stable and usable result is backporting  
> FreeRDP v2 to jessie and stretch right away.
>
> Most people (I hope) are using freerdp2-x11 from stretch-backports  
> (plus remmina from stretch-bpo) on Debian stable these days (freerdp  
> 1.1 in stretch is broken with Windows RDP servers that are up-to-date  
> with their patch levels).
>
> libfreerdp-client1.1
>Reverse Depends: freerdp-x11 (>= 
> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>Reverse Depends: libfreerdp-dbg (=  
> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>Reverse Depends: libfreerdp-dev (=  
> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>Reverse Depends: libguac-client-rdp0 (>= 0.8.3-1+b2)
>Reverse Depends: libxfreerdp-client1.1 (>=  
> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>Reverse Depends: remmina-plugin-rdp (>= 1.1.1-2)
>Reverse Depends: vlc (>= 2.2.7-1~deb8u1)
> freerdp-x11
>Reverse Depends: freerdp-x11-dbg (=  
> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
>Reverse Depends: ltsp-client (5.5.4-4)
>
> So the plan could be this:
>
>- rebuild freerdp (v1.1) as a shared libs package only, drop  
> freerdp-x11 (which
>  contains the command line tool)
>
>- backport freerdp2 from Debian unstable to jessie/stretch
>- backport remmina from Debian unstable to jessie/stretch
>- rebuild vlc in jessie (and possibly stretch, too) without RDP support
>- ltsp-client: adapt command line syntax to new FreeRDP2 cli style

That sounds like a large change, especially about dropping RDP support
from VLC... Do we have any idea about how VLC uses RDP and how many of
our users expect that to work in the first place? How about changes in
remmima?

>- libguac-client-rdp0: leave as is... Guacamole upstream still believes in
>  FreeRDP v1.1 shared lib API...

"Believes"? I don't understand this point...

> Summary
> ---
>
> Before going any deeper into this, I'd love to get some feedback from  
> the LTS and the security team about the proposed strategies. Are there  
> other possible pathways to go? If so, please share yours.
>
> The FreeRDP v1.1 backporting work (8-10 hours) would have to be  
> outsourced to ThinCast in Austria (where most FreeRDP upstream devs  
> work these days).

I don't know of any other pathways, but from what I understand we have
some extra hours to spare, so we could allow ourselves such an expense
to keep jessie ... "stable". :)

A.
-- 
Dans vos mensonges de pierre
Vous gaspillez le soleil
- Gilles Vigneault



Re: Addressing FreeRDP security issues in Debian jessie (and stretch)

2018-12-10 Thread Moritz Mühlenhoff
On Mon, Dec 10, 2018 at 05:44:51PM +, Mike Gabriel wrote:
> Hi,
> 
> I'd like to discuss the possible pathways for getting FreeRDP fixed in
> Debian jessie LTS (and Debian stretch, too).

debian-security@ldo is not the proper contact address, I've fixed
the recipient list.

> Last week I talked to Bernhard Miklautz (one of the FreeRDP upsteam
> maintainers and the actual packager of FreeRDPv2 in Debian).
> 
> 1. Looking at fixing FreeRDP v1.1 in jessie / stretch
> -
> 
> He sketched up the following pathway for getting freerdp (v1.1) fixed in
> Debian jessie (and stretch):

What is the impact/scope of the individual issues? The individual commit
messages are quite scarce. Are these exploitable by the server or
a connecting client or vice versa?

Cheers,
Moritz



Addressing FreeRDP security issues in Debian jessie (and stretch)

2018-12-10 Thread Mike Gabriel

Hi,

I'd like to discuss the possible pathways for getting FreeRDP fixed in  
Debian jessie LTS (and Debian stretch, too).


Last week I talked to Bernhard Miklautz (one of the FreeRDP upsteam  
maintainers and the actual packager of FreeRDPv2 in Debian).


1. Looking at fixing FreeRDP v1.1 in jessie / stretch
-

He sketched up the following pathway for getting freerdp (v1.1) fixed  
in Debian jessie (and stretch):


  * Backport https://github.com/FreeRDP/FreeRDP/pull/4499
-> required for FreeRDP in jessie/stretch to be able to connect  
to current RDP servers
   (not a security issue, but a functionality issue due to  
Microsoft updates rolled out

   during Q1 / 2018).
-> estimated effort: 1-2h

  * CVE-2018-8785: not needed for jessie / stretch (code not present)

  * CVE-2018-8786,
CVE-2018-8789: estimated hours for all three: 1-2h

  * CVE-2018-8787: estimated hours: 1-2h
  * CVE-2018-8788: can be become quite an effort, estimated time: 2h++

  * CVE-2018-8784: not needed for jessie / stretch (code not present)


While this sounds nice and feasible the underlying tone of investing  
so much work into FreeRDP v1.1 was a different one.


E.g. the fix for CVE-2018-8789 should be quick and simple. But the  
surrounding code is buggy to a great extent, too.


There have been so many stabilizing code fixes over the past 1-2 years.


2. Backporting FreeRDP v2 from buster to jessie and stretch


Another approach, with a more stable and usable result is backporting  
FreeRDP v2 to jessie and stretch right away.


Most people (I hope) are using freerdp2-x11 from stretch-backports  
(plus remmina from stretch-bpo) on Debian stable these days (freerdp  
1.1 in stretch is broken with Windows RDP servers that are up-to-date  
with their patch levels).


libfreerdp-client1.1
  Reverse Depends: freerdp-x11 (>= 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
  Reverse Depends: libfreerdp-dbg (=  
1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)
  Reverse Depends: libfreerdp-dev (=  
1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)

  Reverse Depends: libguac-client-rdp0 (>= 0.8.3-1+b2)
  Reverse Depends: libxfreerdp-client1.1 (>=  
1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)

  Reverse Depends: remmina-plugin-rdp (>= 1.1.1-2)
  Reverse Depends: vlc (>= 2.2.7-1~deb8u1)
freerdp-x11
  Reverse Depends: freerdp-x11-dbg (=  
1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1)

  Reverse Depends: ltsp-client (5.5.4-4)

So the plan could be this:

  - rebuild freerdp (v1.1) as a shared libs package only, drop  
freerdp-x11 (which

contains the command line tool)

  - backport freerdp2 from Debian unstable to jessie/stretch
  - backport remmina from Debian unstable to jessie/stretch
  - rebuild vlc in jessie (and possibly stretch, too) without RDP support
  - ltsp-client: adapt command line syntax to new FreeRDP2 cli style

  - libguac-client-rdp0: leave as is... Guacamole upstream still believes in
FreeRDP v1.1 shared lib API...

Summary
---

Before going any deeper into this, I'd love to get some feedback from  
the LTS and the security team about the proposed strategies. Are there  
other possible pathways to go? If so, please share yours.


The FreeRDP v1.1 backporting work (8-10 hours) would have to be  
outsourced to ThinCast in Austria (where most FreeRDP upstream devs  
work these days).


Looking forward to your ideas and comments,
Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de



pgp9LzgYB_zPq.pgp
Description: Digitale PGP-Signatur