*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Kees Cook (kees):

Binary package hint: rdesktop

* CVE-2008-1801: iso_recv_msg() integer underflow

Description by iDefense:
"Remote exploitation of an integer underflow vulnerability in rdesktop [...] allows attackers to execute arbitrary code with the privileges of the logged-in user. The vulnerability exists within the code responsible for reading in an RDP request. When reading a request, a 16-bit integer value that represents the number of bytes that follow is taken from the packet. This value is then decremented by 4, and used to calculate how many bytes to read into a heap buffer. The subtraction operation can underflow, which will then lead to the heap buffer being overflowed."

Addressed in CVS revision 1.20 of iso.c
http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/iso.c?annotate=1.20&diff_format=h&pathrev=HEAD#l101

Original advisory:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=696

* CVE-2008-1802: process_redirect_pdu() BSS overflow vulnerability

Description by iDefense:
"Remote exploitation of a BSS overflow vulnerability in rdesktop [...] allows attackers to execute arbitrary code with the privileges of the logged-in user. The vulnerability exists within the code responsible for reading in an RDP redirect request. This request is used to redirect an RDP connection from one server to another. When parsing the redirect request, the rdesktop client reads several 32-bit integers from the request packet. These integers are then used to control the number of bytes read into statically allocated buffers. This results in several buffers located in the BSS section being overflowed, which can lead to the execution of arbitrary code."

Addressed in CVS revision 1.102 of rdp.c
http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/rdp.c?annotate=1.102&pathrev=HEAD#l1337

Original advisory:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=697

* CVE-2008-1803: channel_process() integer signedness vulnerability

Description by iDefense:
"Remote exploitation of an integer signedness vulnerability in rdesktop [...] allows attackers to execute arbitrary code with the privileges of the logged-in user. The vulnerability exists within the code responsible for reallocating dynamic buffers. The rdesktop xrealloc() function uses a signed comparison to determine if the requested allocation size is less than 1. When this occurs, the function will incorrectly set the allocation size to be 1. This results in an improperly sized heap buffer being allocated, which can later be overflowed."

Addressed in CVS revision 1.162 of rdesktop.c
http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/rdesktop.c?view=diff&pathrev=HEAD&r1=text&tr1=1.162&r2=text&tr2=1.118&diff_format=h#l1134

Original advisory:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=698

** Affects: rdesktop (Ubuntu)
   Importance: Undecided
   Status: Fix Released

** Affects: rdesktop (Ubuntu Dapper)
   Importance: Undecided
   Status: New

** Affects: rdesktop (Ubuntu Feisty)
   Importance: Undecided
   Status: New

** Affects: rdesktop (Ubuntu Gutsy)
   Importance: Undecided
   Status: New

** Affects: rdesktop (Ubuntu Hardy)
   Importance: Undecided
   Status: New

--
rdesktop 1.5.0 multiple remote vulnerabilities [CVE-2008-1801, -1802, -1803]
https://bugs.edge.launchpad.net/bugs/228193
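
The length arithmetic described for CVE-2008-1801, as an added example that is not rdesktop's code and not part of the original report: the unchecked subtraction beside a bounds-checked version. The function names, the 4-byte header layout and the sample headers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 4u /* the 4 bytes subtracted in the advisory's description */

/* Unchecked pattern: the 16-bit length is decremented by 4 and the result
 * is used as a byte count. Any wire_len below 4 wraps to a huge value. */
static uint32_t remaining_unchecked(uint16_t wire_len)
{
    return (uint32_t)(wire_len - 4);
}

/* Hardened pattern: validate before subtracting. Returns 0 and stores the
 * payload size on success, -1 if the length is too small or too large. */
static int remaining_checked(const uint8_t *hdr, size_t hdr_avail,
                             size_t buf_cap, size_t *payload_len)
{
    uint16_t wire_len;

    if (hdr == NULL || payload_len == NULL || hdr_avail < HDR_LEN)
        return -1;
    /* Assumed layout: bytes 2..3 hold the total length, big-endian. */
    wire_len = (uint16_t)((hdr[2] << 8) | hdr[3]);
    if (wire_len < HDR_LEN)
        return -1; /* subtraction would underflow */
    if ((size_t)(wire_len - HDR_LEN) > buf_cap)
        return -1; /* payload would not fit the destination buffer */
    *payload_len = (size_t)(wire_len - HDR_LEN);
    return 0;
}

int main(void)
{
    /* Constructed sample headers: version, reserved, length hi, length lo. */
    const uint8_t good[4] = { 3, 0, 0x00, 0x10 };
    const uint8_t tiny[4] = { 3, 0, 0x00, 0x02 };
    size_t n = 0;
    int rc;

    printf("unchecked(2) = %u\n", (unsigned)remaining_unchecked(2));
    rc = remaining_checked(good, sizeof good, 4096, &n);
    printf("checked(good) rc=%d payload=%zu\n", rc, n);
    rc = remaining_checked(tiny, sizeof tiny, 4096, &n);
    printf("checked(tiny) rc=%d\n", rc);
    return 0;
}
```

The upper-bound check against `buf_cap` matters as much as the lower bound: a length that passes the underflow test can still exceed the destination buffer.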
