[Git][security-tracker-team/security-tracker][master] CVE-2023-40188/freerdp2: notes on ghsa inconsistencies
Sylvain Beucler (@beuc)
beuc at debian.org
Fri Dec 1 09:16:10 GMT 2023
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e4158ee1 by Sylvain Beucler at 2023-12-01T10:15:50+01:00
CVE-2023-40188/freerdp2: notes on ghsa inconsistencies
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -14856,7 +14856,12 @@ CVE-2023-40188 (FreeRDP is a free implementation of the Remote Desktop Protocol
[bookworm] - freerdp2 <no-dsa> (Minor issue)
[bullseye] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9w28-wwj5-p4xq
+ NOTE: Upstream reported the following fix through https://salsa.debian.org/-/snippets/662:
NOTE: https://github.com/FreeRDP/FreeRDP/commit/bdb3909a7713fb0b3d94c9676fe44d19de80eb4b (2.11.0)
+ NOTE: But, the advisory is inconsistent: it references 'general_LumaToYUV444' and 'in', while the code
+ NOTE: excerpt and stack trace (which is strikingly similar to CVE-2023-39354) are focused on 'rsc_rle_decode'.
+ NOTE: The commit bdb3909a above looks unrelated. Ubuntu used one of CVE-2023-39354's patches:
+ NOTE: https://github.com/FreeRDP/FreeRDP/commit/9a1ee1bae5a9561f5031a7b69129f10458b62d4a (2.11.0)
CVE-2023-40187 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...)
- freerdp2 <not-affected> (Vulnerable code introduced in 3.0.0-beta1)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-pwf9-v5p9-ch4f
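Review bot: the added NOTE lines for CVE-2023-40188 explain why commit bdb3909a looks unrelated and that Ubuntu shipped commit 9a1ee1ba from CVE-2023-39354, but the entry still does not record which commit the tracker itself treats as the fix for freerdp2, so anyone preparing a bullseye or bookworm update would have to re-derive the conclusion from these notes. Consider adding one more NOTE that states the position explicitly, for example "NOTE: Fixed by 9a1ee1ba (CVE-2023-39354) in freerdp2; bdb3909a not needed" or "NOTE: Actual fixing commit unclear, asked upstream", so the two <no-dsa> lines carry an actionable fixing reference rather than only the description of the GHSA inconsistency.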
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4158ee1b0ca78e10923a10af742773779ab6dde
More information about the debian-security-tracker-commits mailing list