[Git][security-tracker-team/security-tracker][master] CVE-2023-39354,CVE-2023-40188: clarify context and commits
Sylvain Beucler (@beuc)
beuc at debian.org
Mon Jan 15 16:50:50 GMT 2024
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8fb6ecdc by Sylvain Beucler at 2024-01-15T17:50:28+01:00
CVE-2023-39354,CVE-2023-40188: clarify context and commits
DLA-3606-1 incorporated the 2 patches, no changes.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -23305,7 +23305,6 @@ CVE-2023-39354 (FreeRDP is a free implementation of the Remote Desktop Protocol
[bullseye] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c3r2-pxxp-f8r6
NOTE: https://github.com/FreeRDP/FreeRDP/commit/82ac0164f330c08ddd9a6ef6f3dbf846c4b79def (2.11.0)
- NOTE: https://github.com/FreeRDP/FreeRDP/commit/9a1ee1bae5a9561f5031a7b69129f10458b62d4a (2.11.0)
CVE-2023-39353 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...)
{DLA-3606-1}
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
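Review bot: dropping the 9a1ee1ba reference from CVE-2023-39354 leaves this entry with a single fix commit (82ac0164) and no pointer to where the second one went; since 9a1ee1ba is kept under CVE-2023-40188 in the next hunk and the commit message says DLA-3606-1 shipped both patches, consider a short line such as `NOTE: 9a1ee1ba is tracked under CVE-2023-40188` so the DLA's patch set stays traceable from this entry.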
@@ -23542,11 +23541,8 @@ CVE-2023-40188 (FreeRDP is a free implementation of the Remote Desktop Protocol
[bookworm] - freerdp2 <no-dsa> (Minor issue)
[bullseye] - freerdp2 <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9w28-wwj5-p4xq
- NOTE: Upstream reported the following fix through https://salsa.debian.org/-/snippets/662:
- NOTE: https://github.com/FreeRDP/FreeRDP/commit/bdb3909a7713fb0b3d94c9676fe44d19de80eb4b (2.11.0)
- NOTE: But, the advisory is inconsistent: it references 'general_LumaToYUV444' and 'in', while the code
- NOTE: excerpt and stack trace (which is strikingly similar to CVE-2023-39354) are focused on 'rsc_rle_decode'.
- NOTE: The commit bdb3909a above looks unrelated. Ubuntu used one of CVE-2023-39354's patches:
+ NOTE: Upstream mentioned on #freerdp that the advisory title/summary
+ NOTE: should reference `nsc_rle_decode` instead of `general_LumaToYUV444`.
NOTE: https://github.com/FreeRDP/FreeRDP/commit/9a1ee1bae5a9561f5031a7b69129f10458b62d4a (2.11.0)
CVE-2023-40187 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...)
- freerdp2 <not-affected> (Vulnerable code introduced in 3.0.0-beta1)
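Review bot: the replacement NOTE records the corrected function name but loses the reasoning for dropping commit bdb3909a (the removed lines marked it "looks unrelated", with the salsa snippet 662 as the source); without that, a future triager reading the GHSA advisory may re-add bdb3909a. Suggest keeping one line such as `NOTE: commit bdb3909a referenced in the advisory is unrelated to this issue` and giving the #freerdp statement a date so the IRC source can be located. Also, the removed note spelled the function 'rsc_rle_decode' while the new one says `nsc_rle_decode`; if that is an intentional correction, it is worth a word in the commit message.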
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fb6ecdcdf2e087a134ec90edfa21c17507e85f1