[Git][security-tracker-team/security-tracker][master] CVE-2023-39354,CVE-2023-40188: clarify context and commits

Sylvain Beucler (@beuc) beuc at debian.org
Mon Jan 15 16:50:50 GMT 2024


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8fb6ecdc by Sylvain Beucler at 2024-01-15T17:50:28+01:00
CVE-2023-39354,CVE-2023-40188: clarify context and commits

DLA-3606-1 incorporated the 2 patches, no changes.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -23305,7 +23305,6 @@ CVE-2023-39354 (FreeRDP is a free implementation of the Remote Desktop Protocol
 	[bullseye] - freerdp2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c3r2-pxxp-f8r6
 	NOTE: https://github.com/FreeRDP/FreeRDP/commit/82ac0164f330c08ddd9a6ef6f3dbf846c4b79def (2.11.0)
-	NOTE: https://github.com/FreeRDP/FreeRDP/commit/9a1ee1bae5a9561f5031a7b69129f10458b62d4a (2.11.0)
 CVE-2023-39353 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...)
 	{DLA-3606-1}
 	- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
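Review bot: dropping 9a1ee1ba from the CVE-2023-39354 entry leaves no trace of why it went, while the commit message says DLA-3606-1 incorporated both patches; a one-line cross-reference such as `NOTE: 9a1ee1ba is tracked under CVE-2023-40188` would let anyone reconciling the DLA against this list see that the second patch was moved rather than dropped.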
@@ -23542,11 +23541,8 @@ CVE-2023-40188 (FreeRDP is a free implementation of the Remote Desktop Protocol
 	[bookworm] - freerdp2 <no-dsa> (Minor issue)
 	[bullseye] - freerdp2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9w28-wwj5-p4xq
-	NOTE: Upstream reported the following fix through https://salsa.debian.org/-/snippets/662:
-	NOTE: https://github.com/FreeRDP/FreeRDP/commit/bdb3909a7713fb0b3d94c9676fe44d19de80eb4b (2.11.0)
-	NOTE: But, the advisory is inconsistent: it references 'general_LumaToYUV444' and 'in', while the code
-	NOTE: excerpt and stack trace (which is strikingly similar to CVE-2023-39354) are focused on 'rsc_rle_decode'.
-	NOTE: The commit bdb3909a above looks unrelated. Ubuntu used one of CVE-2023-39354's patches:
+	NOTE: Upstream mentioned on #freerdp that the advisory title/summary
+	NOTE: should reference `nsc_rle_decode` instead of `general_LumaToYUV444`.
 	NOTE: https://github.com/FreeRDP/FreeRDP/commit/9a1ee1bae5a9561f5031a7b69129f10458b62d4a (2.11.0)
 CVE-2023-40187 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...)
 	- freerdp2 <not-affected> (Vulnerable code introduced in 3.0.0-beta1)
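Review bot: the replacement NOTE loses the record that commit bdb3909a (proposed upstream via https://salsa.debian.org/-/snippets/662) was examined and judged unrelated to this CVE, so a later triager may re-add it as the fix; consider keeping one line, e.g. `NOTE: bdb3909a (from https://salsa.debian.org/-/snippets/662) is unrelated`. The only source for the corrected function name is an IRC remark on #freerdp, so adding the date of that exchange would make the claim checkable later; note too that the new lines spell it `nsc_rle_decode` where the removed lines had 'rsc_rle_decode', which looks deliberate but is worth stating explicitly since the retained 9a1ee1ba commit is now the sole fix reference.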



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fb6ecdcdf2e087a134ec90edfa21c17507e85f1




