Bug#1105917: freerdp3: CVE-2025-4478
Salvatore Bonaccorso
carnil at debian.org
Thu May 22 20:09:03 BST 2025
Control: reassign -1 src:freerdp3 3.15.0+dfsg-2
Control: retitle -1 freerdp3: CVE-2025-4478
Control: forwarded -1 https://github.com/FreeRDP/FreeRDP/pull/11573
Hi,
On Sat, May 17, 2025 at 11:46:05AM +0200, Salvatore Bonaccorso wrote:
> Source: gnome-remote-desktop
> Version: 48.1-2
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>
> Hi,
>
> The following vulnerability was published for gnome-remote-desktop.
>
> CVE-2025-4478[0]:
> | A flaw was found in the gnome-remote-desktop used by Anaconda's
> | remote install feature, where a crafted RDP packet could trigger a
> | segmentation fault. This issue causes the service to crash and
> | remain defunct, resulting in a denial of service. It occurs pre-boot
> | and is likely due to a NULL pointer dereference. Rebooting is
> | required to recover the system.
>
> I'm not entirely sure about this one, the reference is given to the RH
> Bugzilla to [1] and it might relate to the issues reported in [2]. Do
> you happend to know more about this assignment?
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-4478
> https://www.cve.org/CVERecord?id=CVE-2025-4478
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=2365232
> [2] https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/issues/196
Turns out that is actually an issue in src:freerdp3, reassigning. See
https://bugzilla.redhat.com/show_bug.cgi?id=2365232#c9
Regards,
Salvatore
More information about the pkg-gnome-maintainers
mailing list