rdesktop 1.5.0 multiple remote vulnerabilities [CVE-2008-1801, -1802, -1803]

Bug #228193 reported by Till Ulen
Affects              Status        Importance  Assigned to       Milestone
rdesktop (Ubuntu)    Fix Released  Undecided   Unassigned
  Dapper             Fix Released  Undecided   Jamie Strandboge
  Feisty             Fix Released  Undecided   Jamie Strandboge
  Gutsy              Fix Released  Undecided   Jamie Strandboge
  Hardy              Fix Released  Undecided   Jamie Strandboge

Bug Description

Binary package hint: rdesktop

* CVE-2008-1801: iso_recv_msg() integer underflow

Description by iDefense:

"Remote exploitation of an integer underflow vulnerability in rdesktop
[...] allows attackers to execute arbitrary code with the privileges of
the logged-in user.

The vulnerability exists within the code responsible for reading in an
RDP request. When reading a request, a 16-bit integer value that
represents the number of bytes that follow is taken from the packet.
This value is then decremented by 4, and used to calculate how many
bytes to read into a heap buffer. The subtraction operation can
underflow, which will then lead to the heap buffer being overflowed."

Addressed in CVS revision 1.20 of iso.c
http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/iso.c?annotate=1.20&diff_format=h&pathrev=HEAD#l101

Original advisory: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=696

* CVE-2008-1802: process_redirect_pdu() BSS overflow vulnerability

Description by iDefense:

"Remote exploitation of a BSS overflow vulnerability in rdesktop [...]
allows attackers to execute arbitrary code with the privileges of the
logged-in user.

The vulnerability exists within the code responsible for reading in an
RDP redirect request. This request is used to redirect an RDP
connection from one server to another. When parsing the redirect
request, the rdesktop client reads several 32-bit integers from the
request packet. These integers are then used to control the number of
bytes read into statically allocated buffers. This results in several
buffers located in the BSS section being overflowed, which can lead to
the execution of arbitrary code."

Addressed in CVS revision 1.102 of rdp.c
http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/rdp.c?annotate=1.102&pathrev=HEAD#l1337

Original advisory: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=697

* CVE-2008-1803: channel_process() integer signedness vulnerability

Description by iDefense:

"Remote exploitation of an integer signedness vulnerability in rdesktop
[...] allows attackers to execute arbitrary code with the privileges of
the logged-in user.

The vulnerability exists within the code responsible for reallocating
dynamic buffers. The rdesktop xrealloc() function uses a signed
comparison to determine if the requested allocation size is less than
1. When this occurs, the function will incorrectly set the allocation
size to be 1. This results in an improperly sized heap buffer being
allocated, which can later be overflowed."

Addressed in CVS revision 1.162 of rdesktop.c
http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/rdesktop.c?view=diff&pathrev=HEAD&r1=text&tr1=1.162&r2=text&tr2=1.118&diff_format=h#l1134

Original advisory: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=698
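
As an added illustration, not rdesktop's code and not taken from the iDefense advisories, the C below shows a hardened reader for each of the three defect classes described in this report: a 16-bit length that is decremented by a header size (the iso_recv_msg() underflow), 32-bit lengths that bound copies into fixed static buffers (the process_redirect_pdu() overflow), and an allocator that clamps a signed size to 1 (the xrealloc() signedness error). The function names, the 4-byte header assumption, the byte order of each field, the 64-byte buffer and the sample packets are constructed for the example; the flawed clamp is included only beside its unsigned replacement so the difference is visible.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: hardened readers for the three defect classes in
 * this report. Not rdesktop's code; field layouts, buffer sizes and
 * function names are assumptions chosen to illustrate the checks. */

#define TPKT_HDR_LEN 4u   /* assumed: the 16-bit length counts a 4-byte header */

/* Class 1 (CVE-2008-1801 pattern): a 16-bit length that includes the header
 * is decremented by the header size to get the payload size. Without the
 * `length < TPKT_HDR_LEN` check, a length of 0..3 wraps to a huge read size.
 * Returns the payload length, or -1 if the packet is malformed. */
int tpkt_payload_len(const uint8_t *pkt, size_t avail)
{
    if (avail < TPKT_HDR_LEN)
        return -1;
    uint16_t length = (uint16_t)((pkt[2] << 8) | pkt[3]);   /* big-endian field */
    if (length < TPKT_HDR_LEN)          /* subtraction would underflow */
        return -1;
    if (length > avail)                 /* claims more than was received */
        return -1;
    return (int)(length - TPKT_HDR_LEN);
}

/* Class 2 (CVE-2008-1802 pattern): a 32-bit length from the packet bounds a
 * copy into a fixed-size static (BSS) buffer. The length is checked against
 * both the destination size and the bytes actually present before copying.
 * Returns 0 and sets *consumed to 4 + len on success, -1 otherwise. */
#define REDIR_FIELD_MAX 64              /* constructed buffer size */
static char redir_field[REDIR_FIELD_MAX];

int read_len_prefixed(const uint8_t *p, size_t avail,
                      char *dst, size_t dst_size, size_t *consumed)
{
    if (avail < 4)
        return -1;
    uint32_t len = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                   ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); /* little-endian */
    if (len >= dst_size)                /* no room for data plus NUL terminator */
        return -1;
    if (len > avail - 4)                /* packet shorter than it claims */
        return -1;
    memcpy(dst, p + 4, len);
    dst[len] = '\0';
    *consumed = 4 + len;
    return 0;
}

/* Class 3 (CVE-2008-1803 pattern): an allocator that takes the size as a
 * signed int and clamps "size < 1" to 1 turns any request above INT_MAX into
 * a 1-byte buffer. Keeping the size unsigned (size_t) removes the wrap; only
 * a genuine zero is rounded up so realloc never returns a NULL that looks
 * like failure. */
size_t clamp_alloc_size_signed(uint32_t requested)   /* the flawed pattern */
{
    int size = (int)requested;          /* values above INT_MAX become negative */
    if (size < 1)
        size = 1;
    return (size_t)size;
}

size_t clamp_alloc_size(size_t requested)            /* hardened pattern */
{
    return requested == 0 ? 1 : requested;
}

void *xrealloc_checked(void *old, size_t requested)
{
    void *mem = realloc(old, clamp_alloc_size(requested));
    if (mem == NULL) {
        fprintf(stderr, "xrealloc: out of memory\n");
        exit(1);
    }
    return mem;
}

int main(void)
{
    /* Constructed sample packets. */
    const uint8_t good[] = {3, 0, 0, 7, 'a', 'b', 'c'};   /* length 7 -> 3 payload bytes */
    const uint8_t bad[]  = {3, 0, 0, 2};                   /* length 2 < header: rejected */
    printf("good payload: %d, bad payload: %d\n",
           tpkt_payload_len(good, sizeof good), tpkt_payload_len(bad, sizeof bad));

    const uint8_t field[] = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    size_t used = 0;
    if (read_len_prefixed(field, sizeof field, redir_field, sizeof redir_field, &used) == 0)
        printf("field '%s' (%zu bytes consumed)\n", redir_field, used);

    printf("flawed clamp of 0xFFFFFFF0: %zu, hardened: %zu\n",
           clamp_alloc_size_signed(0xFFFFFFF0u), clamp_alloc_size(0xFFFFFFF0u));

    char *buf = xrealloc_checked(NULL, 16);
    free(buf);
    return 0;
}
```

Each reader rejects the packet instead of clamping or silently truncating, which is the behaviour a client should have for an untrusted server: a length that does not fit the bytes on hand or the destination buffer is a protocol error, not a value to repair.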

Revision history for this message
Fridtjof Busse (fbusse-deactivatedaccount-deactivatedaccount) wrote :

This bug has been fixed in rdesktop 1.6.0, please bump the version.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rdesktop - 1.6.0-0ubuntu1

---------------
rdesktop (1.6.0-0ubuntu1) intrepid; urgency=low

  * merge new upstream version. LP: #235160
  * new upstream fixes security issues. LP: #228193
  * replace x-dev with libx11-dev in build-depends.
  * build with alsa support. add libasound2-dev and libsamplerate to build
    dependencies. LP: #231997

 -- Reinhard Tartler <email address hidden> Tue, 27 May 2008 23:48:23 +0200

Changed in rdesktop:
status: New → Fix Released
Till Ulen (tillulen) wrote :

What about the releases before Intrepid?

Changed in rdesktop:
status: Fix Released → Fix Committed
Kees Cook (kees)
Changed in rdesktop:
status: Fix Committed → Fix Released
Changed in rdesktop:
assignee: nobody → jdstrand
status: New → Triaged
assignee: nobody → jdstrand
status: New → Triaged
assignee: nobody → jdstrand
status: New → Triaged
assignee: nobody → jdstrand
status: New → Triaged
Changed in rdesktop:
status: Triaged → Fix Committed
status: Triaged → Fix Committed
status: Triaged → Fix Committed
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rdesktop - 1.5.0-3+cvs20071006ubuntu0.1

---------------
rdesktop (1.5.0-3+cvs20071006ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: fix integer overflow in iso.c that could cause denial
    of service or possibly remote code execution
  * SECURITY UPDATE: fix buffer overflow in rdp.c that could allow
    remote code execution via redirect requests
  * SECURITY UPDATE: fix integer signedness error that may allow remote
    code execution via heap-based overflow
  * References
    CVE-2008-1801
    CVE-2008-1802
    CVE-2008-1803
    LP: #228193

 -- Jamie Strandboge <email address hidden> Tue, 16 Sep 2008 18:11:42 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rdesktop - 1.5.0-2ubuntu0.1

---------------
rdesktop (1.5.0-2ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: fix integer overflow in iso.c that could cause denial
    of service or possibly remote code execution
  * SECURITY UPDATE: fix buffer overflow in rdp.c that could allow
    remote code execution via redirect requests
  * SECURITY UPDATE: fix integer signedness error that may allow remote
    code execution via heap-based overflow
  * References
    CVE-2008-1801
    CVE-2008-1802
    CVE-2008-1803
    LP: #228193

 -- Jamie Strandboge <email address hidden> Tue, 16 Sep 2008 18:19:00 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rdesktop - 1.5.0-1ubuntu1.1

---------------
rdesktop (1.5.0-1ubuntu1.1) feisty-security; urgency=low

  * SECURITY UPDATE: fix integer overflow in iso.c that could cause denial
    of service or possibly remote code execution
  * SECURITY UPDATE: fix buffer overflow in rdp.c that could allow
    remote code execution via redirect requests
  * SECURITY UPDATE: fix integer signedness error that may allow remote
    code execution via heap-based overflow
  * References
    CVE-2008-1801
    CVE-2008-1802
    CVE-2008-1803
    LP: #228193

 -- Jamie Strandboge <email address hidden> Wed, 17 Sep 2008 16:00:53 -0500

Changed in rdesktop:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :
Changed in rdesktop:
status: Fix Committed → Fix Released
This report contains Public Security information
Everyone can see this security related information.