Hi Bernhard,
Thanks for responding.
I took a look at the changelog.
abagarwa@abagarwa-Virtual-Machine:~$ zless
/usr/share/doc/freerdp-x11/changelog.Debian.gz | grep CVE
- debian/patches/CVE-2014-0791.patch: check length in
libfreerdp/core/license.c. (CVE-2014-0791)
+ Add fix for CVE-2017-2834, CVE-2017-2835, CVE-2017-2836,
CVE-2017-2837, CVE-2017-2838, CVE-2017-2839. (Closes: #869880).
- debian/patches/CVE-2014-0791.patch: check length in
- CVE-2014-0791
- debian/patches/CVE-2017-283x.patch: fix issues in
- CVE-2017-2834, CVE-2017-2835, CVE-2017-2836, CVE-2017-2837,
CVE-2017-2838, CVE-2017-2839'
I don't see any patch for c.
Also, looking at the package source, I still see the vulnerability there.
https://salsa.debian.org/debian-remote-team/freerdp-1.1-legacy/blob/master/libfreerdp/core/update.c
I have ported the change from master to the stable-1.1 branch. The changes are
already part of the branch. Can we release a new package for 1.1? (I understand
that might be a tall ask, but CVE-2018-8786 is an RCE vulnerability.)
~Abhishek
-----Original Message-----
From: Bernhard Miklautz <[email protected]>
Sent: Tuesday, May 21, 2019 12:26 AM
To: Abhishek Agarwal <[email protected]>
Cc: [email protected]
Subject: Re: [FreeRDP-devel] Build from stable-1.1 branch
Hi,
On Mon, May 20, 2019 at 11:21:43PM +0000, Abhishek Agarwal via FreeRDP-devel
wrote:
> We have merged PR to the stable-1.1 branch (Thanks admin, for taking a look).
> We want to use this build. I see there is a nightly build concept.
We only have nightly (integration) builds for the master branch.
> I have quick questions around it.
> 1. Is stable-1.1 branch also onboarded to nightly builds?
Nope. Sorry.
> I don't see any "packaging" dir there
> 1. Is there a possibility to push out a new version to the official Debian
> package? The change was a port of a known vulnerability. It will help
> everyone.
As far as I know the issues are already fixed in the upstream Debian 1.1
(freerdp-x11) package. I'd recommend you install the package and have a look
at the Debian changelog `zless /usr/share/doc/freerdp-x11/changelog.Debian.gz`.
You can find the package source on
https://salsa.debian.org/debian-remote-team/freerdp-1.1-legacy
Best regards,
Bernhard
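
Added example (not part of the original thread, and not FreeRDP or Debian code): a shell function that performs the changelog check discussed above for a specific list of CVE ids, rather than reading `grep CVE` output by eye. The names `cve_in_changelog` and `write_sample_changelog` are hypothetical, and the sample changelog is constructed from entries quoted in the thread.

```shell
#!/bin/sh
# Added example: report which CVE ids a Debian changelog records.

# cve_in_changelog FILE CVE-ID...
# Prints "<id> listed" or "<id> missing" for each id. Exit status is 0 only
# if every id is listed, 1 if any is missing, 2 if FILE cannot be read.
cve_in_changelog() (
    changelog=$1
    shift
    # gzip -cdf decompresses .gz input and copies plain text through unchanged.
    text=$(gzip -cdf -- "$changelog" 2>/dev/null) || exit 2
    # Every distinct CVE id mentioned anywhere, including wrapped id lists.
    listed=$(printf '%s\n' "$text" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u)
    status=0
    for id in "$@"; do
        # -x -F: whole-line literal match, so a shorter id never matches a longer one.
        if printf '%s\n' "$listed" | grep -qxF -- "$id"; then
            echo "$id listed"
        else
            echo "$id missing"
            status=1
        fi
    done
    exit "$status"
)

# write_sample_changelog FILE: constructed sample built from the entries
# quoted in the thread (not the real package changelog).
write_sample_changelog() {
    gzip -c > "$1" <<'EOF'
  * debian/patches/CVE-2014-0791.patch: check length in
    libfreerdp/core/license.c. (CVE-2014-0791)
  + Add fix for CVE-2017-2834, CVE-2017-2835, CVE-2017-2836,
    CVE-2017-2837, CVE-2017-2838, CVE-2017-2839. (Closes: #869880).
EOF
}

# Demo on the constructed sample; on a real system pass
# /usr/share/doc/freerdp-x11/changelog.Debian.gz instead.
tmpdir=$(mktemp -d)
write_sample_changelog "$tmpdir/changelog.Debian.gz"
cve_in_changelog "$tmpdir/changelog.Debian.gz" CVE-2017-2834 CVE-2018-8786 ||
    echo "at least one requested CVE is not recorded in the changelog"
rm -rf "$tmpdir"
```

A "missing" result only means the changelog does not record a patch for that id; the package source still has to be checked to confirm whether the fix is present.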