Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
Hi Moritz, On Wednesday, 12 December 2018, Moritz Mühlenhoff wrote: > On Wed, Dec 12, 2018 at 03:46:10PM +, Mike Gabriel wrote: > > Hi Moritz, > > > > On Di 11 Dez 2018 22:15:33 CET, Moritz Mühlenhoff wrote: > > > > > On Tue, Dec 11, 2018 at 04:42:17PM +, Mike Gabriel wrote: > > > > From my understanding the potential remote code executions that are > > > > mentioned in the CVE descriptions are triggered by a malign server and > > > > the > > > > code executions then happen on the client side. > > > > > > Thanks for background. > > > > > > Security issues only triggerable by a malicious RDP server are > > > low impact, a malicious RDP server can mess with you in so many > > > ways that client-side execution doesn't make a big difference. > > > > > > This is certainly not something that would warrant an upgrade to > > > freerdp2 in a stable release, but if patches for 1.1 materialise > > > they could be shipped via a point update. > > > > > > Cheers, > > > Moritz > > > > I will then look into patch backporting for LTS and upload them to stretch, > > too, once I have got them worked out. > > Ubuntu released an update earlier the day which also covered the 1.x > versions, BTW. > Nice! That will ease my day... Mike -- Sent from my Jolla
Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
On Wed, Dec 12, 2018 at 03:46:10PM +, Mike Gabriel wrote: > Hi Moritz, > > On Di 11 Dez 2018 22:15:33 CET, Moritz Mühlenhoff wrote: > > > On Tue, Dec 11, 2018 at 04:42:17PM +, Mike Gabriel wrote: > > > From my understanding the potential remote code executions that are > > > mentioned in the CVE descriptions are triggered by a malign server and the > > > code executions then happen on the client side. > > > > Thanks for background. > > > > Security issues only triggerable by a malicious RDP server are > > low impact, a malicious RDP server can mess with you in so many > > ways that client-side execution doesn't make a big difference. > > > > This is certainly not something that would warrant an upgrade to > > freerdp2 in a stable release, but if patches for 1.1 materialise > > they could be shipped via a point update. > > > > Cheers, > > Moritz > > I will then look into patch backporting for LTS and upload them to stretch, > too, once I have got them worked out. Ubuntu released an update earlier the day which also covered the 1.x versions, BTW. Cheers, Moritz
Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
Hi Moritz, On Di 11 Dez 2018 22:15:33 CET, Moritz Mühlenhoff wrote: On Tue, Dec 11, 2018 at 04:42:17PM +, Mike Gabriel wrote: From my understanding the potential remote code executions that are mentioned in the CVE descriptions are triggered by a malign server and the code executions then happen on the client side. Thanks for background. Security issues only triggerable by a malicious RDP server are low impact, a malicious RDP server can mess with you in so many ways that client-side execution doesn't make a big difference. This is certainly not something that would warrant an upgrade to freerdp2 in a stable release, but if patches for 1.1 materialise they could be shipped via a point update. Cheers, Moritz I will then look into patch backporting for LTS and upload them to stretch, too, once I have got them worked out. Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby mobile: +49 (1520) 1976 148 landline: +49 (4354) 8390 139 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de pgpoVU8C0pNsg.pgp Description: Digitale PGP-Signatur
Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
On 2018-12-11 22:15, Moritz Mühlenhoff wrote: On Tue, Dec 11, 2018 at 04:42:17PM +, Mike Gabriel wrote: From my understanding the potential remote code executions that are mentioned in the CVE descriptions are triggered by a malign server and the code executions then happen on the client side. Thanks for background. Security issues only triggerable by a malicious RDP server are low impact, a malicious RDP server can mess with you in so many ways that client-side execution doesn't make a big difference. That rhetoric is dangerous and false. What's next, vulnerabilities in Apache or Nginx that can trigger client-side vulnerabilities in Firefox are irrelevant, because …? -- Cheers, Jan
Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
On Tue, Dec 11, 2018 at 04:42:17PM +, Mike Gabriel wrote: > From my understanding the potential remote code executions that are > mentioned in the CVE descriptions are triggered by a malign server and the > code executions then happen on the client side. Thanks for background. Security issues only triggerable by a malicious RDP server are low impact, a malicious RDP server can mess with you in so many ways that client-side execution doesn't make a big difference. This is certainly not something that would warrant an upgrade to freerdp2 in a stable release, but if patches for 1.1 materialise they could be shipped via a point update. Cheers, Moritz
Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
Gah. Forgot to fix the CC here as well, sorry for the noise. On 2018-12-11 10:05:53, Antoine Beaupré wrote: > On 2018-12-10 17:44:51, Mike Gabriel wrote: >> Hi, >> >> I'd like to discuss the possible pathways for getting FreeRDP fixed in >> Debian jessie LTS (and Debian stretch, too). >> >> Last week I talked to Bernhard Miklautz (one of the FreeRDP upsteam >> maintainers and the actual packager of FreeRDPv2 in Debian). >> >> 1. Looking at fixing FreeRDP v1.1 in jessie / stretch >> - >> >> He sketched up the following pathway for getting freerdp (v1.1) fixed >> in Debian jessie (and stretch): >> >>* Backport https://github.com/FreeRDP/FreeRDP/pull/4499 >> -> required for FreeRDP in jessie/stretch to be able to connect >> to current RDP servers >> (not a security issue, but a functionality issue due to >> Microsoft updates rolled out >> during Q1 / 2018). >> -> estimated effort: 1-2h >> >>* CVE-2018-8785: not needed for jessie / stretch (code not present) >> >>* CVE-2018-8786, >> CVE-2018-8789: estimated hours for all three: 1-2h >> >>* CVE-2018-8787: estimated hours: 1-2h >>* CVE-2018-8788: can be become quite an effort, estimated time: 2h++ >> >>* CVE-2018-8784: not needed for jessie / stretch (code not present) >> >> >> While this sounds nice and feasible the underlying tone of investing >> so much work into FreeRDP v1.1 was a different one. >> >> E.g. the fix for CVE-2018-8789 should be quick and simple. But the >> surrounding code is buggy to a great extent, too. >> >> There have been so many stabilizing code fixes over the past 1-2 years. >> >> >> 2. Backporting FreeRDP v2 from buster to jessie and stretch >> >> >> Another approach, with a more stable and usable result is backporting >> FreeRDP v2 to jessie and stretch right away. >> >> Most people (I hope) are using freerdp2-x11 from stretch-backports >> (plus remmina from stretch-bpo) on Debian stable these days (freerdp >> 1.1 in stretch is broken with Windows RDP servers that are up-to-date >> with their patch levels). >> >> libfreerdp-client1.1 >>Reverse Depends: freerdp-x11 (>= >> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1) >>Reverse Depends: libfreerdp-dbg (= >> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1) >>Reverse Depends: libfreerdp-dev (= >> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1) >>Reverse Depends: libguac-client-rdp0 (>= 0.8.3-1+b2) >>Reverse Depends: libxfreerdp-client1.1 (>= >> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1) >>Reverse Depends: remmina-plugin-rdp (>= 1.1.1-2) >>Reverse Depends: vlc (>= 2.2.7-1~deb8u1) >> freerdp-x11 >>Reverse Depends: freerdp-x11-dbg (= >> 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1) >>Reverse Depends: ltsp-client (5.5.4-4) >> >> So the plan could be this: >> >>- rebuild freerdp (v1.1) as a shared libs package only, drop >> freerdp-x11 (which >> contains the command line tool) >> >>- backport freerdp2 from Debian unstable to jessie/stretch >>- backport remmina from Debian unstable to jessie/stretch >>- rebuild vlc in jessie (and possibly stretch, too) without RDP support >>- ltsp-client: adapt command line syntax to new FreeRDP2 cli style > > That sounds like a large change, especially about dropping RDP support > from VLC... Do we have any idea about how VLC uses RDP and how many of > our users expect that to work in the first place? How about changes in > remmima? > >>- libguac-client-rdp0: leave as is... Guacamole upstream still believes in >> FreeRDP v1.1 shared lib API... > > "Believes"? I don't understand this point... > >> Summary >> --- >> >> Before going any deeper into this, I'd love to get some feedback from >> the LTS and the security team about the proposed strategies. Are there >> other possible pathways to go? If so, please share yours. >> >> The FreeRDP v1.1 backporting work (8-10 hours) would have to be >> outsourced to ThinCast in Austria (where most FreeRDP upstream devs >> work these days). > > I don't know of any other pathways, but from what I understand we have > some extra hours to spare, so we could allow ourselves such an expense > to keep jessie ... "stable". :) > > A. > -- > Dans vos mensonges de pierre > Vous gaspillez le soleil > - Gilles Vigneault -- Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. - Brian W. Kernighan
Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
Hi Moritz, On Mo 10 Dez 2018 22:30:34 CET, Moritz Mühlenhoff wrote: On Mon, Dec 10, 2018 at 05:44:51PM +, Mike Gabriel wrote: Hi, I'd like to discuss the possible pathways for getting FreeRDP fixed in Debian jessie LTS (and Debian stretch, too). debian-security@ldo is not the proper contact address, I've fixed the recipient list. Ok. Thanks. Last week I talked to Bernhard Miklautz (one of the FreeRDP upsteam maintainers and the actual packager of FreeRDPv2 in Debian). 1. Looking at fixing FreeRDP v1.1 in jessie / stretch - He sketched up the following pathway for getting freerdp (v1.1) fixed in Debian jessie (and stretch): What is the impact/scope of the individual issues? The individual commit messages are quite scarce. Are these exploitable by the server or a connecting client or vice versa? First of all, FreeRDP in jessie/stretch never built the FreeRDP Server code as it was to immature at that time. So, let's assume that FreeRDP in jessie/stretch only acts as a client against a malign server. * CVE-2018-8786: client affected, if a malign server sends over a malign bitmap * CVE-2018-8789: unclear to me, issue in WinPR (which is the FreeRDP toolbox, sloppily spoken, immitating Windows API) * CVE-2018-8787: client affected, if a malign server sends over a malign bitmap * CVE-2018-8788: client affected, if a malign server uses NScoded and sends over a malign bitmap From my understanding the potential remote code executions that are mentioned in the CVE descriptions are triggered by a malign server and the code executions then happen on the client side. I have Cc:ed Bernhard so that he can negate or confirm my above estimations (as I am not an expert for FreeRDP upstream code). Thanks+Greets, Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby mobile: +49 (1520) 1976 148 landline: +49 (4354) 8390 139 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de pgpvJneVsGWQl.pgp Description: Digitale PGP-Signatur
Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
On 2018-12-10 17:44:51, Mike Gabriel wrote: > Hi, > > I'd like to discuss the possible pathways for getting FreeRDP fixed in > Debian jessie LTS (and Debian stretch, too). > > Last week I talked to Bernhard Miklautz (one of the FreeRDP upsteam > maintainers and the actual packager of FreeRDPv2 in Debian). > > 1. Looking at fixing FreeRDP v1.1 in jessie / stretch > - > > He sketched up the following pathway for getting freerdp (v1.1) fixed > in Debian jessie (and stretch): > >* Backport https://github.com/FreeRDP/FreeRDP/pull/4499 > -> required for FreeRDP in jessie/stretch to be able to connect > to current RDP servers > (not a security issue, but a functionality issue due to > Microsoft updates rolled out > during Q1 / 2018). > -> estimated effort: 1-2h > >* CVE-2018-8785: not needed for jessie / stretch (code not present) > >* CVE-2018-8786, > CVE-2018-8789: estimated hours for all three: 1-2h > >* CVE-2018-8787: estimated hours: 1-2h >* CVE-2018-8788: can be become quite an effort, estimated time: 2h++ > >* CVE-2018-8784: not needed for jessie / stretch (code not present) > > > While this sounds nice and feasible the underlying tone of investing > so much work into FreeRDP v1.1 was a different one. > > E.g. the fix for CVE-2018-8789 should be quick and simple. But the > surrounding code is buggy to a great extent, too. > > There have been so many stabilizing code fixes over the past 1-2 years. > > > 2. Backporting FreeRDP v2 from buster to jessie and stretch > > > Another approach, with a more stable and usable result is backporting > FreeRDP v2 to jessie and stretch right away. > > Most people (I hope) are using freerdp2-x11 from stretch-backports > (plus remmina from stretch-bpo) on Debian stable these days (freerdp > 1.1 in stretch is broken with Windows RDP servers that are up-to-date > with their patch levels). > > libfreerdp-client1.1 >Reverse Depends: freerdp-x11 (>= > 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1) >Reverse Depends: libfreerdp-dbg (= > 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1) >Reverse Depends: libfreerdp-dev (= > 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1) >Reverse Depends: libguac-client-rdp0 (>= 0.8.3-1+b2) >Reverse Depends: libxfreerdp-client1.1 (>= > 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1) >Reverse Depends: remmina-plugin-rdp (>= 1.1.1-2) >Reverse Depends: vlc (>= 2.2.7-1~deb8u1) > freerdp-x11 >Reverse Depends: freerdp-x11-dbg (= > 1.1.0~git20140921.1.440916e+dfsg1-4+deb8u1) >Reverse Depends: ltsp-client (5.5.4-4) > > So the plan could be this: > >- rebuild freerdp (v1.1) as a shared libs package only, drop > freerdp-x11 (which > contains the command line tool) > >- backport freerdp2 from Debian unstable to jessie/stretch >- backport remmina from Debian unstable to jessie/stretch >- rebuild vlc in jessie (and possibly stretch, too) without RDP support >- ltsp-client: adapt command line syntax to new FreeRDP2 cli style That sounds like a large change, especially about dropping RDP support from VLC... Do we have any idea about how VLC uses RDP and how many of our users expect that to work in the first place? How about changes in remmima? >- libguac-client-rdp0: leave as is... Guacamole upstream still believes in > FreeRDP v1.1 shared lib API... "Believes"? I don't understand this point... > Summary > --- > > Before going any deeper into this, I'd love to get some feedback from > the LTS and the security team about the proposed strategies. Are there > other possible pathways to go? If so, please share yours. > > The FreeRDP v1.1 backporting work (8-10 hours) would have to be > outsourced to ThinCast in Austria (where most FreeRDP upstream devs > work these days). I don't know of any other pathways, but from what I understand we have some extra hours to spare, so we could allow ourselves such an expense to keep jessie ... "stable". :) A. -- Dans vos mensonges de pierre Vous gaspillez le soleil - Gilles Vigneault
Re: Addressing FreeRDP security issues in Debian jessie (and stretch)
On Mon, Dec 10, 2018 at 05:44:51PM +, Mike Gabriel wrote: > Hi, > > I'd like to discuss the possible pathways for getting FreeRDP fixed in > Debian jessie LTS (and Debian stretch, too). debian-security@ldo is not the proper contact address, I've fixed the recipient list. > Last week I talked to Bernhard Miklautz (one of the FreeRDP upsteam > maintainers and the actual packager of FreeRDPv2 in Debian). > > 1. Looking at fixing FreeRDP v1.1 in jessie / stretch > - > > He sketched up the following pathway for getting freerdp (v1.1) fixed in > Debian jessie (and stretch): What is the impact/scope of the individual issues? The individual commit messages are quite scarce. Are these exploitable by the server or a connecting client or vice versa? Cheers, Moritz
