Overview

File _patchinfo of Package patchinfo.10461

<patchinfo incident="10461">
  <issue tracker="bnc" id="1117966">VUL-0: CVE-2018-8786: freerdp: Integer Truncation that leads to a Heap-Based Buffer Overflow in function update_read_bitmap_update() and results in a memory corruption and probably even a remot</issue>
  <issue tracker="bnc" id="1117967">VUL-0: CVE-2018-8785: freerdp:  a Heap-Based Buffer Overflow in function zgfx_decompress() that results in a memory corruption and probably even a remote code execution.</issue>
  <issue tracker="bnc" id="1117964">VUL-0: CVE-2018-8787: freerdp:  Integer Overflow that leads to a Heap-Based Buffer Overflow in function gdi_Bitmap_Decompress() and results in a memory corruption and probably even a remote code</issue>
  <issue tracker="bnc" id="1103557">xfreerdp crashes due to double free'd memory</issue>
  <issue tracker="bnc" id="1116708">VUL-0: CVE-2018-8784: freerdp: Heap-Based Buffer Overflow in function zgfx_decompress_segment() that results in a memory corruption and probably even a remote code execution.</issue>
  <issue tracker="bnc" id="1117965">VUL-0: CVE-2018-8789: freerdp:  several Out-Of-Bounds Reads in the NTLM Authentication module that results in a Denial of Service (segfault).</issue>
  <issue tracker="bnc" id="1112028">Remmina does not connect to remote server (works on Mac OS X and with latest Remmina (flatpak)</issue>
  <issue tracker="bnc" id="1085416">FreeRDP/Remmina can not connect to Windows 7-10 with March 2018 updates</issue>
  <issue tracker="bnc" id="1117963">VUL-0: CVE-2018-8788: freerdp:  Out-Of-Bounds Write of up to 4 bytes in function nsc_rle_decode() that results in a memory corruption and possibly even a remote code execution.</issue>
  <issue tracker="bnc" id="1120507">VUL-0: CVE-2018-1000852: freerdp: out of bounds read in drdynvc_process_capability_request</issue>
  <issue tracker="bnc" id="1087240">SLE FreeRDP broken following Windows updates.</issue>
  <issue tracker="bnc" id="1104918">clone bug: SLE12 SP3 PTF for SLE FreeRDP broken following Windows updates.</issue>
  <issue tracker="cve" id="2018-0886"/>
  <issue tracker="cve" id="2018-8788"/>
  <issue tracker="cve" id="2018-8789"/>
  <issue tracker="cve" id="2018-1000852"/>
  <issue tracker="cve" id="2018-8784"/>
  <issue tracker="cve" id="2018-8785"/>
  <issue tracker="cve" id="2018-8786"/>
  <issue tracker="cve" id="2018-8787"/>
  <issue tracker="fate" id="326739"/>
  <category>security</category>
  <rating>important</rating>
  <packager>zhangxiaofei</packager>
  <description>This update for freerdp to version 2.0.0~rc4 fixes the following issues:

Security issues fixed:

- CVE-2018-0886: Fix a remote code execution vulnerability (CredSSP) (bsc#1085416, bsc#1087240, bsc#1104918)
- CVE-2018-8789: Fix several denial of service vulnerabilities in the in the NTLM Authentication module (bsc#1117965)
- CVE-2018-8785: Fix a potential remote code execution vulnerability in the zgfx_decompress function (bsc#1117967)
- CVE-2018-8786: Fix a potential remote code execution vulnerability in the update_read_bitmap_update function (bsc#1117966)
- CVE-2018-8787: Fix a potential remote code execution vulnerability in the gdi_Bitmap_Decompress function (bsc#1117964)
- CVE-2018-8788: Fix a potential remote code execution vulnerability in the nsc_rle_decode function (bsc#1117963)
- CVE-2018-8784: Fix a potential remote code execution vulnerability in the zgfx_decompress_segment function (bsc#1116708)
- CVE-2018-1000852: Fixed a remote memory access in the drdynvc_process_capability_request function (bsc#1120507)

Other issues:

- Upgraded to version 2.0.0-rc4 (FATE#326739)
- Security and stability improvements, including bsc#1103557 and bsc#1112028
- gateway: multiple fixes and improvements
- client/X11: support for rail (remote app) icons was added
- The licensing code was re-worked: Per-device licenses are now saved on the
  client and used on re-connect:        
      WARNING: this is a change in FreeRDP behavior regarding licensing. If the old
      behavior is required, or no licenses should be saved use the
      new command line option +old-license (gh#/FreeRDP/FreeRDP#4979)
- Improved order handling -  only orders that were enable  during capability exchange are accepted.
      WARNING and NOTE: some servers do improperly send orders that weren't negotiated,
      for such cases the new command line option /relax-order-checks was added to
      disable the strict order checking. If connecting to xrdp the options
      /relax-order-checks *and* +glyph-cache are required. (gh#/FreeRDP/FreeRDP#4926)
- Fixed automount issues
- Fixed several audio and microphone related issues
- Fixed X11 Right-Ctrl ungrab feature
- Fixed race condition in rdpsnd channel server.
- Disabled SSE2 for ARM and powerpc
</description>
  <summary>Security update for freerdp</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places