[Xrdp-devel] xrdp - Common Vulnerabilities and Exposures


[Xrdp-devel] xrdp - Common Vulnerabilities and Exposures

Tim Lank
Xrdp development Team,

Please denote whether the following vulnerabilities and exposures are
resolved with the current cvs version (i.e. anything post v0.4.1)....

    .) http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5904
        CVSS v2 Base Score:7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
        buffer overflow

    .) http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5903
        CVSS v2 Base Score:7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
        remote attackers can execute arbitrary code

    .) http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5902
        CVSS v2 Base Score:7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
        buffer overflow

 AV:   Access vector = Network
 AC:  Access Complexity (required attack complexity) = Low
 Au:  Authentication Required to Exploit = none
 C:  Confidentiality Impact = partial
 I:  Integrity Impact = partial
 A:  Availability Impact = partial

Thank you in advance for your assistance.

Tim Lank

_______________________________________________
xrdp-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/xrdp-devel

Re: [Xrdp-devel] xrdp - Common Vulnerabilities and Exposures

jsorg71
Hi Tim,

> Please denote whether the following vulnerabilities and exposures are
> resolved with the current cvs version (i.e. anything post v0.4.1)....
>
>    .) http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5904
>        CVSS v2 Base Score:7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
>        buffer overflow

http://xrdp.cvs.sourceforge.net/viewvc/xrdp/xrdp/rdp/rdp_rdp.c?r1=1.9.2.1&r2=1.9.2.2
Fixed since 0.4.1.

>    .) http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5903
>        CVSS v2 Base Score:7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
>        remote attackers can execute arbitrary code

This function is no longer in funcs.c.  It was moved to xrdp_bitmap.c
and there are checks now for edit_pos boundaries.

>
>    .) http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5902
>        CVSS v2 Base Score:7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
>        buffer overflow

http://xrdp.cvs.sourceforge.net/viewvc/xrdp/xrdp/xrdp/xrdp_bitmap.c?r1=1.43&r2=1.44
Fixed since 0.4.1.

Jay

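Jay's reply says the edit-field code now checks `edit_pos` boundaries. The block below is an added illustration of that kind of check and is not xrdp's code: it models a hypothetical fixed-size text field (`struct edit_field`, `edit_set_pos`, `edit_insert_char`, `edit_backspace` are all assumed names) in which every operation that uses the caret validates it against the current length and the buffer capacity, and refuses the operation instead of writing past the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical edit-field model (illustrative, not taken from xrdp). */
#define EDIT_CAPACITY 32

struct edit_field {
    char text[EDIT_CAPACITY];  /* NUL-terminated contents */
    int len;                   /* characters stored, always < EDIT_CAPACITY */
    int edit_pos;              /* caret position, must stay within 0..len */
};

void edit_init(struct edit_field *e)
{
    memset(e, 0, sizeof(*e));
}

/* Move the caret. A requested position outside [0, len] is rejected. */
int edit_set_pos(struct edit_field *e, int pos)
{
    if (pos < 0 || pos > e->len) {
        return -1;
    }
    e->edit_pos = pos;
    return 0;
}

/* Insert one character at the caret. Both the caret and the remaining
 * capacity (one byte reserved for the terminator) are checked first. */
int edit_insert_char(struct edit_field *e, char c)
{
    if (e->edit_pos < 0 || e->edit_pos > e->len) {
        return -1;  /* invariant broken: refuse rather than write out of bounds */
    }
    if (e->len + 1 >= EDIT_CAPACITY) {
        return -1;  /* no room for another character plus the NUL */
    }
    /* shift the tail (including the NUL) right by one; stays within capacity
     * because len + 1 < EDIT_CAPACITY was verified above */
    memmove(e->text + e->edit_pos + 1, e->text + e->edit_pos,
            (size_t)(e->len - e->edit_pos + 1));
    e->text[e->edit_pos] = c;
    e->len++;
    e->edit_pos++;
    return 0;
}

/* Delete the character before the caret (backspace). Rejected at position 0. */
int edit_backspace(struct edit_field *e)
{
    if (e->edit_pos <= 0 || e->edit_pos > e->len) {
        return -1;
    }
    memmove(e->text + e->edit_pos - 1, e->text + e->edit_pos,
            (size_t)(e->len - e->edit_pos + 1));
    e->len--;
    e->edit_pos--;
    return 0;
}

/* Feed a constructed sequence of caret requests, as an untrusted client might
 * send, into a field holding "abc" and report how many were rejected. */
int edit_demo_rejected(void)
{
    struct edit_field e;
    const int requests[] = { 0, 3, -1, 100, 2 };  /* constructed sample input */
    int rejected = 0;
    const char *p;
    size_t i;

    edit_init(&e);
    for (p = "abc"; *p; p++) {
        edit_insert_char(&e, *p);  /* len becomes 3 */
    }
    for (i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        if (edit_set_pos(&e, requests[i]) != 0) {
            rejected++;
        }
    }
    return rejected;
}

int main(void)
{
    printf("rejected caret requests: %d\n", edit_demo_rejected());
    return 0;
}
```

The point of the pattern is that `edit_pos` is treated as untrusted state: it is validated at the moment it is used, not only when it is set, so a stale or corrupted caret cannot turn a `memmove` into an out-of-bounds write.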