GNU bug report logs - #27939
FreeRDP CVE-2017-2834 CVE-2017-2835 CVE-2017-2836 CVE-2017-2837 CVE-2017-2838 CVE-2017-2839


Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Thu, 3 Aug 2017 22:07:01 UTC

Severity: normal

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.



Message #22 received at 27939-done <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Thomas Danckaert <post <at> thomasdanckaert.be>, leo <at> famulari.name
Cc: 27939-done <at> debbugs.gnu.org
Subject: Re: bug#27939: FreeRDP CVE-2017-2834 CVE-2017-2835 CVE-2017-2836
 CVE-2017-2837 CVE-2017-2838 CVE-2017-2839
Date: Wed, 09 Aug 2017 23:34:27 +0200
Thomas Danckaert <post <at> thomasdanckaert.be> writes:

> From: Leo Famulari <leo <at> famulari.name>
> Subject: Re: bug#27939: FreeRDP CVE-2017-2834 CVE-2017-2835 
> CVE-2017-2836 CVE-2017-2837 CVE-2017-2838 CVE-2017-2839
> Date: Fri, 4 Aug 2017 10:56:15 -0400
>
>> On Fri, Aug 04, 2017 at 10:34:55AM +0200, Thomas Danckaert wrote:
>>> Unfortunately, vinagre doesn't build against freerdp 2. I'll try to fix
>>> that, or otherwise try to backport the patches to freerdp 1.x.
>>
>> I think it should not be too hard to backport the patches if that's what
>> we need to do, but I don't have the time this week.
>
> I tried applying the patch for
> https://github.com/FreeRDP/FreeRDP/commit/03ab68318966c3a22935a02838daaea7b7fbe96c
> to freerdp@1.2.0-beta1+android9, fixed the conflicts, and came up
> with the attached patch.  I can confirm freerdp1.2beta with this
> patch compiles and runs, but cannot guarantee this fixes all those
> issues, because I'm totally unfamiliar with the code (and with rdp)
> ... is this enough to create a freerdp-1.2 package?
>
> The alternative is to downgrade to freerdp@1.1, or to disable rdp
> from vinagre.  When I first submitted these packages, I ran into
> trouble trying to build freerdp@1.1, but I don't remember exactly
> what the problem was :).

I doubt many users of Guix use RDP; disabling it in Vinagre until it
supports the new version of FreeRDP sounds reasonable to me. Otherwise
we're effectively "forking" FreeRDP, just for Vinagre.

That said, since we have the backported patch already, I'm fine with
either approach. But we should decide soon so Vinagre works again. :-)

The patch looks good to my untrained eyes.

This bug report was last modified 7 years and 338 days ago.
