bug#27939: FreeRDP CVE-2017-2834 CVE-2017-2835 CVE-2017-2836 CVE-2017-2837 CVE-2017-2838 CVE-2017-2839

[Marius Bakke]

Thomas Danckaert <address@hidden> writes:

> From: Leo Famulari <address@hidden>
> Subject: Re: bug#27939: FreeRDP CVE-2017-2834 CVE-2017-2835 
> CVE-2017-2836 CVE-2017-2837 CVE-2017-2838 CVE-2017-2839
> Date: Fri, 4 Aug 2017 10:56:15 -0400
>
>> On Fri, Aug 04, 2017 at 10:34:55AM +0200, Thomas Danckaert wrote:
>>> Unfortunately, vinagre doesn't build against freerdp 2. I'll try 
>>> to fix
>>> that, or otherwise try to backport the patches to freerdp 1.x.
>>
>> I think it should not be too hard to backport the patches if that's 
>> what
>> we need to do, but I don't have the time this week.
>
> I tried applying the patch for 
> https://github.com/FreeRDP/FreeRDP/commit/03ab68318966c3a22935a02838daaea7b7fbe96c
>  
> to address@hidden, fixed the conflicts, and came up 
> with the attached patch.  I can confirm freerdp1.2beta with this 
> patch compiles and runs, but cannot guarantee this fixes all those 
> issues, because I'm totally unfamiliar with the code (and with rdp) 
> ... is this enough to create a freerdp-1.2 package?
>
> The alternative is to downgrade to address@hidden, or to disable rdp 
> from vinagre.  When I first submitted these packages, I ran into 
> trouble trying to build address@hidden, but I don't remember exactly 
> what the problem was :).

I doubt many users of Guix use RDP, disabling it in Vinagre until it
supports the new version of FreeRDP sounds reasonable to me. Otherwise
we're effectively "forking" FreeRDP, just for Vinagre.

That said, since we have the backported patch already, I'm fine with
either approach. But we should decide soon so Vinagre works again. :-)

The patch looks good to my untrained eyes.

signature.asc
Description: PGP signature