USN-646-1: rdesktop vulnerabilities

18 September 2008

rdesktop vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 8.04 LTS
  • Ubuntu 7.10
  • Ubuntu 7.04
  • Ubuntu 6.06 LTS

Software Description

  • rdesktop

Details

It was discovered that rdesktop did not properly validate the length of packet headers when processing RDP requests. If a user were tricked into connecting to a malicious server, an attacker could cause a denial of service or possible execute arbitrary code with the privileges of the user. (CVE-2008-1801)

Multiple buffer overflows were discovered in rdesktop when processing RDP redirect requests. If a user were tricked into connecting to a malicious server, an attacker could cause a denial of service or possible execute arbitrary code with the privileges of the user. (CVE-2008-1802)

It was discovered that rdesktop performed a signed integer comparison when reallocating dynamic buffers which could result in a heap-based overflow. If a user were tricked into connecting to a malicious server, an attacker could cause a denial of service or possible execute arbitrary code with the privileges of the user. (CVE-2008-1802)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 8.04 LTS
rdesktop - 1.5.0-3+cvs20071006ubuntu0.1
Ubuntu 7.10
rdesktop - 1.5.0-2ubuntu0.1
Ubuntu 7.04
rdesktop - 1.5.0-1ubuntu1.1
Ubuntu 6.06 LTS
rdesktop - 1.4.1-1.1ubuntu0.6.06.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the necessary changes.

References