Posted to user@guacamole.apache.org by JonVol <jo...@gmail.com> on 2017/07/24 13:52:28 UTC

Are known security vulnerabilities in FreeRDP relevant to Guacamole?

Hello,

There are currently 4 known vulnerabilities in FreeRDP, some of them with a
high CVSS score (7.0 and above). What they have in common is that they all
affect FreeRDP version 1.0.2. Unfortunately, this seems to be the latest
version of FreeRDP marked as a stable release. I am reluctant to use a later
beta version.
Could someone tell me whether these vulnerabilities are at all relevant to
Guacamole? Do they affect FreeRDP functionality that Guacamole uses?

CVE-2014-0791 – in FreeRDP 1.0.2
Integer overflow in the license_read_scope_list function in
libfreerdp/core/license.c in FreeRDP through 1.0.2 allows remote RDP servers
to cause a denial of service (application crash) or possibly have
unspecified other impact via a large ScopeCount value in a Scope List in a
Server License Request packet.

CVE-2014-0250 – in FreeRDP 1.0.2, 1.0.1, 1.0.0
Multiple integer overflows in client/X11/xf_graphics.c in FreeRDP allow
remote attackers to have an unspecified impact via the width and height to
the (1) xf_Pointer_New or (2) xf_Bitmap_Decompress function, which causes an
incorrect amount of memory to be allocated.

CVE-2013-4119 – in FreeRDP 1.0.2
FreeRDP before 1.1.0-beta+2013071101 allows remote attackers to cause a
denial of service (NULL pointer dereference and application crash) by
disconnecting before authentication has finished.

CVE-2013-4118 – in FreeRDP 1.0.2
FreeRDP before 1.1.0-beta1 allows remote attackers to cause a denial of
service (NULL pointer dereference and application crash) via unspecified
vectors.

Thanks,
JonVol
--
View this message in context: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Are-known-security-vulnerabilities-in-FreeRDP-relevant-to-Guaucamole-tp1388.html
Sent from the Apache Guacamole (incubating) - Users mailing list archive at Nabble.com.
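As an added illustration of the bug class behind CVE-2014-0791 (this is not FreeRDP's code and not part of the original post), the C parser below reads a simplified Scope List and validates the server-supplied ScopeCount against the bytes actually present before it drives an allocation or a loop. The blob layout, the names and the parse_scope_list function are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
/* Assumed simplified Scope List layout (illustration, not FreeRDP's code):
 * uint32 ScopeCount (LE), then ScopeCount blobs of uint16 wBlobType,
 * uint16 wBlobLen and wBlobLen data bytes. */
#define BLOB_HDR 4u
typedef struct { uint16_t type; uint16_t len; const uint8_t *data; } scope_t;
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (uint32_t)le16(p + 2) << 16; }
/* Parses a Scope List from an untrusted server packet. Returns 0 with a
 * calloc'd array in *out (caller frees) and its length in *n, or -1 on any
 * malformed input, leaving no allocation behind. */
int parse_scope_list(const uint8_t *buf, size_t len, scope_t **out, size_t *n)
{
    if (len < 4) return -1;
    uint32_t count = le32(buf);
    size_t off = 4;
    /* The check a hostile ScopeCount must pass: every scope needs at least
     * BLOB_HDR bytes, so count may not exceed remaining bytes / BLOB_HDR. The
     * allocation is then bounded by the packet, not by the server's count. */
    if (count > (len - off) / BLOB_HDR) return -1;
    scope_t *scopes = calloc(count ? count : 1, sizeof *scopes);
    if (!scopes) return -1;
    for (uint32_t i = 0; i < count; i++) {
        if (len - off < BLOB_HDR) goto bad;       /* blob header must fit */
        scopes[i].type = le16(buf + off);
        scopes[i].len  = le16(buf + off + 2);
        off += BLOB_HDR;
        if (scopes[i].len > len - off) goto bad;  /* blob body must fit */
        scopes[i].data = buf + off;
        off += scopes[i].len;
    }
    *out = scopes; *n = count;
    return 0;
bad:
    free(scopes);
    return -1;
}
int main(void)
{   /* Constructed packets: two valid scopes, then ScopeCount = 0xFFFFFFFF. */
    const uint8_t good[] = {2,0,0,0, 0x0e,0,3,0,'a','b','c', 0x0e,0,0,0};
    const uint8_t evil[] = {0xff,0xff,0xff,0xff, 0x0e,0,3,0,'a','b','c'};
    scope_t *s = NULL; size_t n = 0;
    int rc = parse_scope_list(good, sizeof good, &s, &n);
    printf("good -> %d, %zu scopes\n", rc, n); free(s);
    printf("evil -> %d\n", parse_scope_list(evil, sizeof evil, &s, &n));
    return 0;
}
```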