Ubuntu Security Notice USN-646-1
18th September, 2008
rdesktop vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 8.04 LTS
- Ubuntu 7.10
- Ubuntu 7.04
- Ubuntu 6.06 LTS
Software description
- rdesktop
Details
It was discovered that rdesktop did not properly validate the length
of packet headers when processing RDP requests. If a user were tricked
into connecting to a malicious server, an attacker could cause a
denial of service or possible execute arbitrary code with the
privileges of the user. (CVE-2008-1801)
Multiple buffer overflows were discovered in rdesktop when processing
RDP redirect requests. If a user were tricked into connecting to a
malicious server, an attacker could cause a denial of service or
possible execute arbitrary code with the privileges of the user.
(CVE-2008-1802)
It was discovered that rdesktop performed a signed integer comparison
when reallocating dynamic buffers which could result in a heap-based
overflow. If a user were tricked into connecting to a malicious
server, an attacker could cause a denial of service or possible
execute arbitrary code with the privileges of the user.
(CVE-2008-1802)
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 8.04 LTS:
- rdesktop 1.5.0-3+cvs20071006ubuntu0.1
- Ubuntu 7.10:
- rdesktop 1.5.0-2ubuntu0.1
- Ubuntu 7.04:
- rdesktop 1.5.0-1ubuntu1.1
- Ubuntu 6.06 LTS:
- rdesktop 1.4.1-1.1ubuntu0.6.06.1
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system upgrade is sufficient to effect the
necessary changes.