Control: retitle -1 bookworm-pu: package freerdp2/2.11.7+dfsg1-6~deb12u1
Control: tags -1 -moreinfo
Dear Release Team,
Attached is a full source diff.
I'm moving the target version to 2.11.7, as packaged previously as
2.11.7+dfsg1-6 as new CVEs were discovered and fixed with this version.
Compared to 2.10.0+dfsg1-1, the version currently in stable, these CVEs will
be fixed with 2.11.7+dfsg1-6:
CVE-2024-32661 CVE-2024-32660 CVE-2024-32659 CVE-2024-32658
CVE-2024-32460 CVE-2024-32459 CVE-2024-32458 CVE-2024-32041
CVE-2024-32040 CVE-2024-32039 CVE-2024-22211 CVE-2023-40589
CVE-2023-40569 CVE-2023-40188 CVE-2023-40186 CVE-2023-40181
CVE-2023-39356 CVE-2023-39354 CVE-2023-39353 CVE-2023-39352
CVE-2023-39351 CVE-2023-39350
As said in the initial mail:
Backporting the fixes is of course possible, but bears a significant
risk of regression, therefore I would prefer to use the new upstream
version, given also that the upstream changes are only a few and also fix
a few bugs that would be nice to have fixed.
As far as I understood it, the maintainers would also prefer the new
version over patching the one in stable. (They are in CC, so they can
intervene if I got that wrong…)
The version 2.11.7 has been in unstable since 2024-07-15 and in testing
since 2024-10-07, so the new upstream version has seen some testing.
(It has now been removed from unstable in favour of freerdp3, #1090342.)
Looking at the BTS I don't see any reported regressions either.
It seems to me that the 2.x series only gets (significant) bug fixes and
security updates; new features seem to go only into FreeRDP 3.x.
To assess the risks, I did an extensive triage of the changes, looking
at the actual git commits in the version range (this seems to confirm
that 2.x only gets fixes and security updates).
Triaging upstream changes:
2.10.0 -> 2.11.0 is the most significant changeset with 52 commits, see
below.
2.11.x (upstream branch stable-2.0) seems to be focusing on bugfixes and
security fixes. Looking at the upstream changelog [1]:
[1] https://github.com/FreeRDP/FreeRDP/blob/stable-2.0/ChangeLog
I see for
- 2.11.7 [2]: just fixes, including one potential out-of-bounds read.
Should fix CVE-2024-32658 to 60.
- 2.11.6 [3] is targeting CVE-2024-32039 to 41 and CVE-2024-32458 to 60
(out-of-bounds reads, integer overflow) and a bugfix backported from
3.5.0 (upstream PR #10077 [10077], which adds additional input length
checks and fixes an integer overflow).
- 2.11.5 [4]: another integer overflow, preventing a NULL dereference, and a
compatibility fix for newer OpenSSL [4a], with a version guard for
OpenSSL >3, so I guess we want this fix too.
Via security tracker: CVE-2024-22211
- 2.11.4 [5] is an FTBFS fix for 2.11.3, a single important commit.
- 2.11.3 [6] is a version that has more noteworthy changes:
("->" are my comments)
* Disabled windows MEDIA FOUNDATION h264 decoder due to reported
issues (#9469)
-> this is Windows only.
* Fix issues with drive redirection (#9530, #9554, #9586, #9617)
-> bugfix for several error cases when connecting
(upstream issue #9506 explains the context)
* Use endian safe ICU string converter (#9631)
-> fix for an issue observed on big-endian machines, introduced with
2.11.0 (upstream bug #9616)
* Improve AAC support (#9577)
-> bugfix for the AAC encoder, when an ffmpeg conversion yields NaN or
infinity. Details in upstream bug #9576.
* Fix swiss german keyboard layout (#9560)
-> bugfix for not encoding umlauts correctly (details in upstream
bug #9560)
* Enable rfx-mode:image (#9428)
-> bugfix for rfx-mode:image (details in upstream bug #9425)
There seem to be more smaller commits that help to improve
compatibility or avoid race conditions (e.g. message order).
I'd say those are bugfixes. One change is a small feature to
remember the audio volume when reconnecting; I could imagine that could
save a few eardrums :))
- 2.11.2 [7] has two changes, both backported from FreeRDP3:
- more robust OpenSSL certificate hash algorithm detection [7a]
- regression fix for a bug introduced with 2.11.1 (upstream issue #9377)
[7b]
- 2.11.1 [8]: single change, bugfix, see [8a]:
regression fix for CVE-2023-39356
- 2.11.0 [9] is the biggest changeset:
Noteworthy changes:
* Various input validation fixes
* Added various CMake options #9317
-> refactoring of CMakeLists.txt, should not have an effect on the
build results.
* LibreSSL build fixes #8709
-> fix only for LibreSSL. (gated by #if .. #endif)
Fixed issues:
* Backported #9233: Big endian support
-> bugfix
* Backported #9099: Mouse grabbing support
-> PR title: mouse move restrict; seems to be a feature related to mouse
grabbing.
* Backported #6851: wayland scrolling fix
-> bugfix for wayland.
* Backported #8690: Update h264 to use new FFMPEG API
-> adds #if-guards on the FFmpeg version, to use the new h264 API on new
enough ffmpeg (>59.18.100), which is not the case on stable
(LIBAVUTIL_VERSION_MAJOR is 57 on my bookworm VM)
* Backported #7306: early bail from update_read_window_state_order
breaks protocol
-> bugfix.
* Backported #8903: rdpecam/server: Remove wrong assertion
-> bugfix, avoids crash when asserts are enabled.
* Backported #8994: bounds checks for gdi/gfx rectangles
-> bugfix, potential security impact.
* Backported #9023: enforce rdpdr client side state checks
-> bugfix
* Backported #6331: deactivate mouse grabbing by default
-> support command line option "grab-mouse"
* Cherry-pick out of #9172: channels/cliprdr: Fix writing incorrect
PDU type for unlock PDUs
-> bugfix, cherry-picked from FreeRDP3.
According to the security-tracker, 2.11.0 fixes:
CVE-2023-39350 to 54, CVE-2023-39356, CVE-2023-40181, CVE-2023-40186
CVE-2023-40188, CVE-2023-40567, CVE-2023-40569, CVE-2023-40589
[2] https://github.com/FreeRDP/FreeRDP/compare/2.11.6...2.11.7
[3] https://github.com/FreeRDP/FreeRDP/compare/2.11.5...2.11.6
[4] https://github.com/FreeRDP/FreeRDP/compare/2.11.4...2.11.5
[4a] https://github.com/FreeRDP/FreeRDP/commit/d3f62748c6662ce03
[5] https://github.com/FreeRDP/FreeRDP/compare/2.11.3...2.11.4
namely: https://github.com/FreeRDP/FreeRDP/commit/52663d581cb
[6] https://github.com/FreeRDP/FreeRDP/compare/2.11.2...2.11.3
[7] https://github.com/FreeRDP/FreeRDP/compare/2.11.1...2.11.2
[7a] https://github.com/FreeRDP/FreeRDP/commit/e93433fb21231db
[7b] https://github.com/FreeRDP/FreeRDP/commit/0472543b019d01280
[8] https://github.com/FreeRDP/FreeRDP/compare/2.11.0...2.11.1
[8a] https://github.com/FreeRDP/FreeRDP/commit/23db2f4e6ba71f1c1
[9] https://github.com/FreeRDP/FreeRDP/compare/2.10.0...2.11.0
[10077] https://github.com/FreeRDP/FreeRDP/pull/10077/commits
Debian packaging changes:
The proposed packaging is based on the last version from testing,
2.11.7+dfsg1-6, but reverts the changes for:
- t64 changes
- turning off Kerberos support, as it was not available in bookworm
either.
- using pkg-config instead of pkgconf, as the current bookworm package
does.
- not applying the ffmpeg7 compatibility patch, as it's not needed for
bookworm.
A diff generated by "git diff debian/2.11.7+dfsg1-6" is attached as
"freerdp2-debian.diff" to show the changes compared to said testing
version. (The git repo is at [10], branch "debian/bookworm-WIP-tobi".)
[10] https://salsa.debian.org/lts-team/packages/freerdp2
Compared to upstream 2.11.7, there are some additional patches
in the Debian package to fix some FTBFS due to type mismatches.
They could theoretically be dropped, but do no harm either.
Testing:
I've tested the package against a Windows 10 VM, both as RDP client and
server, using GNOME's RDP facility, also testing with remmina and
vinagre, and the testing I've done so far did not show any regressions.
Cheers,
tobi