freerdp2: CVE-2023-39350 CVE-2023-39351 CVE-2023-39352 CVE-2023-39353 CVE-2023-39354 CVE-2023-39355 CVE-2023-39356 CVE-2023-40181 CVE-2023-40186 CVE-2023-40188 CVE-2023-40567 CVE-2023-40569 CVE-2023-40589

Debian Bug report logs - #1051638

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 10 Sep 2023 20:09:02 UTC

Severity: important

Tags: security, upstream

Found in versions freerdp2/2.10.0+dfsg1-1.1, freerdp2/2.10.0+dfsg1-1



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Remote Maintainers <debian-remote@lists.debian.org>:
Bug#1051638; Package src:freerdp2. (Sun, 10 Sep 2023 20:09:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Remote Maintainers <debian-remote@lists.debian.org>. (Sun, 10 Sep 2023 20:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: freerdp2: CVE-2023-39350 CVE-2023-39351 CVE-2023-39352 CVE-2023-39353 CVE-2023-39354 CVE-2023-39355 CVE-2023-39356 CVE-2023-40181 CVE-2023-40186 CVE-2023-40188 CVE-2023-40567 CVE-2023-40569 CVE-2023-40589
Date: Sun, 10 Sep 2023 22:05:39 +0200
Source: freerdp2
Version: 2.10.0+dfsg1-1.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.10.0+dfsg1-1

Hi,

The following vulnerabilities were published for freerdp2.

CVE-2023-39350[0]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. This issue affects Clients
| only. Integer underflow leading to DOS (e.g. abort due to
| `WINPR_ASSERT` with default compilation flags). When an insufficient
| blockLen is provided, and proper length validation is not performed,
| an Integer Underflow occurs, leading to a Denial of Service (DOS)
| vulnerability. This issue has been addressed in versions 2.11.0 and
| 3.0.0-beta3. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.


CVE-2023-39351[1]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions of
| FreeRDP are subject to a Null Pointer Dereference leading to a crash
| in the RemoteFX (rfx) handling. Inside the
| `rfx_process_message_tileset` function, the program allocates tiles
| using `rfx_allocate_tiles` for the number of numTiles. If the
| initialization process of tiles is not completed for various
| reasons, tiles will have a NULL pointer, which may be accessed in
| further processing and would cause a program crash. This issue has
| been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised
| to upgrade. There are no known workarounds for this vulnerability.


CVE-2023-39352[2]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an invalid offset validation leading to Out Of Bound
| Write. This can be triggered when the values `rect->left` and
| `rect->top` are exactly equal to `surface->width` and
| `surface->height`, e.g. `rect->left == surface->width &&
| rect->top == surface->height`. In practice this should cause a
| crash. This issue has been addressed in versions 2.11.0 and
| 3.0.0-beta3. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.


CVE-2023-39353[3]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to a missing offset validation leading to Out Of Bound Read.
| In the `libfreerdp/codec/rfx.c` file there is no offset validation
| in `tile->quantIdxY`, `tile->quantIdxCb`, and `tile->quantIdxCr`. As
| a result crafted input can lead to an out of bounds read access
| which in turn will cause a crash. This issue has been addressed in
| versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There
| are no known workarounds for this vulnerability.


CVE-2023-39354[4]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an Out-Of-Bounds Read in the `nsc_rle_decompress_data`
| function. The Out-Of-Bounds Read occurs because it processes
| `context->Planes` without checking if it contains data of
| sufficient length. Should an attacker be able to leverage this
| vulnerability they may be able to cause a crash. This issue has been
| addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.


CVE-2023-39355[5]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Versions of FreeRDP on the
| 3.x release branch before beta3 are subject to a Use-After-Free in
| processing `RDPGFX_CMDID_RESETGRAPHICS` packets. If
| `context->maxPlaneSize` is 0, `context->planesBuffer` will be freed.
| However, without updating `context->planesBuffer`, this leads to a
| Use-After-Free exploit vector. In most environments this should only
| result in a crash. This issue has been addressed in version
| 3.0.0-beta3 and users of the beta 3.x releases are advised to
| upgrade. There are no known workarounds for this vulnerability.


CVE-2023-39356[6]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. In affected versions a
| missing offset validation may lead to an Out Of Bound Read in the
| function `gdi_multi_opaque_rect`. In particular there is no code to
| validate if the value `multi_opaque_rect->numRectangles` is less
| than 45. Looping through `multi_opaque_rect->numRectangles` without
| proper boundary checks can lead to Out-of-Bounds Read errors which
| will likely lead to a crash. This issue has been addressed in
| versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There
| are no known workarounds for this vulnerability.


CVE-2023-40181[7]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an Integer-Underflow leading to Out-Of-Bound Read in the
| `zgfx_decompress_segment` function. In the context of `CopyMemory`,
| it's possible to read data beyond the transmitted packet range and
| likely cause a crash. This issue has been addressed in versions
| 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no
| known workarounds for this issue.


CVE-2023-40186[8]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an Integer Overflow leading to Out-Of-Bound Write
| Vulnerability in the `gdi_CreateSurface` function. This issue
| affects FreeRDP based clients only. FreeRDP proxies are not affected
| as image decoding is not done by a proxy. This issue has been
| addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to
| upgrade. There are no known workarounds for this issue.


CVE-2023-40188[9]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an Out-Of-Bounds Read in the `general_LumaToYUV444`
| function. This Out-Of-Bounds Read occurs because processing is done
| on the `in` variable without checking if it contains data of
| sufficient length. Insufficient data for the `in` variable may cause
| errors or crashes. This issue has been addressed in versions 2.11.0
| and 3.0.0-beta3. Users are advised to upgrade. There are no known
| workarounds for this issue.


CVE-2023-40567[10]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an Out-Of-Bounds Write in the
| `clear_decompress_bands_data` function in which there is no offset
| validation. Abuse of this vulnerability may lead to an out of bounds
| write. This issue has been addressed in versions 2.11.0 and
| 3.0.0-beta3. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.


CVE-2023-40569[11]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an Out-Of-Bounds Write in the `progressive_decompress`
| function. This issue is likely down to incorrect calculations of the
| `nXSrc` and `nYSrc` variables. This issue has been addressed in
| versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There
| are no known workarounds for this vulnerability.


CVE-2023-40589[12]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. In affected versions there
| is a Global-Buffer-Overflow in the ncrush_decompress function.
| Feeding crafted input into this function can trigger the overflow
| which has only been shown to cause a crash. This issue has been
| addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to
| upgrade. There are no known workarounds for this issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-39350
    https://www.cve.org/CVERecord?id=CVE-2023-39350
[1] https://security-tracker.debian.org/tracker/CVE-2023-39351
    https://www.cve.org/CVERecord?id=CVE-2023-39351
[2] https://security-tracker.debian.org/tracker/CVE-2023-39352
    https://www.cve.org/CVERecord?id=CVE-2023-39352
[3] https://security-tracker.debian.org/tracker/CVE-2023-39353
    https://www.cve.org/CVERecord?id=CVE-2023-39353
[4] https://security-tracker.debian.org/tracker/CVE-2023-39354
    https://www.cve.org/CVERecord?id=CVE-2023-39354
[5] https://security-tracker.debian.org/tracker/CVE-2023-39355
    https://www.cve.org/CVERecord?id=CVE-2023-39355
[6] https://security-tracker.debian.org/tracker/CVE-2023-39356
    https://www.cve.org/CVERecord?id=CVE-2023-39356
[7] https://security-tracker.debian.org/tracker/CVE-2023-40181
    https://www.cve.org/CVERecord?id=CVE-2023-40181
[8] https://security-tracker.debian.org/tracker/CVE-2023-40186
    https://www.cve.org/CVERecord?id=CVE-2023-40186
[9] https://security-tracker.debian.org/tracker/CVE-2023-40188
    https://www.cve.org/CVERecord?id=CVE-2023-40188
[10] https://security-tracker.debian.org/tracker/CVE-2023-40567
    https://www.cve.org/CVERecord?id=CVE-2023-40567
[11] https://security-tracker.debian.org/tracker/CVE-2023-40569
    https://www.cve.org/CVERecord?id=CVE-2023-40569
[12] https://security-tracker.debian.org/tracker/CVE-2023-40589
    https://www.cve.org/CVERecord?id=CVE-2023-40589

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
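Added example, not part of the bug report above and not FreeRDP code: a small self-contained C parser that shows the defect class behind the CVE-2023-39350 and CVE-2023-40181 descriptions (an unchecked `blockLen` whose unsigned subtraction underflows, so a later copy or loop is sized past the received data) next to the validated form. The block layout (a 16-bit type, a 32-bit little-endian `blockLen` that counts the 6-byte header, then payload), the names `parse_block` and `unchecked_payload_len`, and the three sample buffers are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Block layout assumed for this example (constructed, not a FreeRDP
 * structure): uint16 type, uint32 blockLen, then (blockLen - 6) payload
 * bytes. blockLen counts the header too, as many TLV-style formats do. */
#define BLOCK_HEADER_LEN 6u

typedef struct {
    uint16_t type;
    uint32_t blockLen;
    const uint8_t *payload;
    size_t payloadLen;
} block_t;

typedef enum {
    PARSE_OK = 0,
    PARSE_ERR_SHORT_INPUT,   /* fewer bytes received than one header */
    PARSE_ERR_LEN_UNDERFLOW, /* blockLen smaller than the header it counts */
    PARSE_ERR_LEN_OVERRUN    /* blockLen claims more bytes than were received */
} parse_status_t;

static uint16_t rd_u16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The unchecked computation: blockLen - header in unsigned arithmetic.
 * With blockLen < 6 this wraps to a value near UINT32_MAX, and a copy or
 * loop sized by it would read far past the buffer. Returned here only so
 * the wrapped value can be observed; nothing is read with it. */
uint32_t unchecked_payload_len(uint32_t blockLen)
{
    return blockLen - BLOCK_HEADER_LEN;
}

/* Validated parse: each subtraction is preceded by the comparison that
 * makes it safe, and the declared length is checked against the bytes
 * actually received before any payload pointer is handed out. */
parse_status_t parse_block(const uint8_t *buf, size_t len, block_t *out)
{
    if (len < BLOCK_HEADER_LEN)
        return PARSE_ERR_SHORT_INPUT;

    uint16_t type = rd_u16le(buf);
    uint32_t blockLen = rd_u32le(buf + 2);

    /* Guard the subtraction: blockLen must cover the header it includes. */
    if (blockLen < BLOCK_HEADER_LEN)
        return PARSE_ERR_LEN_UNDERFLOW;

    /* Guard the read: the declared size must fit in what was received. */
    if (blockLen > len)
        return PARSE_ERR_LEN_OVERRUN;

    out->type = type;
    out->blockLen = blockLen;
    out->payload = buf + BLOCK_HEADER_LEN;
    out->payloadLen = blockLen - BLOCK_HEADER_LEN; /* cannot wrap after the check above */
    return PARSE_OK;
}

/* Constructed sample inputs. */
static const uint8_t GOOD_BLOCK[] = {
    0x01, 0x00, 0x0A, 0x00, 0x00, 0x00, 0xAA, 0xBB, 0xCC, 0xDD }; /* blockLen 10, 4 payload bytes */
static const uint8_t UNDERFLOW_BLOCK[] = {
    0x01, 0x00, 0x02, 0x00, 0x00, 0x00 };                         /* blockLen 2 < header size */
static const uint8_t OVERRUN_BLOCK[] = {
    0x01, 0x00, 0x40, 0x00, 0x00, 0x00, 0xAA };                   /* blockLen 64, only 7 bytes */

int main(void)
{
    block_t b;
    printf("unchecked payload length for blockLen=2: %u\n", unchecked_payload_len(2));
    parse_status_t st = parse_block(GOOD_BLOCK, sizeof GOOD_BLOCK, &b);
    printf("good block: status %d, payloadLen %zu\n", st, b.payloadLen);
    printf("underflow block: status %d\n", parse_block(UNDERFLOW_BLOCK, sizeof UNDERFLOW_BLOCK, &b));
    printf("overrun block: status %d\n", parse_block(OVERRUN_BLOCK, sizeof OVERRUN_BLOCK, &b));
    return 0;
}
```

The ordering of the two guards is the point: the comparison against the header size must come before the subtraction, and the comparison against the received length must come before the payload pointer is used; a check placed after either operation is already too late. With assertions compiled in, `WINPR_ASSERT`-style checks turn such a malformed block into an abort rather than an out-of-bounds read, which is the denial of service the CVE text describes; an explicit error return lets the client reject the block and keep running.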



Marked as found in versions freerdp2/2.10.0+dfsg1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sun, 10 Sep 2023 20:09:04 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Sep 11 17:51:12 2023; Machine Name: buxtehude
