Source: freerdp2
Version: 2.10.0+dfsg1-1.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.10.0+dfsg1-1

Hi,

The following vulnerabilities were published for freerdp2.

CVE-2023-39350[0]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. This issue affects Clients
| only. Integer underflow leading to DOS (e.g. abort due to
| `WINPR_ASSERT` with default compilation flags). When an insufficient
| blockLen is provided, and proper length validation is not performed,
| an Integer Underflow occurs, leading to a Denial of Service (DOS)
| vulnerability. This issue has been addressed in versions 2.11.0 and
| 3.0.0-beta3. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.

CVE-2023-39351[1]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions of
| FreeRDP are subject to a Null Pointer Dereference leading to a crash
| in the RemoteFX (rfx) handling. Inside the
| `rfx_process_message_tileset` function, the program allocates tiles
| using `rfx_allocate_tiles` for the number of numTiles. If the
| initialization process of tiles is not completed for various
| reasons, tiles will have a NULL pointer. Which may be accessed in
| further processing and would cause a program crash. This issue has
| been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised
| to upgrade. There are no known workarounds for this vulnerability.

CVE-2023-39352[2]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an invalid offset validation leading to Out Of Bound
| Write. This can be triggered when the values `rect->left` and
| `rect->top` are exactly equal to `surface->width` and
| `surface->height`. e.g. `rect->left` == `surface->width` &&
| `rect->top` == `surface->height`. In practice this should cause a
| crash. This issue has been addressed in versions 2.11.0 and
| 3.0.0-beta3. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.

CVE-2023-39353[3]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to a missing offset validation leading to Out Of Bound Read.
| In the `libfreerdp/codec/rfx.c` file there is no offset validation
| in `tile->quantIdxY`, `tile->quantIdxCb`, and `tile->quantIdxCr`. As
| a result crafted input can lead to an out of bounds read access
| which in turn will cause a crash. This issue has been addressed in
| versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There
| are no known workarounds for this vulnerability.

CVE-2023-39354[4]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an Out-Of-Bounds Read in the `nsc_rle_decompress_data`
| function. The Out-Of-Bounds Read occurs because it processes
| `context->Planes` without checking if it contains data of
| sufficient length. Should an attacker be able to leverage this
| vulnerability they may be able to cause a crash. This issue has been
| addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.

CVE-2023-39355[5]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Versions of FreeRDP on the
| 3.x release branch before beta3 are subject to a Use-After-Free in
| processing `RDPGFX_CMDID_RESETGRAPHICS` packets. If
| `context->maxPlaneSize` is 0, `context->planesBuffer` will be freed.
| However, without updating `context->planesBuffer`, this leads to a
| Use-After-Free exploit vector. In most environments this should only
| result in a crash. This issue has been addressed in version
| 3.0.0-beta3 and users of the beta 3.x releases are advised to
| upgrade. There are no known workarounds for this vulnerability.

CVE-2023-39356[6]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. In affected versions a
| missing offset validation may lead to an Out Of Bound Read in the
| function `gdi_multi_opaque_rect`. In particular there is no code to
| validate if the value `multi_opaque_rect->numRectangles` is less
| than 45. Looping through `multi_opaque_rect->numRectangles` without
| proper boundary checks can lead to Out-of-Bounds Read errors which
| will likely lead to a crash. This issue has been addressed in
| versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There
| are no known workarounds for this vulnerability.

CVE-2023-40181[7]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an Integer-Underflow leading to Out-Of-Bound Read in the
| `zgfx_decompress_segment` function. In the context of `CopyMemory`,
| it's possible to read data beyond the transmitted packet range and
| likely cause a crash. This issue has been addressed in versions
| 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no
| known workarounds for this issue.

CVE-2023-40186[8]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an IntegerOverflow leading to Out-Of-Bound Write
| Vulnerability in the `gdi_CreateSurface` function. This issue
| affects FreeRDP based clients only. FreeRDP proxies are not affected
| as image decoding is not done by a proxy. This issue has been
| addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to
| upgrade. There are no known workarounds for this issue.

CVE-2023-40188[9]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an Out-Of-Bounds Read in the `general_LumaToYUV444`
| function. This Out-Of-Bounds Read occurs because processing is done
| on the `in` variable without checking if it contains data of
| sufficient length. Insufficient data for the `in` variable may cause
| errors or crashes. This issue has been addressed in versions 2.11.0
| and 3.0.0-beta3. Users are advised to upgrade. There are no known
| workarounds for this issue.

CVE-2023-40567[10]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an Out-Of-Bounds Write in the
| `clear_decompress_bands_data` function in which there is no offset
| validation. Abuse of this vulnerability may lead to an out of bounds
| write. This issue has been addressed in versions 2.11.0 and
| 3.0.0-beta3. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.

CVE-2023-40569[11]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an Out-Of-Bounds Write in the `progressive_decompress`
| function. This issue is likely down to incorrect calculations of the
| `nXSrc` and `nYSrc` variables. This issue has been addressed in
| versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There
| are no known workarounds for this vulnerability.

CVE-2023-40589[12]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. In affected versions there
| is a Global-Buffer-Overflow in the ncrush_decompress function.
| Feeding crafted input into this function can trigger the overflow
| which has only been shown to cause a crash. This issue has been
| addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to
| upgrade. There are no known workarounds for this issue.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-39350
    https://www.cve.org/CVERecord?id=CVE-2023-39350
[1] https://security-tracker.debian.org/tracker/CVE-2023-39351
    https://www.cve.org/CVERecord?id=CVE-2023-39351
[2] https://security-tracker.debian.org/tracker/CVE-2023-39352
    https://www.cve.org/CVERecord?id=CVE-2023-39352
[3] https://security-tracker.debian.org/tracker/CVE-2023-39353
    https://www.cve.org/CVERecord?id=CVE-2023-39353
[4] https://security-tracker.debian.org/tracker/CVE-2023-39354
    https://www.cve.org/CVERecord?id=CVE-2023-39354
[5] https://security-tracker.debian.org/tracker/CVE-2023-39355
    https://www.cve.org/CVERecord?id=CVE-2023-39355
[6] https://security-tracker.debian.org/tracker/CVE-2023-39356
    https://www.cve.org/CVERecord?id=CVE-2023-39356
[7] https://security-tracker.debian.org/tracker/CVE-2023-40181
    https://www.cve.org/CVERecord?id=CVE-2023-40181
[8] https://security-tracker.debian.org/tracker/CVE-2023-40186
    https://www.cve.org/CVERecord?id=CVE-2023-40186
[9] https://security-tracker.debian.org/tracker/CVE-2023-40188
    https://www.cve.org/CVERecord?id=CVE-2023-40188
[10] https://security-tracker.debian.org/tracker/CVE-2023-40567
    https://www.cve.org/CVERecord?id=CVE-2023-40567
[11] https://security-tracker.debian.org/tracker/CVE-2023-40569
    https://www.cve.org/CVERecord?id=CVE-2023-40569
[12] https://security-tracker.debian.org/tracker/CVE-2023-40589
    https://www.cve.org/CVERecord?id=CVE-2023-40589

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
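
Added illustration, not part of the original report and not FreeRDP's code: three of the input-validation patterns whose absence the descriptions above name (the boundary case in CVE-2023-39352, the length underflow in CVE-2023-39350, the count bound in CVE-2023-39356). The struct types, function names and the 6-byte header size are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types and constants for illustration; not FreeRDP's own. */
typedef struct { uint32_t left, top, right, bottom; } rect_t;
typedef struct { uint32_t width, height; } surface_t;
#define BLOCK_HEADER_LEN 6u /* assumed header size, constructed for this example */
#define MAX_RECTANGLES 45u  /* bound named in the CVE-2023-39356 description */

/* Weak form: '>' lets left == width and top == height through, the
 * boundary case the CVE-2023-39352 description names. */
bool rect_origin_ok_weak(const rect_t *r, const surface_t *s) {
    return !(r->left > s->width || r->top > s->height);
}

/* Hardened form: origin must be a valid pixel index, the rectangle must
 * not be inverted, and its far edges must stay inside the surface. */
bool rect_ok(const rect_t *r, const surface_t *s) {
    if (r->left >= s->width || r->top >= s->height) return false;
    if (r->right < r->left || r->bottom < r->top) return false;
    return r->right <= s->width && r->bottom <= s->height;
}

/* Compare before subtracting: with unsigned arithmetic, a blockLen smaller
 * than the header would wrap to a huge payload length. */
bool block_payload_len(uint32_t blockLen, size_t remaining, uint32_t *payload) {
    if (blockLen < BLOCK_HEADER_LEN) return false;
    if ((size_t)(blockLen - BLOCK_HEADER_LEN) > remaining) return false;
    *payload = blockLen - BLOCK_HEADER_LEN;
    return true;
}

/* A count read from the wire must be checked before it drives a loop
 * over a fixed-size array. */
bool rect_count_ok(uint32_t numRectangles) { return numRectangles < MAX_RECTANGLES; }

int main(void) {
    surface_t s = { 64, 64 };
    rect_t edge = { 64, 64, 64, 64 }; /* constructed boundary input */
    uint32_t payload = 0;
    printf("weak=%d hardened=%d\n", rect_origin_ok_weak(&edge, &s), rect_ok(&edge, &s));
    printf("short block accepted=%d\n", block_payload_len(4, 100, &payload));
    printf("45 rectangles accepted=%d\n", rect_count_ok(45));
    return 0;
}
```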