[ASA-202006-15] freerdp: multiple issues

Morten Linderud foxboron at archlinux.org
Tue Jun 30 20:33:02 UTC 2020


Arch Linux Security Advisory ASA-202006-15
==========================================

Severity: High
Date    : 2020-06-28
CVE-ID  : CVE-2020-4030  CVE-2020-4031  CVE-2020-4032  CVE-2020-4033
          CVE-2020-11095 CVE-2020-11096 CVE-2020-11097 CVE-2020-11098
          CVE-2020-11099
Package : freerdp
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1193

Summary
=======

The package freerdp before version 2:2.1.2-1 is vulnerable to multiple
issues including arbitrary code execution and information disclosure.

Resolution
==========

Upgrade to 2:2.1.2-1.

# pacman -Syu "freerdp>=2:2.1.2-1"

The problems have been fixed upstream in version 2.1.2.

Workaround
==========

None.

Description
===========

- CVE-2020-4030 (information disclosure)

An out-of-bounds read has been found in FreeRDP before 2.1.2, where
logging might bypass string length checks due to an integer overflow.

- CVE-2020-4031 (arbitrary code execution)

A use-after-free vulnerability has been found in FreeRDP before 2.1.2,
in gdi_SelectObject(). Clients using compatibility mode enabled with
/relax-order-checks are affected.

- CVE-2020-4032 (information disclosure)

An integer casting vulnerability leading to an out-of-bounds read has
been found in FreeRDP before 2.1.2, in update_recv_secondary_order(),
on clients with +glyph-cache or /relax-order-checks options enabled.

- CVE-2020-4033 (information disclosure)

An out-of-bounds read of up to 4 bytes has been found in FreeRDP before
2.1.2, affecting all FreeRDP based clients with sessions with color
depth < 32.

- CVE-2020-11095 (information disclosure)

A global out-of-bounds read has been found in FreeRDP before 2.1.2, in
update_recv_primary_order.

- CVE-2020-11096 (information disclosure)

An out-of-bounds read has been found in FreeRDP before 2.1.2, in
update_read_cache_bitmap_v3_order().

- CVE-2020-11097 (information disclosure)

An out-of-bounds read has been found in FreeRDP before 2.1.2, in
ntlm_av_pair_get().

- CVE-2020-11098 (information disclosure)

An out-of-bounds read has been found in FreeRDP before 2.1.2, in
glyph_cache_put. This issue only exists when glyph-cache is enabled,
which is not the case by default.

- CVE-2020-11099 (information disclosure)

An out-of-bounds read has been found in FreeRDP before 2.1.2, in
license_read_new_or_upgrade_license_packet().

Impact
======

A remote attacker might be able to access sensitive information or
crash the application via a crafted RDP session. A malicious server, or
an attacker in position of man-in-the-middle might be able to execute
arbitrary code on the affected host.

References
==========

http://www.freerdp.com/2020/06/22/2_1_2-released
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fjr5-97f5-qq98
https://github.com/FreeRDP/FreeRDP/commit/05cd9ea2290d23931f615c1b004d4b2e69074e27
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-gwcq-hpq2-m74g
https://github.com/FreeRDP/FreeRDP/commit/6d86e20e1e7caaab4f0c7f89e36d32914dbccc52
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3898-mc89-x2vc
https://github.com/FreeRDP/FreeRDP/commit/e7bffa64ef5ed70bac94f823e2b95262642f5296
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7rhj-856w-82p8
https://github.com/FreeRDP/FreeRDP/commit/0a98c450c58ec150e44781c89aa6f8e7e0f571f5
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-563r-pvh7-4fw2
https://github.com/FreeRDP/FreeRDP/commit/733ee3208306b1ea32697b356c0215180fc3f049
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mjw7-3mq2-996x
https://github.com/FreeRDP/FreeRDP/commit/b8beb55913471952f92770c90c372139d78c16c0
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c8x2-c3c9-9r3f
https://github.com/FreeRDP/FreeRDP/commit/58a3122250d54de3a944c487776bcd4d1da4721e
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-jr57-f58x-hjmv
https://github.com/FreeRDP/FreeRDP/commit/c0fd449ec0870b050d350d6d844b1ea6dad4bc7d
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-977w-866x-4v5h
https://github.com/FreeRDP/FreeRDP/commit/6ade7b4cbfd71c54b3d724e8f2d6ac76a58e879a
https://security.archlinux.org/CVE-2020-4030
https://security.archlinux.org/CVE-2020-4031
https://security.archlinux.org/CVE-2020-4032
https://security.archlinux.org/CVE-2020-4033
https://security.archlinux.org/CVE-2020-11095
https://security.archlinux.org/CVE-2020-11096
https://security.archlinux.org/CVE-2020-11097
https://security.archlinux.org/CVE-2020-11098
https://security.archlinux.org/CVE-2020-11099
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20200630/09e79bec/attachment-0001.sig>


More information about the arch-security mailing list