
Bug#1051638: marked as done (freerdp2: CVE-2023-39350 CVE-2023-39351 CVE-2023-39352 CVE-2023-39353 CVE-2023-39354 CVE-2023-39355 CVE-2023-39356 CVE-2023-40181 CVE-2023-40186 CVE-2023-40188 CVE-2023-40567 CVE-2023-40569 CVE-2023-40589)



Your message dated Sun, 01 Oct 2023 22:08:01 +0000
with message-id <E1qn4bZ-001Yrq-Ip@fasolo.debian.org>
and subject line Bug#1051638: fixed in freerdp2 2.11.2+dfsg1-1
has caused the Debian Bug report #1051638,
regarding freerdp2: CVE-2023-39350 CVE-2023-39351 CVE-2023-39352 CVE-2023-39353 CVE-2023-39354 CVE-2023-39355 CVE-2023-39356 CVE-2023-40181 CVE-2023-40186 CVE-2023-40188 CVE-2023-40567 CVE-2023-40569 CVE-2023-40589
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1051638: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051638
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: freerdp2
Version: 2.10.0+dfsg1-1.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.10.0+dfsg1-1

Hi,

The following vulnerabilities were published for freerdp2.

CVE-2023-39350[0]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. This issue affects Clients
| only. Integer underflow leading to DOS (e.g. abort due to
| `WINPR_ASSERT` with default compilation flags). When an insufficient
| blockLen is provided, and proper length validation is not performed,
| an Integer Underflow occurs, leading to a Denial of Service (DOS)
| vulnerability. This issue has been addressed in versions 2.11.0 and
| 3.0.0-beta3. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.


CVE-2023-39351[1]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions of
| FreeRDP are subject to a Null Pointer Dereference leading to a crash
| in the RemoteFX (rfx) handling. Inside the
| `rfx_process_message_tileset` function, the program allocates tiles
| using `rfx_allocate_tiles` for the number of numTiles. If the
| initialization process of tiles is not completed for various
| reasons, tiles will have a NULL pointer, which may be accessed in
| further processing and would cause a program crash. This issue has
| been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised
| to upgrade. There are no known workarounds for this vulnerability.


CVE-2023-39352[2]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an invalid offset validation leading to Out Of Bound
| Write. This can be triggered when the values `rect->left` and
| `rect->top` are exactly equal to `surface->width` and
| `surface->height`, e.g. `rect->left` == `surface->width` &&
| `rect->top` == `surface->height`. In practice this should cause a
| crash. This issue has been addressed in versions 2.11.0 and
| 3.0.0-beta3. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.


CVE-2023-39353[3]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to a missing offset validation leading to Out Of Bound Read.
| In the `libfreerdp/codec/rfx.c` file there is no offset validation
| in `tile->quantIdxY`, `tile->quantIdxCb`, and `tile->quantIdxCr`. As
| a result crafted input can lead to an out of bounds read access
| which in turn will cause a crash. This issue has been addressed in
| versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There
| are no known workarounds for this vulnerability.


CVE-2023-39354[4]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an Out-Of-Bounds Read in the `nsc_rle_decompress_data`
| function. The Out-Of-Bounds Read occurs because it processes
| `context->Planes` without checking if it contains data of
| sufficient length. Should an attacker be able to leverage this
| vulnerability they may be able to cause a crash. This issue has been
| addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.


CVE-2023-39355[5]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Versions of FreeRDP on the
| 3.x release branch before beta3 are subject to a Use-After-Free in
| processing `RDPGFX_CMDID_RESETGRAPHICS` packets. If
| `context->maxPlaneSize` is 0, `context->planesBuffer` will be freed.
| However, without updating `context->planesBuffer`, this leads to a
| Use-After-Free exploit vector. In most environments this should only
| result in a crash. This issue has been addressed in version
| 3.0.0-beta3 and users of the beta 3.x releases are advised to
| upgrade. There are no known workarounds for this vulnerability.


CVE-2023-39356[6]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. In affected versions a
| missing offset validation may lead to an Out Of Bound Read in the
| function `gdi_multi_opaque_rect`. In particular there is no code to
| validate if the value `multi_opaque_rect->numRectangles` is less
| than 45. Looping through `multi_opaque_rect->numRectangles` without
| proper boundary checks can lead to Out-of-Bounds Read errors which
| will likely lead to a crash. This issue has been addressed in
| versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There
| are no known workarounds for this vulnerability.


CVE-2023-40181[7]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an Integer-Underflow leading to Out-Of-Bound Read in the
| `zgfx_decompress_segment` function. In the context of `CopyMemory`,
| it's possible to read data beyond the transmitted packet range and
| likely cause a crash. This issue has been addressed in versions
| 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no
| known workarounds for this issue.


CVE-2023-40186[8]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an Integer Overflow leading to Out-Of-Bound Write
| Vulnerability in the `gdi_CreateSurface` function. This issue
| affects FreeRDP based clients only. FreeRDP proxies are not affected
| as image decoding is not done by a proxy. This issue has been
| addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to
| upgrade. There are no known workarounds for this issue.


CVE-2023-40188[9]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an Out-Of-Bounds Read in the `general_LumaToYUV444`
| function. This Out-Of-Bounds Read occurs because processing is done
| on the `in` variable without checking if it contains data of
| sufficient length. Insufficient data for the `in` variable may cause
| errors or crashes. This issue has been addressed in versions 2.11.0
| and 3.0.0-beta3. Users are advised to upgrade. There are no known
| workarounds for this issue.


CVE-2023-40567[10]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an Out-Of-Bounds Write in the
| `clear_decompress_bands_data` function in which there is no offset
| validation. Abuse of this vulnerability may lead to an out of bounds
| write. This issue has been addressed in versions 2.11.0 and
| 3.0.0-beta3. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.


CVE-2023-40569[11]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. Affected versions are
| subject to an Out-Of-Bounds Write in the `progressive_decompress`
| function. This issue is likely down to incorrect calculations of the
| `nXSrc` and `nYSrc` variables. This issue has been addressed in
| versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There
| are no known workarounds for this vulnerability.


CVE-2023-40589[12]:
| FreeRDP is a free implementation of the Remote Desktop Protocol
| (RDP), released under the Apache license. In affected versions there
| is a Global-Buffer-Overflow in the `ncrush_decompress` function.
| Feeding crafted input into this function can trigger the overflow
| which has only been shown to cause a crash. This issue has been
| addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to
| upgrade. There are no known workarounds for this issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-39350
    https://www.cve.org/CVERecord?id=CVE-2023-39350
[1] https://security-tracker.debian.org/tracker/CVE-2023-39351
    https://www.cve.org/CVERecord?id=CVE-2023-39351
[2] https://security-tracker.debian.org/tracker/CVE-2023-39352
    https://www.cve.org/CVERecord?id=CVE-2023-39352
[3] https://security-tracker.debian.org/tracker/CVE-2023-39353
    https://www.cve.org/CVERecord?id=CVE-2023-39353
[4] https://security-tracker.debian.org/tracker/CVE-2023-39354
    https://www.cve.org/CVERecord?id=CVE-2023-39354
[5] https://security-tracker.debian.org/tracker/CVE-2023-39355
    https://www.cve.org/CVERecord?id=CVE-2023-39355
[6] https://security-tracker.debian.org/tracker/CVE-2023-39356
    https://www.cve.org/CVERecord?id=CVE-2023-39356
[7] https://security-tracker.debian.org/tracker/CVE-2023-40181
    https://www.cve.org/CVERecord?id=CVE-2023-40181
[8] https://security-tracker.debian.org/tracker/CVE-2023-40186
    https://www.cve.org/CVERecord?id=CVE-2023-40186
[9] https://security-tracker.debian.org/tracker/CVE-2023-40188
    https://www.cve.org/CVERecord?id=CVE-2023-40188
[10] https://security-tracker.debian.org/tracker/CVE-2023-40567
    https://www.cve.org/CVERecord?id=CVE-2023-40567
[11] https://security-tracker.debian.org/tracker/CVE-2023-40569
    https://www.cve.org/CVERecord?id=CVE-2023-40569
[12] https://security-tracker.debian.org/tracker/CVE-2023-40589
    https://www.cve.org/CVERecord?id=CVE-2023-40589

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
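The program below is an added example, not part of either message in this bug and not FreeRDP code. It parses a small constructed block format (layout, field names, limits and status codes are all hypothetical) and shows the three validation steps whose absence the CVE texts above describe: a length field checked before it is subtracted from (the integer underflow in CVE-2023-39350), an origin offset that must be strictly less than the surface dimension so that equality is rejected (CVE-2023-39352), and an element count bounded by the receiving array before the loop runs (CVE-2023-39356). The sample packets are constructed inline so the program runs offline.

```c
/* Defensive parse of a constructed wire format. Added example; not FreeRDP
 * code. Layout, limits and names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum block_status {
    BLOCK_OK = 0,
    BLOCK_ERR_TRUNCATED,   /* fewer bytes present than the fields require */
    BLOCK_ERR_BAD_LEN,     /* blockLen smaller than its own header */
    BLOCK_ERR_OFFSET,      /* origin or extent outside the surface */
    BLOCK_ERR_COUNT        /* too many rectangles for the fixed array */
};

/* Hypothetical block layout (little-endian):
 *   u16 blockLen   total bytes, header included
 *   u16 blockType
 *   u16 left, u16 top          origin on the surface
 *   u8  numRects
 *   numRects x (u16 w, u16 h)  extents relative to the origin */
#define HEADER_LEN 4u
#define FIXED_LEN  5u   /* left, top, numRects */
#define RECT_LEN   4u
#define MAX_RECTS  45u  /* size of the receiving array */

static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }

/* Returns a block_status; on success *area_out (if non-NULL) holds the summed
 * rectangle area, standing in for whatever a real decoder would produce. */
int parse_block(const uint8_t *buf, size_t len, uint32_t width, uint32_t height,
                uint32_t *area_out)
{
    if (len < HEADER_LEN)
        return BLOCK_ERR_TRUNCATED;

    uint32_t blockLen = rd16(buf);
    /* Check before subtracting: blockLen - HEADER_LEN on an unsigned type wraps
     * to a huge value when blockLen < HEADER_LEN, and every bound derived from
     * it afterwards is then meaningless. */
    if (blockLen < HEADER_LEN)
        return BLOCK_ERR_BAD_LEN;
    /* Trust blockLen only as far as the packet actually extends. */
    if (blockLen > len)
        return BLOCK_ERR_TRUNCATED;
    uint32_t payloadLen = blockLen - HEADER_LEN;
    if (payloadLen < FIXED_LEN)
        return BLOCK_ERR_TRUNCATED;

    const uint8_t *p = buf + HEADER_LEN;
    uint32_t left = rd16(p), top = rd16(p + 2);
    /* Pixel (width, height) is the first one past the last column and row, so
     * equality is already out of bounds: the comparison is >=, not >. */
    if (left >= width || top >= height)
        return BLOCK_ERR_OFFSET;

    uint32_t numRects = p[4];
    /* Bound the count by the receiving array before looping over it. */
    if (numRects >= MAX_RECTS)
        return BLOCK_ERR_COUNT;
    if (payloadLen - FIXED_LEN < numRects * RECT_LEN)
        return BLOCK_ERR_TRUNCATED;

    uint32_t area = 0;
    const uint8_t *r = p + FIXED_LEN;
    for (uint32_t i = 0; i < numRects; i++, r += RECT_LEN) {
        uint32_t w = rd16(r), h = rd16(r + 2);
        /* u16 + u16 cannot overflow a u32, so this extent check is exact. */
        if (w == 0 || h == 0 || left + w > width || top + h > height)
            return BLOCK_ERR_OFFSET;
        area += w * h;
    }
    if (area_out)
        *area_out = area;
    return BLOCK_OK;
}

/* Convenience wrapper: summed area on success, 0 on any error. */
uint32_t block_area(const uint8_t *buf, size_t len, uint32_t width, uint32_t height)
{
    uint32_t area = 0;
    return parse_block(buf, len, width, height, &area) == BLOCK_OK ? area : 0;
}

/* Constructed sample packets (hypothetical format, 64x48 surface assumed). */
static const uint8_t pkt_ok[] = {        /* one 20x10 rect at (10,5) */
    0x0D, 0x00, 0x01, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x01, 0x14, 0x00, 0x0A, 0x00 };
static const uint8_t pkt_underflow[] = { /* blockLen 2 < header length 4 */
    0x02, 0x00, 0x01, 0x00 };
static const uint8_t pkt_edge[] = {      /* left == width (64): off by one */
    0x0D, 0x00, 0x01, 0x00, 0x40, 0x00, 0x05, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00 };
static const uint8_t pkt_count[] = {     /* numRects 45 with room for one */
    0x0D, 0x00, 0x01, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x2D, 0x01, 0x00, 0x01, 0x00 };

int main(void)
{
    static const char *names[] = { "ok", "truncated", "bad length", "offset", "count" };
    printf("pkt_ok:        %s\n", names[parse_block(pkt_ok, sizeof pkt_ok, 64, 48, NULL)]);
    printf("pkt_underflow: %s\n", names[parse_block(pkt_underflow, sizeof pkt_underflow, 64, 48, NULL)]);
    printf("pkt_edge:      %s\n", names[parse_block(pkt_edge, sizeof pkt_edge, 64, 48, NULL)]);
    printf("pkt_count:     %s\n", names[parse_block(pkt_count, sizeof pkt_count, 64, 48, NULL)]);
    printf("pkt_ok cut:    %s\n", names[parse_block(pkt_ok, 8, 64, 48, NULL)]);
    return 0;
}
```

The order of the checks matters: the length field is validated against both its own header size and the bytes actually received before any arithmetic on it, the origin is compared with `>=`, and the count is compared with the array size before the loop that would index it. Each check returns a distinct status so a fuzzing harness or a log line can tell which bound a malformed packet hit.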
--- Begin Message ---
Source: freerdp2
Source-Version: 2.11.2+dfsg1-1
Done: Mike Gabriel <sunweaver@debian.org>

We believe that the bug you reported is fixed in the latest version of
freerdp2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1051638@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated freerdp2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 01 Oct 2023 23:21:15 +0200
Source: freerdp2
Architecture: source
Version: 2.11.2+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Remote Maintainers <debian-remote@lists.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Closes: 1036095 1051638 1053317
Changes:
 freerdp2 (2.11.2+dfsg1-1) unstable; urgency=medium
 .
   * New upstream release. (Closes: #1051638).
   * Fixed security issues since v2.11.0:
     - CVE-2023-40589: [codec,ncrush] fix index checks properly verify all
       offsets while decoding data.
     - CVE-2023-40567: Fix out-of-bounds write in the
       `clear_decompress_bands_data` function.
     - CVE-2023-40188: Fix out-of-bounds read in the `general_LumaToYUV444`
       function.
     - CVE-2023-40186: Fix out-of-bounds write in the `gdi_CreateSurface`
       function.
     - CVE-2023-40181: Fix out-of-bounds read in the `zgfx_decompress_segment`
       function.
     - CVE-2023-39356: Fix out-of-bounds read in the `gdi_multi_opaque_rect`
       function.
     - CVE-2023-39355: Fix use-after-free in processing
       `RDPGFX_CMDID_RESETGRAPHICS` packets.
     - CVE-2023-39354: Fix out-of-bounds read in the `nsc_rle_decompress_data`
       function.
     - CVE-2023-39353: Fix missing offset validation leading to out-of-bounds
       read in the `libfreerdp/codec/rfx.c` file.
     - CVE-2023-39352: Fix invalid offset validation leading to out-of-bounds
       write.
     - CVE-2023-39351: Fix null-pointer-dereference leading to a crash in the
       RemoteFX (rfx) handling.
     - CVE-2023-39350: Fix integer underflow leading to DOS (e.g. abort due to
       `WINPR_ASSERT` with default compilation flags).
   * debian/patches:
     + Drop 0001_fix_ftbfs_1041377.patch. Applied upstream.
   * debian/control:
     + Add B-D: libkrb5-dev.
   * debian/rules:
     + Add -DWITH_KERBEROS=ON configure option. (Closes: #1036095).
   * debian/watch:
     + Rework file. Find all released versions of freerdp2. (Closes: #1053317).
       Thanks to Tobias Frost for sending a patch.
Checksums-Sha1:
 5149ac5e5a560614408c8664f06d2d7bf3b5ecf3 3518 freerdp2_2.11.2+dfsg1-1.dsc
 262a5ff14bf3e2a03b2529c9d5962414554c288c 2268824 freerdp2_2.11.2+dfsg1.orig.tar.xz
 59e18560fd7f0c18cb0fdcb3cdd472cfb0d88c60 44784 freerdp2_2.11.2+dfsg1-1.debian.tar.xz
 ac1775c2c450bd7d609ed44f055ec8b965d272b0 14370 freerdp2_2.11.2+dfsg1-1_source.buildinfo
Checksums-Sha256:
 053344e6b3ef782e3dd7364aed3a0e6e8004dbd6a04efbcf30ca1fa17d1ddbe1 3518 freerdp2_2.11.2+dfsg1-1.dsc
 fbe63d87fc728af1465ecbf9db9769fc5c735855773d041d4f288d79e5063a6b 2268824 freerdp2_2.11.2+dfsg1.orig.tar.xz
 a048fe57385f3c67d25cecf0cb70332e73677623a95a5a6ce5f83fd2aecdea7b 44784 freerdp2_2.11.2+dfsg1-1.debian.tar.xz
 36f7196a2517701ba7353291cbba7ba29d0be70a5eec9101c42c4a1302ebecf4 14370 freerdp2_2.11.2+dfsg1-1_source.buildinfo
Files:
 fd1e9a065660ff59a78afa0ff2315827 3518 x11 optional freerdp2_2.11.2+dfsg1-1.dsc
 874258578f462c51cc87959df65c4758 2268824 x11 optional freerdp2_2.11.2+dfsg1.orig.tar.xz
 c7f678153546331cefc46912b638a15c 44784 x11 optional freerdp2_2.11.2+dfsg1-1.debian.tar.xz
 4ada004ba337bf63cca4fe7d27b2c91b 14370 x11 optional freerdp2_2.11.2+dfsg1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
