Arch Linux 803 Published by

A freerdp security update has been released for Arch Linux.



ASA-202006-15: freerdp: multiple issues


Arch Linux Security Advisory ASA-202006-15
=========================================
Severity: High
Date : 2020-06-28
CVE-ID : CVE-2020-4030 CVE-2020-4031 CVE-2020-4032 CVE-2020-4033
CVE-2020-11095 CVE-2020-11096 CVE-2020-11097 CVE-2020-11098
CVE-2020-11099
Package : freerdp
Type : multiple issues
Remote : Yes
Link :   https://security.archlinux.org/AVG-1193

Summary
======
The package freerdp before version 2:2.1.2-1 is vulnerable to multiple
issues including arbitrary code execution and information disclosure.

Resolution
=========
Upgrade to 2:2.1.2-1.

# pacman -Syu "freerdp>=2:2.1.2-1"

The problems have been fixed upstream in version 2.1.2.

Workaround
=========
None.

Description
==========
- CVE-2020-4030 (information disclosure)

An out-of-bounds read has been found in FreeRDP before 2.1.2, where
logging might bypass string length checks due to an integer overflow.

- CVE-2020-4031 (arbitrary code execution)

A use-after-free vulnerability has been found in FreeRDP before 2.1.2,
in gdi_SelectObject(). Clients using compatibility mode enabled with
/relax-order-checks are affected.

- CVE-2020-4032 (information disclosure)

An integer casting vulnerability leading to an out-of-bounds read has
been found in FreeRDP before 2.1.2, in update_recv_secondary_order(),
on clients with +glyph-cache or /relax-order-checks options enabled.

- CVE-2020-4033 (information disclosure)

An out-of-bounds read of up to 4 bytes has been found in FreeRDP before
2.1.2, affecting all FreeRDP based clients with sessions with color
depth < 32.

- CVE-2020-11095 (information disclosure)

A global out-of-bounds read has been found in FreeRDP before 2.1.2, in
update_recv_primary_order.

- CVE-2020-11096 (information disclosure)

An out-of-bounds read has been found in FreeRDP before 2.1.2, in
update_read_cache_bitmap_v3_order().

- CVE-2020-11097 (information disclosure)

An out-of-bounds read has been found in FreeRDP before 2.1.2, in
ntlm_av_pair_get().

- CVE-2020-11098 (information disclosure)

An out-of-bounds read has been found in FreeRDP before 2.1.2, in
glyph_cache_put. This issue only exists when glyph-cache is enabled,
which is not the case by default.

- CVE-2020-11099 (information disclosure)

An out-of-bounds read has been found in FreeRDP before 2.1.2, in
license_read_new_or_upgrade_license_packet().

Impact
=====
A remote attacker might be able to access sensitive information or
crash the application via a crafted RDP session. A malicious server, or
an attacker in position of man-in-the-middle might be able to execute
arbitrary code on the affected host.

References
=========
  http://www.freerdp.com/2020/06/22/2_1_2-released
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fjr5-97f5-qq98
  https://github.com/FreeRDP/FreeRDP/commit/05cd9ea2290d23931f615c1b004d4b2e69074e27
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-gwcq-hpq2-m74g
  https://github.com/FreeRDP/FreeRDP/commit/6d86e20e1e7caaab4f0c7f89e36d32914dbccc52
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3898-mc89-x2vc
  https://github.com/FreeRDP/FreeRDP/commit/e7bffa64ef5ed70bac94f823e2b95262642f5296
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7rhj-856w-82p8
  https://github.com/FreeRDP/FreeRDP/commit/0a98c450c58ec150e44781c89aa6f8e7e0f571f5
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-563r-pvh7-4fw2
  https://github.com/FreeRDP/FreeRDP/commit/733ee3208306b1ea32697b356c0215180fc3f049
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mjw7-3mq2-996x
  https://github.com/FreeRDP/FreeRDP/commit/b8beb55913471952f92770c90c372139d78c16c0
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c8x2-c3c9-9r3f
  https://github.com/FreeRDP/FreeRDP/commit/58a3122250d54de3a944c487776bcd4d1da4721e
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-jr57-f58x-hjmv
  https://github.com/FreeRDP/FreeRDP/commit/c0fd449ec0870b050d350d6d844b1ea6dad4bc7d
  https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-977w-866x-4v5h
  https://github.com/FreeRDP/FreeRDP/commit/6ade7b4cbfd71c54b3d724e8f2d6ac76a58e879a
  https://security.archlinux.org/CVE-2020-4030
  https://security.archlinux.org/CVE-2020-4031
  https://security.archlinux.org/CVE-2020-4032
  https://security.archlinux.org/CVE-2020-4033
  https://security.archlinux.org/CVE-2020-11095
  https://security.archlinux.org/CVE-2020-11096
  https://security.archlinux.org/CVE-2020-11097
  https://security.archlinux.org/CVE-2020-11098
  https://security.archlinux.org/CVE-2020-11099