Bug 29654

Summary: freerdp new security issues CVE-2021-41159 and CVE-2021-41160
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, brtians1, davidwhodgins, hdetavernier, joselp, mageia, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: freerdp-2.2.0-1.mga8.src.rpm CVE: CVE-2021-41159, CVE-2021-41160
Status comment:

Description David Walser 2021-11-12 21:31:39 CET 
RedHat has issued an advisory on November 11:
https://access.redhat.com/errata/RHSA-2021:4622

The issues are fixed upstream in 2.4.1.

Mageia 8 is also affected.
David Walser 2021-11-12 21:31:56 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.4.1

Comment 1 Nicolas Salguero 2021-11-15 10:11:38 CET 
Hi,

For Cauldron, freerdp-2.4.1-2.mga9 solves the issue.

Best regards,

Nico.

CC: (none) => nicolas.salguero
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 2 Nicolas Salguero 2021-11-15 14:59:44 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

All FreeRDP clients prior to version 2.4.1 using gateway connections (`/gt:rpc`) fail to validate input data. A malicious gateway might allow client memory to be written out of bounds. This issue has been resolved in version 2.4.1. If you are unable to update then use `/gt:http` rather than /gt:rdp connections if possible or use a direct connection without a gateway. (CVE-2021-41159)

In affected versions a malicious server might trigger out of bound writes in a connected client. Connections using GDI or SurfaceCommands to send graphics updates to the client might send `0` width/height or out of bound rectangles to trigger out of bound writes. With `0` width or heigth the memory allocation will be `0` but the missing bounds checks allow writing to the pointer at this (not allocated) region. This issue has been patched in FreeRDP 2.4.1. (CVE-2021-41160)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41159
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41160
https://access.redhat.com/errata/RHSA-2021:4622
========================

Updated packages in core/updates_testing:
========================
freerdp-2.2.0-1.1.mga8
lib(64)freerdp-devel-2.2.0-1.1.mga8
lib(64)freerdp2-2.2.0-1.1.mga8

from SRPM:
freerdp-2.2.0-1.1.mga8.src.rpm

Status comment: Fixed upstream in 2.4.1 => (none)
Source RPM: freerdp-2.4.0-2.mga9.src.rpm => freerdp-2.2.0-1.mga8.src.rpm
Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-41159, CVE-2021-41160
Assignee: bugsquad => qa-bugs

Comment 3 Hugues Detavernier 2021-11-16 18:12:28 CET 
Mageia 8 X64 Gnome


# urpmi --media "Core Updates testing" freerdp
Pour satisfaire les dépendances, les paquetages suivants vont être installés :
  Paquetage                      Version      Révision      Arch    
(média « Core Updates Testing »)
  freerdp                        2.2.0        1.1.mga8      x86_64  
  lib64freerdp2                  2.2.0        1.1.mga8      x86_64  
un espace additionnel de 4.8Mo sera utilisé.
1.4Mo de paquets seront récupérés.
Procéder à l'installation des 2 paquetages ? (O/n) o


    $MIRRORLIST: media/core/updates_testing/lib64freerdp2-2.2.0-1.1.mga8.x86_64.rpm
    $MIRRORLIST: media/core/updates_testing/freerdp-2.2.0-1.1.mga8.x86_64.rpm  
installation de freerdp-2.2.0-1.1.mga8.x86_64.rpm lib64freerdp2-2.2.0-1.1.mga8.x86_64.rpm depuis /var/cache/urpmi/rpms
Préparation...                   #############################################
      1/2: lib64freerdp2         #############################################
      2/2: freerdp               #############################################


Freerdp is installed but I can't lauch the application either with a terminal (command not found) or by the menu.

CC: (none) => hdetavernier

Comment 4 David Walser 2021-11-16 18:29:08 CET 
The command to launch is xfreerdp.
Comment 5 Dave Hodgins 2021-11-16 18:51:08 CET 
When in doubt, use rpm -q -l $package|grep bin/
# rpm -q -l freerdp|grep bin/
/usr/bin/freerdp-proxy
/usr/bin/freerdp-shadow-cli
/usr/bin/winpr-hash
/usr/bin/winpr-makecert
/usr/bin/wlfreerdp
/usr/bin/xfreerdp

CC: (none) => davidwhodgins

Comment 6 Hugues Detavernier 2021-11-16 20:14:36 CET 
Thanks David,

xfreedrp works fine with command line and Windows 10.
Comment 7 Jose Manuel López 2021-11-17 08:54:02 CET 
Ok here,

I have connected with windows server with remmina, all ok. I don't see issues for the moment.

CC: (none) => joselpddj

Comment 8 PC LX 2021-11-17 17:19:28 CET 
Installed and tested without issue.


Don't usually use RDP so I did some quick tests by connecting to a Windows 10 in a QEMU/KVM VM. It worked as expected. No issues noticed.


$ uname -a
Linux marte 5.10.78-desktop-1.mga8 #1 SMP Sat Nov 6 13:40:04 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep freerdp
freerdp-2.2.0-1.1.mga8
lib64freerdp2-2.2.0-1.1.mga8
$ xfreerdp /u:pclx /v:192.168.1.172 /w:1920 /h:1080 /f
[16:10:35:737] [9422:9423] [INFO][com.freerdp.core] - freerdp_connect:freerdp_set_last_error_ex resetting error state
[16:10:35:738] [9422:9423] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[16:10:35:738] [9422:9423] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[16:10:35:738] [9422:9423] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
[16:10:35:084] [9422:9423] [INFO][com.freerdp.primitives] - primitives autodetect, using optimized
[16:10:35:089] [9422:9423] [INFO][com.freerdp.core] - freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex resetting error state
[16:10:35:089] [9422:9423] [INFO][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex resetting error state
[16:10:35:130] [9422:9423] [WARN][com.freerdp.crypto] - Certificate verification failure 'self signed certificate (18)' at stack position 0
[16:10:35:130] [9422:9423] [WARN][com.freerdp.crypto] - CN = marte-vm-windows-10
Password: 
[16:10:41:931] [9422:9423] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[16:10:41:931] [9422:9423] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_RGB16
[16:10:41:945] [9422:9423] [INFO][com.winpr.clipboard] - initialized POSIX local file subsystem
[16:10:41:975] [9422:9423] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[16:10:48:299] [9422:9423] [INFO][com.freerdp.core] - rdp_set_error_info:freerdp_set_last_error_ex resetting error state
[16:11:54:884] [9422:9423] [INFO][com.freerdp.core] - ERRINFO_RPC_INITIATED_DISCONNECT_BY_USER (0x0000000B):The disconnection was initiated by an administrative tool on the server running in the user's session.
[16:11:54:884] [9422:9423] [ERROR][com.freerdp.core] - rdp_set_error_info:freerdp_set_last_error_ex ERRINFO_RPC_INITIATED_DISCONNECT_BY_USER [0x0001000B]

CC: (none) => mageia

Comment 9 David Walser 2021-11-19 20:07:07 CET 
Fedora has issued an advisory for this on November 17:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DWJXQOWKNR7O5HM2HFJOM4GBUFPTE3RG/
Comment 10 Brian Rockwell 2021-11-21 16:43:27 CET 
MGA8-64 on GNOME

The following 2 packages are going to be installed:

- freerdp-2.2.0-1.1.mga8.x86_64
- lib64freerdp2-2.2.0-1.1.mga8.x86_64

no install issues

$ xfreerdp -f 192.xx:3389

Full screen worked fine.  I did not see any issues

works for me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => brtians1

Comment 11 Thomas Andrews 2021-11-23 14:00:05 CET 
Always happy to see lots of tests! Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2021-11-25 05:10:32 CET

Keywords: (none) => advisory

Comment 12 Mageia Robot 2021-11-25 14:07:23 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0522.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED