Bug 31136

Summary:	freerdp new security issues CVE-2022-3928[23]
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version:	8	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA8-64-OK
Source RPM:	freerdp-2.2.0-1.2.mga8.src.rpm	CVE:	CVE-2022-39282, CVE-2022-39283
Status comment:

Description David Walser 2022-11-16 17:33:45 CET

SUSE has issued an advisory on November 15:
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012920.html

The issues are fixed upstream in 2.8.1:
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c45q-wcpg-mxjq
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6cf9-3328-qrvh
https://github.com/FreeRDP/FreeRDP/releases/tag/2.8.1

David Walser 2022-11-16 17:34:00 CET

Status comment: (none) => Fixed upstream in 2.8.1

Comment 1 David Walser 2022-11-16 18:13:44 CET

Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HJA3DXXYKZSQPM7VF5GX343WBGCGAPAH/

Comment 2 Lewis Smith 2022-11-17 11:59:46 CET

Assigning to you, DavidG, seeing you have already put version: 2.8.1 into Cauldron, and are even the registered maintainer. Glad to see you.

Assignee: bugsquad => geiger.david68210

Comment 3 Lewis Smith 2022-11-21 12:17:45 CET

OK, version: 2.8.1 is in Cauldron.
Re-assigning this globally, may have erred initially.

Assignee: geiger.david68210 => pkg-bugs

Comment 4 Nicolas Salguero 2022-11-22 14:59:46 CET

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

FreeRDP based clients on unix systems using `/parallel` command line switch might read uninitialized data and send it to the server the client is currently connected to. (CVE-2022-39282)

All FreeRDP based clients when using the `/video` command line switch might read uninitialized data, decode it as audio/video and display the result. (CVE-2022-39283)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39282
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39283
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012920.html
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c45q-wcpg-mxjq
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6cf9-3328-qrvh
https://github.com/FreeRDP/FreeRDP/releases/tag/2.8.1
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HJA3DXXYKZSQPM7VF5GX343WBGCGAPAH/
========================

Updated packages in core/updates_testing:
========================
freerdp-2.2.0-1.3.mga8
lib(64)freerdp2-2.2.0-1.3.mga8
lib(64)freerdp-devel-2.2.0-1.3.mga8

from SRPM:
freerdp-2.2.0-1.3.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-39282, CVE-2022-39283
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 2.8.1 => (none)

Comment 5 Herman Viaene 2022-11-23 15:24:45 CET

MGA8-64 MATE on Acer Aspire 5253
No installation issues
Followed example from bug 30392 Comment 8 with the remark that the correct syntax seems to be
xfreerdp /v:<server>:3984 /u:user> /p:<munged>
thus / i.s.o. -
Had the same effect, view OK, no mouse control. so OK as then.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2022-11-23 16:31:58 CET

Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-11-24 04:19:18 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2022-11-24 23:22:48 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0437.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED