Bug 31173

Summary: freerdp new security issues CVE-2022-3931[6-9], CVE-2022-39320, CVE-2022-39347
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, brtians1, davidwhodgins, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: freerdp-2.2.0-1.3.mga8.src.rpm CVE:
Status comment:

David Walser 2022-11-23 20:39:42 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.9.0

Comment 1 Lewis Smith 2022-11-23 21:02:22 CET 
DavidG recently put v2.8.1 in Cauldron, so assigning this update to him (registered packager). I hope this is OK to do.

Assignee: bugsquad => geiger.david68210

Comment 2 Nicolas Salguero 2022-11-25 09:23:47 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In affected versions there is an out of bound read in ZGFX decoder component of FreeRDP. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it likely resulting in a crash. (CVE-2022-39316)

Affected versions of FreeRDP are missing a range check for input offset index in ZGFX decoder. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it. (CVE-2022-39317)

Affected versions of FreeRDP are missing input validation in `urbdrc` channel. A malicious server can trick a FreeRDP based client to crash with division by zero. (CVE-2022-39318)

Affected versions of FreeRDP are missing input length validation in the `urbdrc` channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. (CVE-2022-39319)

Affected versions of FreeRDP may attempt integer addition on too narrow types leads to allocation of a buffer too small holding the data written. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. (CVE-2022-39320)

Affected versions of FreeRDP are missing path canonicalization and base path check for `drive` channel. A malicious server can trick a FreeRDP based client to read files outside the shared directory. (CVE-2022-39347)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39316
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39318
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39319
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39320
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39347
https://ubuntu.com/security/notices/USN-5734-1
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5w4j-mrrh-jjrm
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-99cm-4gw7-c8jh
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-387j-8j96-7q35
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvxm-wfj2-5fvh
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qfq2-82qr-7f4j
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg
========================

Updated packages in core/updates_testing:
========================
freerdp-2.2.0-1.4.mga8
lib(64)freerdp2-2.2.0-1.4.mga8
lib(64)freerdp-devel-2.2.0-1.4.mga8

from SRPM:
freerdp-2.2.0-1.4.mga8.src.rpm

CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 2.9.0 => (none)
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: geiger.david68210 => qa-bugs
Status: NEW => ASSIGNED
Source RPM: freerdp-2.8.1-1.mga9.src.rpm => freerdp-2.2.0-1.3.mga8.src.rpm

Comment 3 Brian Rockwell 2022-11-28 02:20:35 CET 
MGA8-64, Xfce, laptop

installed base

Nov 27 17:54:28 localhost.localdomain [RPM][2992]: install lib64freerdp2-2.2.0-1.4.mga8.x86_64: success
Nov 27 17:54:28 localhost.localdomain [RPM][2992]: install freerdp-2.2.0-1.4.mga8.x86_64: success

tested against vbox.  FYI - fullscreen is fixed in this version.

working for me

Whiteboard: (none) => MGA8-64-OK
CC: (none) => brtians1

Comment 4 Thomas Andrews 2022-11-28 03:19:53 CET 
Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-12-04 00:12:51 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-12-07 00:34:16 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0447.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED