Ubuntu has issued an advisory on November 22: https://ubuntu.com/security/notices/USN-5734-1 The issues are fixed upstream in 2.9.0: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5w4j-mrrh-jjrm https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-99cm-4gw7-c8jh https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-387j-8j96-7q35 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvxm-wfj2-5fvh https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qfq2-82qr-7f4j https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOOStatus comment: (none) => Fixed upstream in 2.9.0
DavidG recently put v2.8.1 in Cauldron, so assigning this update to him (registered packager). I hope this is OK to do.
Assignee: bugsquad => geiger.david68210
Suggested advisory: ======================== The updated packages fix security vulnerabilities: In affected versions there is an out of bound read in ZGFX decoder component of FreeRDP. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it likely resulting in a crash. (CVE-2022-39316) Affected versions of FreeRDP are missing a range check for input offset index in ZGFX decoder. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it. (CVE-2022-39317) Affected versions of FreeRDP are missing input validation in `urbdrc` channel. A malicious server can trick a FreeRDP based client to crash with division by zero. (CVE-2022-39318) Affected versions of FreeRDP are missing input length validation in the `urbdrc` channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. (CVE-2022-39319) Affected versions of FreeRDP may attempt integer addition on too narrow types leads to allocation of a buffer too small holding the data written. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. (CVE-2022-39320) Affected versions of FreeRDP are missing path canonicalization and base path check for `drive` channel. A malicious server can trick a FreeRDP based client to read files outside the shared directory. (CVE-2022-39347) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39316 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39317 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39318 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39319 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39320 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39347 https://ubuntu.com/security/notices/USN-5734-1 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5w4j-mrrh-jjrm https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-99cm-4gw7-c8jh https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-387j-8j96-7q35 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvxm-wfj2-5fvh https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qfq2-82qr-7f4j https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg ======================== Updated packages in core/updates_testing: ======================== freerdp-2.2.0-1.4.mga8 lib(64)freerdp2-2.2.0-1.4.mga8 lib(64)freerdp-devel-2.2.0-1.4.mga8 from SRPM: freerdp-2.2.0-1.4.mga8.src.rpm
CC: (none) => nicolas.salgueroStatus comment: Fixed upstream in 2.9.0 => (none)Whiteboard: MGA8TOO => (none)Version: Cauldron => 8Assignee: geiger.david68210 => qa-bugsStatus: NEW => ASSIGNEDSource RPM: freerdp-2.8.1-1.mga9.src.rpm => freerdp-2.2.0-1.3.mga8.src.rpm
MGA8-64, Xfce, laptop installed base Nov 27 17:54:28 localhost.localdomain [RPM][2992]: install lib64freerdp2-2.2.0-1.4.mga8.x86_64: success Nov 27 17:54:28 localhost.localdomain [RPM][2992]: install freerdp-2.2.0-1.4.mga8.x86_64: success tested against vbox. FYI - fullscreen is fixed in this version. working for me
Whiteboard: (none) => MGA8-64-OKCC: (none) => brtians1
Validating. Advisory in comment 2.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0447.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED