DavidG is both registered & active packager for this SRPM, so assigning to you.

Assignee: bugsquad => geiger.david68210

In fact, only Mageia 8 and 9 are affected.

Source RPM: freerdp-2.11.2-1.mga10.src.rpm => freerdp-2.10.0-2.mga9.src.rpm
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Version: Cauldron => 9
Status comment: Patches available from Ubuntu => (none)

Suggested advisory:
========================

The updated packages fix a security vulnerability:

This issue affects Clients only.  Integer underflow leading to DOS (e.g. abort due to `WINPR_ASSERT` with default compilation flags). When an insufficient blockLen is provided, and proper length validation is not performed, an Integer Underflow occurs, leading to a Denial of Service (DOS) vulnerability. (CVE-2023-39350)

Affected versions of FreeRDP are subject to a Null Pointer Dereference leading a crash in the RemoteFX (rfx) handling. Inside the `rfx_process_message_tileset` function, the program allocates tiles using `rfx_allocate_tiles` for the number of numTiles. If the initialization process of tiles is not completed for various reasons, tiles will have a NULL pointer. Which may be accessed in further processing and would cause a program crash. (CVE-2023-39351)

Affected versions are subject to a missing offset validation leading to Out Of Bound Read. In the `libfreerdp/codec/rfx.c` file there is no offset validation in `tile->quantIdxY`, `tile->quantIdxCb`, and `tile->quantIdxCr`. As a result crafted input can lead to an out of bounds read access which in turn will cause a crash. (CVE-2023-39353)

Affected versions are subject to an Out-Of-Bounds Read in the `nsc_rle_decompress_data` function. The Out-Of-Bounds Read occurs because it processes `context->Planes` without checking if it contains data of sufficient length. Should an attacker be able to leverage this vulnerability they may be able to cause a crash. (CVE-2023-39354)

Affected versions are subject to an Integer-Underflow leading to Out-Of-Bound Read in the `zgfx_decompress_segment` function. In the context of `CopyMemory`, it's possible to read data beyond the transmitted packet range and likely cause a crash. (CVE-2023-40181)

Affected versions are subject to an IntegerOverflow leading to Out-Of-Bound Write Vulnerability in the `gdi_CreateSurface` function. This issue affects FreeRDP based clients only. FreeRDP proxies are not affected as image decoding is not done by a proxy. (CVE-2023-40186)

Affected versions are subject to an Out-Of-Bounds Read in the `general_LumaToYUV444` function. This Out-Of-Bounds Read occurs because processing is done on the `in` variable without checking if it contains data of sufficient length. Insufficient data for the `in` variable may cause errors or crashes. (CVE-2023-40188)

Affected versions are subject to an Out-Of-Bounds Write in the `clear_decompress_bands_data` function in which there is no offset validation. Abuse of this vulnerability may lead to an out of bounds write. (CVE-2023-40567)

Affected versions are subject to an Out-Of-Bounds Write in the `progressive_decompress` function. This issue is likely down to incorrect calculations of the `nXSrc` and `nYSrc` variables. (CVE-2023-40569)

In affected versions there is a Global-Buffer-Overflow in the ncrush_decompress function. Feeding crafted input into this function can trigger the overflow which has only been shown to cause a crash. (CVE-2023-40589)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39350
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39351
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39353
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39354
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40181
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40188
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40567
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40569
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40589
https://ubuntu.com/security/notices/USN-6401-1
========================

Updated packages in 9/core/updates_testing:
========================
freerdp-2.10.0-2.1.mga9
lib(64)freerdp2-2.10.0-2.1.mga9
lib(64)freerdp-devel-2.10.0-2.1.mga9

from SRPM:
freerdp-2.10.0-2.1.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
freerdp-2.9.0-1.2.mga8
lib(64)freerdp2-2.9.0-1.2.mga8
lib(64)freerdp-devel-2.9.0-1.2.mga8

from SRPM:
freerdp-2.9.0-1.2.mga8.src.rpm

Assignee: geiger.david68210 => qa-bugs
Status: NEW => ASSIGNED

Advisory from comment 3 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

CC: (none) => marja11
Keywords: (none) => advisory

MGA8-64 Xfce on Acer Aspire 5253
No installation issues
Ref bug 32100 for testing.
When connecting on the server (an MGA9) I get feedback on its CLI in red: "Specified pixel format yuv420p is invalid or not supported"
Continuing to hunt for info on that.

CC: (none) => herman.viaene

MGA9-64, Xfce

The following 2 packages are going to be installed:

- freerdp-2.10.0-2.1.mga9.x86_64
- lib64freerdp2-2.10.0-2.1.mga9.x86_64

4.9MB of additional disk space will be used.

--------

able to connect to VirtualBox instance

Working as expected for me.

CC: (none) => brtians1

MGA8-64, Xfce

The following 2 packages are going to be installed:

- freerdp-2.9.0-1.2.mga8.x86_64
- lib64freerdp2-2.9.0-1.2.mga8.x86_64


1.5MB of packages will be retrieved.


--- rebooted

Working as expected with a connection to VBOX.

Brian, you tested both MGA8 and MGA9, but only OKed MGA8. Is there a reason for that, or only an oversight?

CC: (none) => andrewsfarm

Only because Herman spotted an issue in 9.  I wanted additional people to test.  As far as working, it worked for me in 9.

FWIW...

I'm not an official member of QA but I had opportunity to test this update.

MGA9-64, Plasma on an Acer desktop

freerdp-2.10.0-2.1.mga9.x86_64
lib64freerdp2-2.10.0-2.1.mga9.x86_64

Tested using a windows 10 bare metal installation which is all I have available to me now. The updated package worked exactly as the previous package. I saw no regressions or errors.

CC: (none) => mhrambo3501

Installed and tested without issues.

Tested on a Mageia 9 VM connecting to a Windows Server 2016 Datacenter VM.
I did not see the issue reported Herman Viaene on comment 5.


System host: Mageia 8, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics.
System guest RDP client: Mageia 9, x86_64, QEMU/KVM VM, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics.
System guest RDP server: Windows Server 2016 Datacenter, x86_64, QEMU/KVM VM, AMD Ryzen 5 5600G with Radeon Graphics.


$ uname -a
Linux jupiter-vm-mageia-9 6.4.16-desktop-3.mga9 #1 SMP PREEMPT_DYNAMIC Tue Oct 10 16:51:28 UTC 2023 x86_64 GNU/Linux
$ rpm -qa | grep freerdp | sort
freerdp-2.10.0-2.mga9
lib64freerdp2-2.10.0-2.mga9
$ xfreerdp /u:Administrator /f /w:1920 /h:1080 /v:jupiter-vm-windows-server-2016-datacenter
[08:57:25:668] [11268:11269] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[08:57:25:668] [11268:11269] [WARN][com.freerdp.crypto] - CN = jupiter-vm-windows-server-2016-datacenter
Password: 
[08:57:31:161] [11268:11269] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[08:57:31:162] [11268:11269] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[08:57:31:169] [11268:11269] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[08:57:31:169] [11268:11269] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[09:02:14:853] [11268:11269] [INFO][com.freerdp.core] - ERRINFO_RPC_INITIATED_DISCONNECT_BY_USER (0x0000000B):The disconnection was initiated by an administrative tool on the server running in the user's session.
[09:02:14:853] [11268:11269] [ERROR][com.freerdp.core] - rdp_set_error_info:freerdp_set_last_error_ex ERRINFO_RPC_INITIATED_DISCONNECT_BY_USER [0x0001000B]

My guess is that the error I encountered has something to do with a specific video setting on this platform. My problem is that I have no idea where I could see and/or change that configuration.

Thanks, guys. Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0318.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED