Hi, Ubuntu has issued an advisory on October 4: https://ubuntu.com/security/notices/USN-6401-1 Best regards, Nico.
CC: (none) => nicolas.salgueroStatus comment: (none) => Patches available from UbuntuWhiteboard: (none) => MGA9TOO, MGA8TOOSource RPM: (none) => freerdp-2.11.2-1.mga10.src.rpm
DavidG is both registered & active packager for this SRPM, so assigning to you.
Assignee: bugsquad => geiger.david68210
In fact, only Mageia 8 and 9 are affected.
Source RPM: freerdp-2.11.2-1.mga10.src.rpm => freerdp-2.10.0-2.mga9.src.rpmWhiteboard: MGA9TOO, MGA8TOO => MGA8TOOVersion: Cauldron => 9Status comment: Patches available from Ubuntu => (none)
Suggested advisory: ======================== The updated packages fix a security vulnerability: This issue affects Clients only. Integer underflow leading to DOS (e.g. abort due to `WINPR_ASSERT` with default compilation flags). When an insufficient blockLen is provided, and proper length validation is not performed, an Integer Underflow occurs, leading to a Denial of Service (DOS) vulnerability. (CVE-2023-39350) Affected versions of FreeRDP are subject to a Null Pointer Dereference leading a crash in the RemoteFX (rfx) handling. Inside the `rfx_process_message_tileset` function, the program allocates tiles using `rfx_allocate_tiles` for the number of numTiles. If the initialization process of tiles is not completed for various reasons, tiles will have a NULL pointer. Which may be accessed in further processing and would cause a program crash. (CVE-2023-39351) Affected versions are subject to a missing offset validation leading to Out Of Bound Read. In the `libfreerdp/codec/rfx.c` file there is no offset validation in `tile->quantIdxY`, `tile->quantIdxCb`, and `tile->quantIdxCr`. As a result crafted input can lead to an out of bounds read access which in turn will cause a crash. (CVE-2023-39353) Affected versions are subject to an Out-Of-Bounds Read in the `nsc_rle_decompress_data` function. The Out-Of-Bounds Read occurs because it processes `context->Planes` without checking if it contains data of sufficient length. Should an attacker be able to leverage this vulnerability they may be able to cause a crash. (CVE-2023-39354) Affected versions are subject to an Integer-Underflow leading to Out-Of-Bound Read in the `zgfx_decompress_segment` function. In the context of `CopyMemory`, it's possible to read data beyond the transmitted packet range and likely cause a crash. (CVE-2023-40181) Affected versions are subject to an IntegerOverflow leading to Out-Of-Bound Write Vulnerability in the `gdi_CreateSurface` function. This issue affects FreeRDP based clients only. FreeRDP proxies are not affected as image decoding is not done by a proxy. (CVE-2023-40186) Affected versions are subject to an Out-Of-Bounds Read in the `general_LumaToYUV444` function. This Out-Of-Bounds Read occurs because processing is done on the `in` variable without checking if it contains data of sufficient length. Insufficient data for the `in` variable may cause errors or crashes. (CVE-2023-40188) Affected versions are subject to an Out-Of-Bounds Write in the `clear_decompress_bands_data` function in which there is no offset validation. Abuse of this vulnerability may lead to an out of bounds write. (CVE-2023-40567) Affected versions are subject to an Out-Of-Bounds Write in the `progressive_decompress` function. This issue is likely down to incorrect calculations of the `nXSrc` and `nYSrc` variables. (CVE-2023-40569) In affected versions there is a Global-Buffer-Overflow in the ncrush_decompress function. Feeding crafted input into this function can trigger the overflow which has only been shown to cause a crash. (CVE-2023-40589) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39350 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39351 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39353 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39354 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40181 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40186 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40188 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40567 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40569 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40589 https://ubuntu.com/security/notices/USN-6401-1 ======================== Updated packages in 9/core/updates_testing: ======================== freerdp-2.10.0-2.1.mga9 lib(64)freerdp2-2.10.0-2.1.mga9 lib(64)freerdp-devel-2.10.0-2.1.mga9 from SRPM: freerdp-2.10.0-2.1.mga9.src.rpm Updated packages in 8/core/updates_testing: ======================== freerdp-2.9.0-1.2.mga8 lib(64)freerdp2-2.9.0-1.2.mga8 lib(64)freerdp-devel-2.9.0-1.2.mga8 from SRPM: freerdp-2.9.0-1.2.mga8.src.rpm
Assignee: geiger.david68210 => qa-bugsStatus: NEW => ASSIGNED
Advisory from comment 3 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"
CC: (none) => marja11Keywords: (none) => advisory
CC: (none) => mageia
MGA8-64 Xfce on Acer Aspire 5253 No installation issues Ref bug 32100 for testing. When connecting on the server (an MGA9) I get feedback on its CLI in red: "Specified pixel format yuv420p is invalid or not supported" Continuing to hunt for info on that.
CC: (none) => herman.viaene
MGA9-64, Xfce The following 2 packages are going to be installed: - freerdp-2.10.0-2.1.mga9.x86_64 - lib64freerdp2-2.10.0-2.1.mga9.x86_64 4.9MB of additional disk space will be used. -------- able to connect to VirtualBox instance Working as expected for me.
CC: (none) => brtians1
MGA8-64, Xfce The following 2 packages are going to be installed: - freerdp-2.9.0-1.2.mga8.x86_64 - lib64freerdp2-2.9.0-1.2.mga8.x86_64 1.5MB of packages will be retrieved. --- rebooted Working as expected with a connection to VBOX.
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
Brian, you tested both MGA8 and MGA9, but only OKed MGA8. Is there a reason for that, or only an oversight?
CC: (none) => andrewsfarm
Only because Herman spotted an issue in 9. I wanted additional people to test. As far as working, it worked for me in 9.
FWIW... I'm not an official member of QA but I had opportunity to test this update. MGA9-64, Plasma on an Acer desktop freerdp-2.10.0-2.1.mga9.x86_64 lib64freerdp2-2.10.0-2.1.mga9.x86_64 Tested using a windows 10 bare metal installation which is all I have available to me now. The updated package worked exactly as the previous package. I saw no regressions or errors.
CC: (none) => mhrambo3501
Installed and tested without issues. Tested on a Mageia 9 VM connecting to a Windows Server 2016 Datacenter VM. I did not see the issue reported Herman Viaene on comment 5. System host: Mageia 8, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics. System guest RDP client: Mageia 9, x86_64, QEMU/KVM VM, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics. System guest RDP server: Windows Server 2016 Datacenter, x86_64, QEMU/KVM VM, AMD Ryzen 5 5600G with Radeon Graphics. $ uname -a Linux jupiter-vm-mageia-9 6.4.16-desktop-3.mga9 #1 SMP PREEMPT_DYNAMIC Tue Oct 10 16:51:28 UTC 2023 x86_64 GNU/Linux $ rpm -qa | grep freerdp | sort freerdp-2.10.0-2.mga9 lib64freerdp2-2.10.0-2.mga9 $ xfreerdp /u:Administrator /f /w:1920 /h:1080 /v:jupiter-vm-windows-server-2016-datacenter [08:57:25:668] [11268:11269] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0 [08:57:25:668] [11268:11269] [WARN][com.freerdp.crypto] - CN = jupiter-vm-windows-server-2016-datacenter Password: [08:57:31:161] [11268:11269] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32 [08:57:31:162] [11268:11269] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32 [08:57:31:169] [11268:11269] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd [08:57:31:169] [11268:11269] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx [09:02:14:853] [11268:11269] [INFO][com.freerdp.core] - ERRINFO_RPC_INITIATED_DISCONNECT_BY_USER (0x0000000B):The disconnection was initiated by an administrative tool on the server running in the user's session. [09:02:14:853] [11268:11269] [ERROR][com.freerdp.core] - rdp_set_error_info:freerdp_set_last_error_ex ERRINFO_RPC_INITIATED_DISCONNECT_BY_USER [0x0001000B]
My guess is that the error I encountered has something to do with a specific video setting on this platform. My problem is that I have no idea where I could see and/or change that configuration.
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Thanks, guys. Validating.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0318.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED