Bug 1848018 (CVE-2020-11038)
| Summary: | CVE-2020-11038 freerdp: Integer overflow in VIDEO channel | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Michael Kaplan <mkaplan> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | mads, mailinglists, negativo17, oholy, pahan |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | freerdp 2.1.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-09-29 22:01:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1848019, 1848020, 1850726, 1850727 | ||
| Bug Blocks: | 1848044 | ||
|
Description
Michael Kaplan
2020-06-17 14:31:57 UTC
Created freerdp tracking bugs for this issue: Affects: fedora-all [bug 1848019] Created freerdp1.2 tracking bugs for this issue: Affects: fedora-all [bug 1848020] Technical Summary: This flaw exists in the freerdp CLIENT application in channels/video/client/video_main.c. The video_read_tsmm_presentation_req() routine reads the width & height of a video presentation from the input stream with data coming from the server. It passes the width & height to video_PresentationRequest(), and then to PresentationContext_new(), which computes the size requested during a memory allocation with BufferPool_Take(). BufferPool_Take()'s size parameter is of type int. An untrusted or compromised freerdp server could provide bogus width & height data in the stream, which would cause a memory allocation of an improper size due to integer overflow, and could subsequently cause an out-of-bounds write on the client, triggering a crash or memory corruption. The patch checks to ensure that the value passed to BufferPool_Take() is less than INT32_MAX in PresentationContext_new(). It also stores the width * height result in a size_t variable. Upstream patch: https://github.com/FreeRDP/FreeRDP/commit/06c32f170093a6ecde93e3bc07fed6a706bfbeb3 Mitigation: This flaw can be mitigated by deactivating video redirection on the client side and not using /video. I changed the impact to Low because this affects only the client, would require connecting to a compromised/untrusted server, and exploitation would not lead to a persistent denial of service. Statement: Although this flaw affects versions of freerdp shipped with Red Hat Enterprise Linux 7 and 8, Red Hat Product Security views this flaw as having low impact because it only affects the freerdp client, the user must connect to an untrusted or compromised server, and it would not lead to a persistent denial of service if exploited. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4031 https://access.redhat.com/errata/RHSA-2020:4031 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11038 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4647 https://access.redhat.com/errata/RHSA-2020:4647 |