Bug 1854876 (CVE-2020-4033)

Summary: CVE-2020-4033 freerdp: out-of-bounds read in RLEDECOMPRESS
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: mads, negativo17, oholy, pahan
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: freerdp 2.1.2
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2021-05-18 20:34:12 UTC
Type: ---
Regression: ---
Category: ---
Bug Depends On: 1854886, 1854887, 1855909, 1855910
Bug Blocks: 1854906

Description Dhananjay Arunesh 2020-07-08 11:54:47 UTC
In FreeRDP before version 2.1.2, there is an out of bounds read in RLEDECOMPRESS. All FreeRDP based clients with sessions with color depth < 32 are affected. This is fixed in version 2.1.2.

References:
http://www.freerdp.com/2020/06/22/2_1_2-released
https://github.com/FreeRDP/FreeRDP/commit/0a98c450c58ec150e44781c89aa6f8e7e0f571f5
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7rhj-856w-82p8

Comment 1 Dhananjay Arunesh 2020-07-08 12:14:47 UTC
Created freerdp tracking bugs for this issue:

Affects: epel-all [bug 1854887]
Affects: fedora-all [bug 1854886]

Comment 2 Todd Cullum 2020-07-09 22:48:43 UTC
Moved to low since this only affects the client, there's a mitigation, and the out-of-bounds read is very limited.

Comment 3 Todd Cullum 2020-07-09 22:49:20 UTC
Mitigation:

Set the color depth to 32 with the client command-line option: /bpp:32.

Comment 4 Todd Cullum 2020-07-09 22:56:44 UTC
Technical summary:

In libfreerdp/codec/include/bitmap.c's RLEDECOMPRESS(), the SRCREADPIXEL() and SRCNEXTPIXEL() routines could read data past the end of the source buffer due to a lack of bounds checking. This flaw is possible because although the while loop checks the bounds of the buffer, inside of the loop, there is the code pbSrc = pbSrc + advance which could cause an overread before reaching the next iteration/comparison in the while loop. This flaw affects freerdp CLIENTs. The patch simply adds a couple lines to ensure data is not read past the end of the buffer.
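
The pattern Comment 4 describes, a while loop whose condition bounds the header read but not the length-driven advance inside the loop, shown as an added example that is not FreeRDP's code or its patch: a toy run-length decoder in C that checks the remaining source length before every length-driven read, which is the kind of check the comment says the fix adds. The run format, the names src_has_bytes and rle_decompress_checked, and the sample streams are all constructed for this illustration and do not correspond to FreeRDP's bitmap RLE encoding.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed toy run-length encoding used only for this illustration; it is
 * NOT FreeRDP's bitmap RLE format. Each run starts with a 1-byte header:
 *   0x80 | n : "fill" run, one pixel byte follows and is emitted n times
 *   n        : "literal" run, n pixel bytes follow and are copied verbatim
 * The header value is the untrusted "advance" length taken from the stream.
 */

/* Remaining-length check. Computing pbEnd - pbSrc instead of pbSrc + need
 * avoids forming an out-of-range pointer when `need` is attacker-controlled. */
static bool src_has_bytes(const uint8_t* pbSrc, const uint8_t* pbEnd, size_t need)
{
    return pbSrc <= pbEnd && (size_t)(pbEnd - pbSrc) >= need;
}

/* Decode pbSrc[0..cbSrc) into pbDest[0..cbDest). Returns the number of pixel
 * bytes written, or -1 if the stream is truncated or would overflow pbDest.
 * The src_has_bytes() checks supply the bound the loop condition alone cannot:
 * `while (pbSrc < pbEnd)` only proves the header byte is in range, not the
 * bytes the header asks the decoder to consume before the next comparison. */
int rle_decompress_checked(const uint8_t* pbSrc, size_t cbSrc,
                           uint8_t* pbDest, size_t cbDest)
{
    const uint8_t* pbEnd = pbSrc + cbSrc;
    size_t written = 0;

    while (pbSrc < pbEnd) {
        uint8_t hdr = *pbSrc++;
        size_t count = hdr & 0x7F;

        if (cbDest - written < count)
            return -1;                      /* destination too small */

        if (hdr & 0x80) {
            if (!src_has_bytes(pbSrc, pbEnd, 1))
                return -1;                  /* fill run with no pixel byte */
            memset(pbDest + written, *pbSrc, count);
            pbSrc += 1;
        } else {
            if (!src_has_bytes(pbSrc, pbEnd, count))
                return -1;                  /* literal run longer than the input */
            memcpy(pbDest + written, pbSrc, count);
            pbSrc += count;                 /* the "advance" taken from the stream */
        }
        written += count;
    }
    return (int)written;
}

/* Constructed well-formed stream: fill 3 x 0xAA, then literal 0x01 0x02. */
int demo_well_formed(void)
{
    static const uint8_t src[] = { 0x83, 0xAA, 0x02, 0x01, 0x02 };
    uint8_t dst[16];
    int n = rle_decompress_checked(src, sizeof src, dst, sizeof dst);
    if (n != 5 || dst[0] != 0xAA || dst[2] != 0xAA || dst[3] != 0x01 || dst[4] != 0x02)
        return -1;
    return n;
}

/* Constructed truncated stream: literal header asks for 5 bytes, only 2 follow.
 * Without the remaining-length check the copy would read 3 bytes past src. */
int demo_truncated(void)
{
    static const uint8_t src[] = { 0x05, 0x01, 0x02 };
    uint8_t dst[16];
    return rle_decompress_checked(src, sizeof src, dst, sizeof dst);
}

/* Constructed fill header with no pixel byte after it. */
int demo_missing_fill_pixel(void)
{
    static const uint8_t src[] = { 0x81 };
    uint8_t dst[16];
    return rle_decompress_checked(src, sizeof src, dst, sizeof dst);
}

int main(void)
{
    printf("well-formed: %d pixels\n", demo_well_formed());
    printf("truncated: %d\n", demo_truncated());
    printf("missing fill pixel: %d\n", demo_missing_fill_pixel());
    return 0;
}
```

The decoder rejects both malformed streams with -1 instead of reading past the end of the input; the check is expressed as a remaining-length comparison rather than a pointer addition so that a large attacker-chosen count cannot produce an out-of-range pointer before the comparison happens.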

Comment 5 Todd Cullum 2020-07-09 23:02:17 UTC
This flaw could be exploited by an RDP server sending bogus data in the RLE compressed bitmap stream, which is used to determine the advance length mentioned above.

Comment 6 Todd Cullum 2020-07-09 23:05:53 UTC
Note that in freerdp-1.0.2 the flaw exists in the file libfreerdp-codec/include/bitmap.c. However, as this is Low, it is currently out of support scope for RHEL-6 and will not be patched.

Comment 8 errata-xmlrpc 2021-05-18 15:34:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1849 https://access.redhat.com/errata/RHSA-2021:1849

Comment 9 Product Security DevOps Team 2021-05-18 20:34:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-4033