FreeRDP 2.0.0-rc3 contains an out of bounds read vulnerability in drdynvc_process_capability_request function in channels/drdynvc/client/drdynvc_main.c file. To exploit this RDPClient must connect to the rdp server with the echo option. This can lead to a two-byte outbound reading from the client memory. References: https://github.com/FreeRDP/FreeRDP/issues/4866 Upstream Patch: https://github.com/FreeRDP/FreeRDP/pull/4871/commits/baee520e3dd9be6511c45a14c5f5e77784de1471
Created freerdp tracking bugs for this issue: Affects: epel-6 [bug 1661641] Affects: fedora-28 [bug 1661642] Created freerdp1.2 tracking bugs for this issue: Affects: fedora-all [bug 1661643]
The same memory disclosure seems to be present in freerdp-1.0.2, though it's contained entirely in the drdynvc_process_capability_request function. There does not seem to be any Availability impact, as it's a small read beyond the end of a heap buffer.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2157 https://access.redhat.com/errata/RHSA-2019:2157
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-1000852