1671359 – (CVE-2018-8786) CVE-2018-8786 freerdp: Integer truncation leading to heap-based buffer overflow in update_read_bitmap_update() function

Bug 1671359 (CVE-2018-8786) - CVE-2018-8786 freerdp: Integer truncation leading to heap-based buffer overflow in update_read_bitmap_update() function

Summary: CVE-2018-8786 freerdp: Integer truncation leading to heap-based buffer overfl...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-8786
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1671370 1684152 1684153 1684154
Blocks:	1671368
TreeView+	depends on / blocked

Reported:	2019-01-31 13:30 UTC by Andrej Nemec
Modified:	2020-04-27 16:39 UTC (History)
CC List:	6 users (show)
Fixed In Version:	freerdp 2.0.0-rc4
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in freerdp in versions prior to version 2.0.0-rc4. An integer truncation that leads to a heap-based buffer overflow in the update_read_bitmap_update() function results in a memory corruption. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed:	2019-06-10 10:46:55 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2019:0697	0	None	None	None	2019-04-02 11:37:04 UTC

Description Andrej Nemec 2019-01-31 13:30:27 UTC

FreeRDP prior to version 2.0.0-rc4 contains an Integer Truncation that leads to a Heap-Based Buffer Overflow in function update_read_bitmap_update() and results in a memory corruption.

Upstream patch:

https://github.com/FreeRDP/FreeRDP/commit/445a5a42c500ceb80f8fa7f2c11f3682538033f3

Comment 1 Andrej Nemec 2019-01-31 13:44:16 UTC

Created freerdp tracking bugs for this issue:

Affects: epel-6 [bug 1671370]

Comment 3 Riccardo Schirone 2019-02-28 15:03:01 UTC

The attacker needs to either hijack the communication between a FreeRDP client and a valid server or he needs to compromise a server for the attack to be successful.

Comment 4 Riccardo Schirone 2019-02-28 15:04:02 UTC

The memory corruption in update_read_bitmap_update() can be used to make the FreeRDP application crash or to execute arbitrary code in the context of the client system.

Comment 8 Riccardo Schirone 2019-02-28 15:09:56 UTC

Created freerdp tracking bugs for this issue:

Affects: fedora-all [bug 1684154]

Comment 9 errata-xmlrpc 2019-04-02 11:37:04 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0697 https://access.redhat.com/errata/RHSA-2019:0697

Note You need to log in before you can comment on or make changes to this bug.