In FreeRDP greater than 1.1 and before 2.0.0, there is an out-of-bounds read in update_read_icon_info. It allows reading an attacker-defined amount of client memory (32bit unsigned -> 4GB) to an intermediate buffer. This can be used to crash the client or store information for later retrieval. This has been patched in 2.0.0.
References:
https://github.com/FreeRDP/FreeRDP/issues/6010
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9jp6-5vf2-cx2q
Upstream commit:
https://github.com/FreeRDP/FreeRDP/commit/6b2bc41935e53b0034fe5948aeeab4f32e80f30f
Created freerdp tracking bugs for this issue:
Affects: epel-all [bug 1835385]
Affects: fedora-all [bug 1835383]
Created freerdp1.2 tracking bugs for this issue:
Affects: fedora-all [bug 1835384]
Technical details
===================
In window.c of FreeRDP's libfreerdp, the update_read_icon_info() routine reads from a stream. In an attempt to prevent overflowing the stream buffer, the function calls Stream_GetRemainingLength(s). However, it only checks the length against two of the reads that it intends to make (iconInfo->cbBitsMask + iconInfo->cbBitsColor). The third read is into iconInfo->ColorTable, the length of which is never checked. Thus, if the iconInfo->cbColorTable is too large, an out-of-bounds read can occur where the program attempts to read past the end of the stream buffer on the heap, into iconInfo->ColorTable.
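The check pattern described above, as an added illustration that is not FreeRDP's code: a minimal stream reader with a simplified, constructed layout (three little-endian u32 lengths followed by the three blobs, not the real icon info wire format), where the flawed shape sums only two of the three lengths against the remaining stream and the fixed shape validates each blob before consuming it. All names (stream_t, blob_t, read_icon_blobs, take_blob) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stream; data/len/pos stand in for FreeRDP's wStream. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } stream_t;
/* A blob is recorded as offset+length so nothing is dereferenced out of bounds here. */
typedef struct { uint32_t cb; size_t off; } blob_t;
typedef struct { blob_t bitsMask, colorTable, bitsColor; } icon_blobs_t;

static size_t remaining(const stream_t *s) { return s->len - s->pos; }

/* Little-endian u32; caller guarantees 4 bytes remain. */
static uint32_t read_u32(stream_t *s) {
    const uint8_t *p = s->data + s->pos;
    s->pos += 4;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Consume one blob only if it fits; a per-field check cannot wrap on 32-bit builds. */
static bool take_blob(stream_t *s, blob_t *b) {
    if (remaining(s) < b->cb) return false;
    b->off = s->pos;
    s->pos += b->cb;
    return true;
}

/* Constructed layout: three u32 lengths, then the three blobs.
 * fixed=false mirrors the flawed shape (one summed check that omits the
 * colour table); fixed=true checks every blob before it is consumed. */
static bool read_icon_blobs(stream_t *s, bool fixed, icon_blobs_t *ib) {
    if (remaining(s) < 12) return false;
    ib->bitsMask.cb = read_u32(s);
    ib->colorTable.cb = read_u32(s);
    ib->bitsColor.cb = read_u32(s);
    if (!fixed) {
        if (remaining(s) < (size_t)ib->bitsMask.cb + ib->bitsColor.cb) return false;
        ib->bitsMask.off = s->pos;   s->pos += ib->bitsMask.cb;
        ib->colorTable.off = s->pos; s->pos += ib->colorTable.cb;  /* never checked */
        ib->bitsColor.off = s->pos;  s->pos += ib->bitsColor.cb;
        return true;
    }
    return take_blob(s, &ib->bitsMask) && take_blob(s, &ib->colorTable) && take_blob(s, &ib->bitsColor);
}

/* True when a blob lies entirely inside the stream buffer. */
static bool blob_in_bounds(const stream_t *s, const blob_t *b) {
    return b->off <= s->len && b->cb <= s->len - b->off;
}
```

With a constructed 16-byte input whose colour-table length is 0xFFFF, the flawed path accepts the message while blob_in_bounds reports the colour table outside the buffer; the fixed path rejects it.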
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:4031 https://access.redhat.com/errata/RHSA-2020:4031
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11042
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4647 https://access.redhat.com/errata/RHSA-2020:4647