In FreeRDP after 1.0 and before 2.0.0, there is an out-of-bound read in update_read_bitmap_data that allows client memory to be read to an image buffer. The result displayed on screen as colour.

References:
https://github.com/FreeRDP/FreeRDP/issues/6005
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3x39-248q-f4q6

Upstream commit:
https://github.com/FreeRDP/FreeRDP/commit/f8890a645c221823ac133dbf991f8a65ae50d637
Created freerdp tracking bugs for this issue:
Affects: epel-all [bug 1835402]
Affects: fedora-all [bug 1835401]

Created freerdp1.2 tracking bugs for this issue:
Affects: fedora-all [bug 1835400]
Technical Summary: update_read_bitmap_data() does not check the length of the stream remaining before reading 8 bytes of data from the stream; thus it is possible to read up to 8 bytes past the end of the stream buffer, when certain bitmap flags are set. The read data will be stored in bitmap metadata size variables.
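The missing check described in the technical summary, as an added example that is not FreeRDP's code or part of the original report: a parser that refuses to read the four 16-bit size fields unless 8 bytes remain. The stream type, struct, function names, flag values and sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical minimal stream and header types, not FreeRDP's stream API. */
typedef struct { const uint8_t *p; const uint8_t *end; } stream_t;
typedef struct {
    uint16_t first_row_size, main_body_size, scan_width, uncompressed_size;
} comp_hdr_t;

/* Flag values are constructed for this example. */
#define FLAG_COMPRESSED  0x0001u
#define FLAG_NO_COMP_HDR 0x0400u

static size_t remaining(const stream_t *s) { return (size_t)(s->end - s->p); }

static uint16_t read_u16le(stream_t *s)
{
    uint16_t v = (uint16_t)(s->p[0] | (s->p[1] << 8));
    s->p += 2;
    return v;
}

/* Returns 1 if a header was read, 0 if the flags say none is present,
 * -1 if the stream is too short to hold it. */
int read_comp_hdr(stream_t *s, uint16_t flags, comp_hdr_t *h)
{
    if (!(flags & FLAG_COMPRESSED) || (flags & FLAG_NO_COMP_HDR))
        return 0;
    /* Without this test, the four reads below would run up to 8 bytes
     * past s->end and store adjacent memory in the size fields. */
    if (remaining(s) < 8)
        return -1;
    h->first_row_size    = read_u16le(s);
    h->main_body_size    = read_u16le(s);
    h->scan_width        = read_u16le(s);
    h->uncompressed_size = read_u16le(s);
    return 1;
}

/* Parses the first len (<= 8) bytes of a constructed sample header. */
int parse_sample(size_t len, uint16_t flags, comp_hdr_t *h)
{
    static const uint8_t sample[8] = { 0x10, 0x00, 0x20, 0x01, 0x40, 0x00, 0x00, 0x02 };
    stream_t s = { sample, sample + len };
    return read_comp_hdr(&s, flags, h);
}

int main(void)
{
    comp_hdr_t h = { 0, 0, 0, 0 };
    printf("full=%d short=%d\n", parse_sample(8, FLAG_COMPRESSED, &h), parse_sample(7, FLAG_COMPRESSED, &h));
    return 0;
}
```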
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:4031 https://access.redhat.com/errata/RHSA-2020:4031
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11045
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4647 https://access.redhat.com/errata/RHSA-2020:4647