In FreeRDP before version 2.1.2, there is an out-of-bound read in glyph_cache_put. This affects all FreeRDP clients with `+glyph-cache` option enabled. This is fixed in version 2.1.2. References: http://www.freerdp.com/2020/06/22/2_1_2-released https://github.com/FreeRDP/FreeRDP/commit/c0fd449ec0870b050d350d6d844b1ea6dad4bc7d https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-jr57-f58x-hjmv
Created freerdp tracking bugs for this issue: Affects: epel-all [bug 1854845] Affects: fedora-all [bug 1854844]
glyph_cache_put() in libfreerdp/cache/glyph.c has an off-by-one indexing error which allows glyphCache->glyphCache[id].entries[index] to be indexed out-of-bounds. The patch ensures that index is less than glyphCache->glyphCache[id].number which avoids the out-of-bounds read. Marking this as Low because the feature is disabled by default and there is a low risk to availability in the freerdp client only.
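The off-by-one described in the comment above, shown on a simplified model as an added example; this is not FreeRDP source code. The field names `glyphCache`, `entries` and `number` follow the comment, while `NUM_CACHES`, `Glyph`, `CacheTable`, `cache_init`, `cache_put` and both `index_ok_*` helpers are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define NUM_CACHES 4 /* constructed value for this model */

typedef struct { int width; } Glyph; /* hypothetical stand-in for a glyph */
typedef struct { size_t number; Glyph **entries; } CacheTable;
typedef struct { CacheTable glyphCache[NUM_CACHES]; } GlyphCache;

/* Off-by-one form: only rejects index > number, so index == number passes. */
bool index_ok_off_by_one(const CacheTable *t, size_t index) { return !(index > t->number); }

/* Corrected form: index must be strictly less than number. */
bool index_ok_fixed(const CacheTable *t, size_t index) { return index < t->number; }

/* Allocate `number` zeroed slots in every table; false on allocation failure. */
bool cache_init(GlyphCache *c, size_t number)
{
    for (size_t i = 0; i < NUM_CACHES; i++) {
        c->glyphCache[i].number = number;
        c->glyphCache[i].entries = calloc(number, sizeof(Glyph *));
        if (!c->glyphCache[i].entries) {
            while (i--) free(c->glyphCache[i].entries);
            return false;
        }
    }
    return true;
}

void cache_free(GlyphCache *c)
{
    for (size_t i = 0; i < NUM_CACHES; i++) free(c->glyphCache[i].entries);
}

/* Store g at [id][index] and hand back the previous entry through *old.
   In this model, reading the previous entry is the out-of-bounds read
   that an unchecked index would cause. */
bool cache_put(GlyphCache *c, size_t id, size_t index, Glyph *g, Glyph **old)
{
    if (id >= NUM_CACHES) return false;
    CacheTable *t = &c->glyphCache[id];
    if (!index_ok_fixed(t, index)) return false; /* rejects index == number */
    *old = t->entries[index];
    t->entries[index] = g;
    return true;
}

int main(void)
{
    GlyphCache c; Glyph g = { 8 }; Glyph *old = NULL;
    if (!cache_init(&c, 4)) return 1;
    printf("index 3: %d, index 4: %d\n", cache_put(&c, 0, 3, &g, &old), cache_put(&c, 0, 4, &g, &old));
    cache_free(&c);
    return 0;
}
```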
Mitigation: Do not use the +glyph_cache option in the freerdp client, which is disabled by default in freerdp-2.0.0.rc4 (shipped with Red Hat Enterprise Linux 7 and 8), but required to connect to xrdp.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1849 https://access.redhat.com/errata/RHSA-2021:1849
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11098