In FreeRDP before version 2.1.2, there is an out-of-bounds read in RLEDECOMPRESS. All FreeRDP-based clients with sessions with color depth < 32 are affected. This is fixed in version 2.1.2.
References:
http://www.freerdp.com/2020/06/22/2_1_2-released
https://github.com/FreeRDP/FreeRDP/commit/0a98c450c58ec150e44781c89aa6f8e7e0f571f5
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7rhj-856w-82p8
Created freerdp tracking bugs for this issue: Affects: epel-all [bug 1854887] Affects: fedora-all [bug 1854886]
Moved to low since this only affects the client, there's a mitigation, and the out-of-bounds read is very limited.
Mitigation: Set the color depth to 32 with the client command-line option: /bpp:32.
Technical summary: In libfreerdp/codec/include/bitmap.c's RLEDECOMPRESS(), the SRCREADPIXEL() and SRCNEXTPIXEL() routines could read data past the end of the source buffer due to a lack of bounds checking. This flaw is possible because, although the while loop checks the bounds of the buffer, inside the loop there is the code pbSrc = pbSrc + advance, which could cause an over-read before reaching the next iteration/comparison in the while loop. This flaw affects FreeRDP clients. The patch simply adds a couple of lines to ensure data is not read past the end of the buffer.
This flaw could be exploited by an RDP server sending bogus data in the RLE-compressed bitmap stream, which is used to determine the advance length mentioned above.
Note that in freerdp-1.0.2 the flaw exists in the file libfreerdp-codec/include/bitmap.c. However, as this is Low, it is currently out of support scope for RHEL-6 and will not be patched.
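The pattern described in the technical summary above (a decoder loop whose top-of-loop bounds check is defeated because the body advances the source cursor by an attacker-supplied length and reads before the next comparison) is illustrated below with a constructed toy run-length format. This is an added example, not FreeRDP's RLEDECOMPRESS() or its actual stream format; the opcodes, `src_has()` helper and `rle_decode_checked()` function are assumptions made for the demonstration. The point it shows is the fix class the patch applies: verify the remaining source length before every read or cursor advance, and fail closed on truncated input instead of reading past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy stream format (NOT FreeRDP's real RLE encoding):
 *   0x01 <len> <len*bpp bytes>  : copy len literal pixels from the source
 *   0x02 <len> <bpp bytes>      : repeat one source pixel len times
 * bpp is bytes per pixel (1, 2 or 3 for the affected depths < 32).
 */

/* True if at least `need` bytes remain between cursor and end. Computed
 * on sizes, not by forming a pointer past `end`, so the check itself is
 * well defined. This is the kind of guard the fix adds before each
 * SRCREADPIXEL()/SRCNEXTPIXEL() step. */
static int src_has(const uint8_t *cur, const uint8_t *end, size_t need)
{
    return (size_t)(end - cur) >= need;
}

/* Decode `src` into `dst`. Returns the number of pixels written, or -1 if
 * the stream would require reading past `srclen` or writing past `dstcap`. */
int rle_decode_checked(const uint8_t *src, size_t srclen, size_t bpp,
                       uint8_t *dst, size_t dstcap)
{
    const uint8_t *cur = src;
    const uint8_t *end = src + srclen;
    size_t written = 0; /* bytes written to dst so far */

    while (cur < end) {
        /* opcode and run length: two header bytes */
        if (!src_has(cur, end, 2))
            return -1;
        uint8_t op = cur[0];
        size_t len = cur[1];
        cur += 2;

        size_t out_bytes = len * bpp;
        if (dstcap - written < out_bytes)
            return -1; /* would overflow the destination bitmap */

        if (op == 0x01) {
            size_t advance = out_bytes;
            /* The bug class from the advisory: advancing by a
             * stream-controlled `advance` and reading without this check
             * lets a malformed length pull reads past the source buffer. */
            if (!src_has(cur, end, advance))
                return -1;
            memcpy(dst + written, cur, advance);
            cur += advance;
        } else if (op == 0x02) {
            if (!src_has(cur, end, bpp))
                return -1;
            for (size_t i = 0; i < len; i++)
                memcpy(dst + written + i * bpp, cur, bpp);
            cur += bpp;
        } else {
            return -1; /* unknown opcode: reject rather than guess */
        }
        written += out_bytes;
    }
    return (int)(written / bpp);
}

int main(void)
{
    uint8_t out[64];
    /* constructed well-formed stream, 2 bytes per pixel: 3 repeats + 2 literals */
    const uint8_t good[] = {0x02, 0x03, 0xAA, 0xBB,
                            0x01, 0x02, 0x01, 0x02, 0x03, 0x04};
    /* constructed truncated stream: claims 16 literal pixels, supplies 1 byte */
    const uint8_t bad[] = {0x01, 0x10, 0x00};

    printf("good -> %d pixels\n", rle_decode_checked(good, sizeof good, 2, out, sizeof out));
    printf("bad  -> %d (rejected)\n", rle_decode_checked(bad, sizeof bad, 2, out, sizeof out));
    return 0;
}
```

The truncated stream is exactly the shape of input an untrusted server could send: the length byte promises more pixel data than the packet carries. Without the `src_has()` check before the literal copy, the decoder would read 31 bytes beyond the end of `bad`; with it, the decoder returns -1 and the caller can drop the bitmap update.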
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1849 https://access.redhat.com/errata/RHSA-2021:1849
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-4033