Bug 1854895 (CVE-2020-4030) - CVE-2020-4030 freerdp: out of bounds read in TrioParse
Summary: CVE-2020-4030 freerdp: out of bounds read in TrioParse
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-4030
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1854896 1854897 1855913 1855914
Blocks: 1854906
TreeView+ depends on / blocked
 
Reported: 2020-07-08 12:21 UTC by Dhananjay Arunesh
Modified: 2021-05-18 20:34 UTC (History)
4 users (show)

Fixed In Version: freerdp 2.1.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 20:34:15 UTC
Embargoed:


Attachments (Terms of Use)

Description Dhananjay Arunesh 2020-07-08 12:21:46 UTC
In FreeRDP before version 2.1.2, there is an out of bounds read in TrioParse. Logging might bypass string length checks due to an integer overflow. This is fixed in version 2.1.2.

References:
http://www.freerdp.com/2020/06/22/2_1_2-released
https://github.com/FreeRDP/FreeRDP/commit/05cd9ea2290d23931f615c1b004d4b2e69074e27
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fjr5-97f5-qq98

Comment 1 Dhananjay Arunesh 2020-07-08 12:22:57 UTC
Created freerdp tracking bugs for this issue:

Affects: epel-all [bug 1854897]
Affects: fedora-all [bug 1854896]

Comment 2 Todd Cullum 2020-07-10 04:35:31 UTC
Technical summary:

The TrioWriteString() and trio_register() routines of winpr/libwinpr/utils/trio/trio.c had bad checks of namespace size which allowed an integer overflow that could cause an out-of-bounds read later in the code, when TrioFindNamespace() was called. These routines are used for logging in both freerdp clients and servers.

Comment 5 errata-xmlrpc 2021-05-18 15:34:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1849 https://access.redhat.com/errata/RHSA-2021:1849

Comment 6 Product Security DevOps Team 2021-05-18 20:34:15 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-4030


Note You need to log in before you can comment on or make changes to this bug.