In FreeRDP before version 2.1.2, there is an out of bounds read in TrioParse. Logging might bypass string length checks due to an integer overflow. This is fixed in version 2.1.2. References: http://www.freerdp.com/2020/06/22/2_1_2-released https://github.com/FreeRDP/FreeRDP/commit/05cd9ea2290d23931f615c1b004d4b2e69074e27 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fjr5-97f5-qq98
Created freerdp tracking bugs for this issue: Affects: epel-all [bug 1854897] Affects: fedora-all [bug 1854896]
Technical summary: The TrioWriteString() and trio_register() routines of winpr/libwinpr/utils/trio/trio.c had bad checks of namespace size which allowed an integer overflow that could cause an out-of-bounds read later in the code, when TrioFindNamespace() was called. These routines are used for logging in both freerdp clients and servers.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1849 https://access.redhat.com/errata/RHSA-2021:1849
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-4030