FreeRDP 2.0.0-rc3 contains an out of bounds read vulnerability in drdynvc_process_capability_request function in channels/drdynvc/client/drdynvc_main.c file. To exploit this RDPClient must connect to the rdp server with the echo option. This can lead to a two-byte outbound reading from the client memory.
Created freerdp tracking bugs for this issue:
Affects: epel-6 [bug 1661641]
Affects: fedora-28 [bug 1661642]
Created freerdp1.2 tracking bugs for this issue:
Affects: fedora-all [bug 1661643]
The same memory disclosure seems to be present in freerdp-1.0.2, though it's contained entirely in the drdynvc_process_capability_request function. There does not seem to be any Availability impact, as it's a small read beyond the end of a heap buffer.