In FreeRDP before 2.1.0, there is an out-of-bound read in irp functions (parallel_process_irp_create, serial_process_irp_create, drive_process_irp_write, printer_process_irp_write, rdpei_recv_pdu, serial_process_irp_write). This has been fixed in 2.1.0. Reference: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hfc7-c5gv-8c2h Upstream commits: https://github.com/FreeRDP/FreeRDP/commit/6b485b146a1b9d6ce72dfd7b5f36456c166e7a16 https://github.com/FreeRDP/FreeRDP/commit/795842f4096501fcefc1a7f535ccc8132feb31d7
Created freerdp tracking bugs for this issue: Affects: epel-6 [bug 1844187] Affects: fedora-all [bug 1844186] Created freerdp1.2 tracking bugs for this issue: Affects: epel-7 [bug 1844188] Affects: fedora-all [bug 1844185]
Mitigation: The vulnerability is associated with the use of the command line options: /drive, +multitouch, /paralell, /printer, and /servial. To mitigate this vulnerability, do not use these commands.
Technical Summary: The affected components do not check to ensure that data is not read past the end of the stream buffer. The patch uses Stream_SafeSeek() and Stream_GetRemainingLength() to prevent this, before reading from the stream. This vulnerability affects the freerdp client application.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4031 https://access.redhat.com/errata/RHSA-2020:4031
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11089
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4647 https://access.redhat.com/errata/RHSA-2020:4647