In FreeRDP before version 2.1.2, an out-of-bounds read occurs, resulting in access to a memory location that is outside the boundaries of the static array PRIMARY_DRAWING_ORDER_FIELD_BYTES. This is fixed in version 2.1.2. References: http://www.freerdp.com/2020/06/22/2_1_2-released https://github.com/FreeRDP/FreeRDP/commit/733ee3208306b1ea32697b356c0215180fc3f049 https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-563r-pvh7-4fw2
Created freerdp tracking bugs for this issue: Affects: epel-all [bug 1854853] Affects: fedora-all [bug 1854852]
In libfreerdp/core/update.c's update_write_order_info() and update_prepare_order_info(), and libfreerdp/core/orders.c's update_recv_primary_order(), it was possible for update->primary to be outside the bounds of the PRIMARY_DRAWING_ORDER_FIELD_BYTES static array, referenced with PRIMARY_DRAWING_ORDER_FIELD_BYTES[orderInfo->orderType], which could cause an out-of-bounds read due to lack of bounds checking. The patch replaces the static array with a getter function that uses a switch-case to prevent this.
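The pattern described in the comment above, as an added C example that is not FreeRDP's code and not part of the original report: a table indexed directly by a peer-supplied order type, next to a switch-based getter that rejects unknown types. The table and its values, the function names and the simplified header layout (one order-type byte followed by little-endian field-flag bytes) are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed table (illustrative values): field-flag byte count per order type. */
const uint8_t FIELD_BYTES[8] = { 1, 2, 1, 0, 0, 0, 0, 1 };

/* Before: the index comes straight from the peer. Any order_type >= 8
 * reads past the end of the array. Kept only for contrast. */
uint8_t field_bytes_unchecked(uint8_t order_type)
{
    return FIELD_BYTES[order_type];
}

/* After: a getter with a switch. Unknown types are rejected, never indexed. */
bool field_bytes_checked(uint8_t order_type, uint8_t *out)
{
    switch (order_type) {
    case 0: case 2: case 7: *out = 1; return true;
    case 1:                 *out = 2; return true;
    default:                return false;
    }
}

/* Hypothetical header parser: 0 = ok, -1 = unknown order type, -2 = truncated. */
int parse_order_header(const uint8_t *buf, size_t len, uint32_t *field_flags)
{
    uint8_t nbytes = 0;
    if (len < 1)
        return -2;
    if (!field_bytes_checked(buf[0], &nbytes))
        return -1;                      /* reject before any table lookup */
    if (len - 1 < nbytes)
        return -2;                      /* flag bytes must fit in the buffer */
    *field_flags = 0;
    for (uint8_t i = 0; i < nbytes; i++)
        *field_flags |= (uint32_t)buf[1 + i] << (8 * i);
    return 0;
}

int main(void)
{
    const uint8_t ok[] = { 0x01, 0x34, 0x12 };  /* constructed input */
    const uint8_t bad[] = { 0xFF, 0x00, 0x00 }; /* constructed input */
    uint32_t flags = 0;
    printf("ok  -> %d\n", parse_order_header(ok, sizeof ok, &flags));
    printf("bad -> %d\n", parse_order_header(bad, sizeof bad, &flags));
    return 0;
}
```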
The flaw is present in libfreerdp-core/orders.c for freerdp-1.0.2. Note this flaw applies to the freerdp CLIENT code.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1849 https://access.redhat.com/errata/RHSA-2021:1849
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11095