In FreeRDP before version 2.1.2, there is an out of bounds read in TrioParse. Logging might bypass string length checks due to an integer overflow. This is fixed in version 2.1.2.
Created freerdp tracking bugs for this issue:
Affects: epel-all [bug 1854897]
Affects: fedora-all [bug 1854896]
The TrioWriteString() and trio_register() routines of winpr/libwinpr/utils/trio/trio.c had bad checks of namespace size which allowed an integer overflow that could cause an out-of-bounds read later in the code, when TrioFindNamespace() was called. These routines are used for logging in both freerdp clients and servers.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:1849 https://access.redhat.com/errata/RHSA-2021:1849
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):