Bug 1854876 (CVE-2020-4033) - CVE-2020-4033 freerdp: out-of-bounds read in RLEDECOMPRESS
Summary: CVE-2020-4033 freerdp: out-of-bounds read in RLEDECOMPRESS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-4033
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1854886 1854887 1855909 1855910
Blocks: 1854906
TreeView+ depends on / blocked
 
Reported: 2020-07-08 11:54 UTC by Dhananjay Arunesh
Modified: 2021-05-18 20:34 UTC (History)
4 users (show)

Fixed In Version: freerdp 2.1.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 20:34:12 UTC
Embargoed:


Attachments (Terms of Use)

Description Dhananjay Arunesh 2020-07-08 11:54:47 UTC
In FreeRDP before version 2.1.2, there is an out of bounds read in RLEDECOMPRESS. All FreeRDP based clients with sessions with color depth < 32 are affected. This is fixed in version 2.1.2.

References:
http://www.freerdp.com/2020/06/22/2_1_2-released
https://github.com/FreeRDP/FreeRDP/commit/0a98c450c58ec150e44781c89aa6f8e7e0f571f5
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7rhj-856w-82p8

Comment 1 Dhananjay Arunesh 2020-07-08 12:14:47 UTC
Created freerdp tracking bugs for this issue:

Affects: epel-all [bug 1854887]
Affects: fedora-all [bug 1854886]

Comment 2 Todd Cullum 2020-07-09 22:48:43 UTC
Moved to low since this only affects the client, there's a mitigation, and the out-of-bounds read is very limited.

Comment 3 Todd Cullum 2020-07-09 22:49:20 UTC
Mitigation:

Set the color depth to 32 with the client commandline option: /bpp:32.

Comment 4 Todd Cullum 2020-07-09 22:56:44 UTC
Technical summary:

In libfreerdp/codec/include/bitmap.c's RLEDECOMPRESS(), the SRCREADPIXEL() and SRCNEXTPIXEL() routines could read data past the end of the source buffer due to a lack of bounds checking. This flaw is possible because although the while loop checks the bounds of the buffer, inside of the loop, there is the code pbSrc = pbSrc + advance which could cause an overread before reaching the next iteration/comparison in the while loop. This flaw affects freerdp CLIENTs. The patch simply adds a couple lines to ensure data is not read past the end of the buffer.

Comment 5 Todd Cullum 2020-07-09 23:02:17 UTC
This flaw could be exploited by an rdp server sending bogus data in the RLE compressed bitmap stream, which is used to determine the advance length mentioned above.

Comment 6 Todd Cullum 2020-07-09 23:05:53 UTC
Note that in freerdp-1.0.2 the flaw exists in the file libfreerdp-codec/include/bitmap.c. However, as this is Low, it is currently out of support scope for RHEL-6 and will not be patched.

Comment 8 errata-xmlrpc 2021-05-18 15:34:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1849 https://access.redhat.com/errata/RHSA-2021:1849

Comment 9 Product Security DevOps Team 2021-05-18 20:34:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-4033


Note You need to log in before you can comment on or make changes to this bug.