2236759 – (CVE-2023-39356) CVE-2023-39356 freerdp: missing offset validation leading to Out-of-Bounds Read in gdi_multi_opaque_rect

Bug 2236759 (CVE-2023-39356) - CVE-2023-39356 freerdp: missing offset validation leading to Out-of-Bounds Read in gdi_multi_opaque_rect

Summary: CVE-2023-39356 freerdp: missing offset validation leading to Out-of-Bounds Re...

Keywords:
Status:	NEW
Alias:	CVE-2023-39356
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2236760 2236761
Blocks:	2236652
TreeView+	depends on / blocked

Reported:	2023-09-01 13:05 UTC by Marian Rehak
Modified:	2024-04-30 09:48 UTC (History)
CC List:	3 users (show)
Fixed In Version:	freerdp 2.11.0, freerdp 3.0.0-beta3
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in FreeRDP. Looping through `multi_opaque_rect->`numRectangles without proper boundary checks can lead to a heap-buffer-overflow, which may result in a crash.
Clone Of:
Environment:
Last Closed:
Embargoed:
Flags:	pajung: needinfo-

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:2208	0	None	None	None	2024-04-30 09:48:51 UTC

Description Marian Rehak 2023-09-01 13:05:12 UTC

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a missing offset validation may lead to an Out Of Bound Read in the function `gdi_multi_opaque_rect`. In particular there is no code to validate if the value `multi_opaque_rect->numRectangles` is less than 45. Looping through `multi_opaque_rect->`numRectangles without proper boundary checks can lead to Out-of-Bounds Read errors which will likely lead to a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.


https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5v5-qhj5-mh6m
https://github.com/FreeRDP/FreeRDP/blob/63a2f65618748c12f79ff7450d46c6e194f2db76/libfreerdp/gdi/gdi.c#L723C1-L758
https://github.com/FreeRDP/FreeRDP/blob/63a2f65618748c12f79ff7450d46c6e194f2db76/libfreerdp/core/orders.c#L1503-L1504
https://github.com/FreeRDP/FreeRDP/blob/63a2f65618748c12f79ff7450d46c6e194f2db76/include/freerdp/primary.h#L186-L196

Comment 4 errata-xmlrpc 2024-04-30 09:48:50 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2208 https://access.redhat.com/errata/RHSA-2024:2208

Note You need to log in before you can comment on or make changes to this bug.