freerdp-2.1.1-5.0.1.el7.AXS7
Errata ID: AXSA:2024-8644:02
The following items have been addressed.
[Security Fix]
- FreeRDP contains an out-of-bounds memory write caused by flawed
checking of an internal variable, which allows a remote attacker to
cause a denial of service (crash). (CVE-2023-39352)
- libfreerdp/codec/rfx.c in FreeRDP contains an out-of-bounds memory
read caused by a missing offset check, which allows a remote attacker
to cause a denial of service (crash) via crafted input.
(CVE-2023-39353)
- The gdi_multi_opaque_rect() function in FreeRDP contains an
out-of-bounds memory read caused by a missing check of an internal
variable, which allows a remote attacker to cause a denial of service
(crash). (CVE-2023-39356)
- The zgfx_decompress_segment() function in FreeRDP contains an
out-of-bounds memory read caused by an integer underflow, which allows
a remote attacker to cause a denial of service. (CVE-2023-40181)
- The gdi_CreateSurface() function in FreeRDP contains an out-of-bounds
memory write caused by an integer overflow, which allows a remote
attacker to corrupt memory. (CVE-2023-40186)
- The general_LumaToYUV444() function in FreeRDP contains an
out-of-bounds memory read caused by flawed checking of a data length,
which allows a remote attacker to cause a denial of service (crash).
(CVE-2023-40188)
- The clear_decompress_bands_data() function in FreeRDP contains an
out-of-bounds memory write caused by a missing offset validation,
which allows a remote attacker to corrupt memory. (CVE-2023-40567)
- The progressive_decompress() function in FreeRDP contains an
out-of-bounds memory write caused by flawed calculation of internal
variables, which allows a remote attacker to corrupt memory and cause
a denial of service. (CVE-2023-40569)
- The freerdp_bitmap_planar_context_reset() function in the FreeRDP
client functionality contains a heap buffer overflow caused by an
integer overflow, which allows a remote attacker to cause a denial of
service by using crafted RDPGFX_RESET_GRAPHICS_PDU data to make the
client allocate a buffer that is too small. (CVE-2024-22211)
- The rfx_process_message_tileset() function in the RemoteFX handling
of FreeRDP contains a NULL pointer dereference, which allows a remote
attacker to cause a denial of service (crash). (CVE-2023-39351)
- FreeRDP contains an integer underflow caused by flawed checking of a
data length, which allows a remote attacker to cause a denial of
service. (CVE-2023-39350)
- The ncrush_decompress() function in FreeRDP contains a buffer
overflow, which allows a remote attacker to cause a denial of service
(crash) via crafted input. (CVE-2023-40589)
Please update the packages.
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. This issue affects Clients only. Integer underflow leading to DOS (e.g. abort due to `WINPR_ASSERT` with default compilation flags). When an insufficient blockLen is provided, and proper length validation is not performed, an Integer Underflow occurs, leading to a Denial of Service (DOS) vulnerability. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions of FreeRDP are subject to a Null Pointer Dereference leading to a crash in the RemoteFX (rfx) handling. Inside the `rfx_process_message_tileset` function, the program allocates tiles using `rfx_allocate_tiles` for the number of numTiles. If the initialization process of tiles is not completed for various reasons, tiles will have a NULL pointer, which may be accessed in further processing and would cause a program crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an invalid offset validation leading to Out Of Bound Write. This can be triggered when the values `rect->left` and `rect->top` are exactly equal to `surface->width` and `surface->height`, e.g. `rect->left == surface->width && rect->top == surface->height`. In practice this should cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to a missing offset validation leading to Out Of Bound Read. In the `libfreerdp/codec/rfx.c` file there is no offset validation in `tile->quantIdxY`, `tile->quantIdxCb`, and `tile->quantIdxCr`. As a result crafted input can lead to an out of bounds read access which in turn will cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a missing offset validation may lead to an Out Of Bound Read in the function `gdi_multi_opaque_rect`. In particular there is no code to validate if the value `multi_opaque_rect->numRectangles` is less than 45. Looping through `multi_opaque_rect->numRectangles` without proper boundary checks can lead to Out-of-Bounds Read errors which will likely lead to a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Integer-Underflow leading to Out-Of-Bound Read in the `zgfx_decompress_segment` function. In the context of `CopyMemory`, it's possible to read data beyond the transmitted packet range and likely cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an IntegerOverflow leading to Out-Of-Bound Write Vulnerability in the `gdi_CreateSurface` function. This issue affects FreeRDP based clients only. FreeRDP proxies are not affected as image decoding is not done by a proxy. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Read in the `general_LumaToYUV444` function. This Out-Of-Bounds Read occurs because processing is done on the `in` variable without checking if it contains data of sufficient length. Insufficient data for the `in` variable may cause errors or crashes. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Write in the `clear_decompress_bands_data` function in which there is no offset validation. Abuse of this vulnerability may lead to an out of bounds write. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Write in the `progressive_decompress` function. This issue is likely down to incorrect calculations of the `nXSrc` and `nYSrc` variables. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions there is a Global-Buffer-Overflow in the `ncrush_decompress` function. Feeding crafted input into this function can trigger the overflow which has only been shown to cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.
FreeRDP is a set of free and open source remote desktop protocol library and clients. In affected versions an integer overflow in `freerdp_bitmap_planar_context_reset` leads to heap-buffer overflow. This affects FreeRDP based clients. FreeRDP based server implementations and proxy are not affected. A malicious server could prepare a `RDPGFX_RESET_GRAPHICS_PDU` to allocate too small buffers, possibly triggering later out of bound read/write. Data extraction over network is not possible, the buffers are used to display an image. This issue has been addressed in version 2.11.5 and 3.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
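Two defect classes recur in the descriptions above: an offset check that accepts `rect->left == surface->width` (one past the last valid position), and a width-by-height size computation that wraps and yields a buffer that is too small. The following C sketch is an added illustration of both checks, not FreeRDP's code or its actual patch; the types `surface_t` and `rect_t` and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical types for illustration; these are not FreeRDP's definitions. */
typedef struct { uint32_t width, height; } surface_t;
typedef struct { uint32_t left, top, right, bottom; } rect_t; /* right/bottom exclusive */

/* Byte size of a width x height buffer at bpp bytes per pixel. Fails instead
 * of wrapping when the result would not fit a 32-bit length. */
bool surface_buffer_size(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    uint64_t pixels = (uint64_t)width * height; /* 32x32-bit product fits in 64 bits */
    if (width == 0 || height == 0 || bpp == 0)
        return false;
    if (pixels > UINT32_MAX / bpp)
        return false;
    *out = (size_t)(pixels * bpp);
    return true;
}

/* Flawed: "<=" accepts left == width and top == height, an origin one
 * column and one row past the last valid pixel. */
bool rect_check_flawed(const surface_t *s, const rect_t *r)
{
    return r->left <= s->width && r->top <= s->height;
}

/* Strict: origin inside the surface, non-empty, far edges within bounds. */
bool rect_check_strict(const surface_t *s, const rect_t *r)
{
    if (r->left >= s->width || r->top >= s->height)
        return false;
    if (r->right <= r->left || r->bottom <= r->top)
        return false;
    return r->right <= s->width && r->bottom <= s->height;
}

int main(void)
{
    surface_t s = { 64, 64 };
    rect_t edge = { 64, 64, 64, 64 }; /* constructed edge case from the description */
    size_t n = 0;
    /* 65536 * 65536 * 4 wraps to 0 in 32-bit arithmetic; the checked helper refuses it. */
    bool ok = rect_check_flawed(&s, &edge) && !rect_check_strict(&s, &edge) &&
              !surface_buffer_size(65536u, 65536u, 4u, &n) &&
              surface_buffer_size(1920u, 1080u, 4u, &n) && n == 8294400u;
    return ok ? 0 : 1;
}
```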
N/A
Asianux Server 7 for x86_64
- freerdp-2.1.1-5.0.1.el7.AXS7.x86_64.rpm
MD5: c4a3e83601232a54e88405ba7ddbb9d1
SHA-256: 753e2ad596967cb889ae22eeec6675fa8f838e88c7e9a33af7b92a4f119c7552
Size: 104.96 kB
- freerdp-libs-2.1.1-5.0.1.el7.AXS7.i686.rpm
MD5: 61cff460ea8111019409a9b2c25365a0
SHA-256: 5942c32aa644a247ac2da434fa47a675402715ffe64149e28d6f6c34218df1a8
Size: 813.71 kB
- freerdp-libs-2.1.1-5.0.1.el7.AXS7.x86_64.rpm
MD5: e221e22e98d4e4b069648741bf2154ec
SHA-256: 7ae4fea7904f250ba22148dcba0ef20239113848c86933fe576a461d260153f1
Size: 857.15 kB
- libwinpr-2.1.1-5.0.1.el7.AXS7.i686.rpm
MD5: dfac29374a0eb37e52c5653042246a62
SHA-256: b8dbbfbfe414e2ccbb730278ad99a2f46fa2713d1cea4d22f4038c6322a6e0cc
Size: 333.13 kB
- libwinpr-2.1.1-5.0.1.el7.AXS7.x86_64.rpm
MD5: 01841d9787f63d64f9873ecb267ce1b3
SHA-256: 773fd42c553e87121e5582b4660a66b636af1d2e8f9dc958eeb3645fe3330c03
Size: 346.41 kB
- libwinpr-devel-2.1.1-5.0.1.el7.AXS7.i686.rpm
MD5: 09bd207f0f8d2fc2f10388b8ef782c99
SHA-256: bf17c5ebc537ba064756768ecbbe3dbf0c7b2fa8697a25e70ab68f2942c03cd5
Size: 168.69 kB
- libwinpr-devel-2.1.1-5.0.1.el7.AXS7.x86_64.rpm
MD5: 509f66846a01d59923f80ecd106464f5
SHA-256: fb8761b5ed9b619777f709cfdbbb04e15faad8b7f512ea89c962d49e6683c764
Size: 168.67 kB