freerdp-2.11.7-1.el9_7.3
エラータID: AXSA:2026-391:09
リリース日:
2026/04/02 Thursday - 19:13
題名:
freerdp-2.11.7-1.el9_7.3
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- FreeRDP には、ヒープベースのバッファオーバーフローの問題が
あるため、リモートの攻撃者により、情報の漏洩、データ破壊、および
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2026-26955)
- FreeRDP には、メモリ領域の範囲外書き込みの問題があるため、
リモートの攻撃者により、任意のコードの実行を可能とする脆弱性が
存在します。(CVE-2026-26965)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2026-26955
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command — full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a malicious RDP server can trigger a heap buffer overflow in FreeRDP clients using the GDI surface pipeline (e.g., `xfreerdp`) by sending an RDPGFX ClearCodec surface command with an out-of-bounds destination rectangle. The `gdi_SurfaceCommand_ClearCodec()` handler does not call `is_within_surface()` to validate the command rectangle against the destination surface dimensions, allowing attacker-controlled `cmd->left`/`cmd->top` (and subcodec rectangle offsets) to reach image copy routines that write into `surface->data` without bounds enforcement. The OOB write corrupts an adjacent `gdiGfxSurface` struct's `codecs*` pointer with attacker-controlled pixel data, and corruption of `codecs*` is sufficient to reach an indirect function pointer call (`NSC_CONTEXT.decode` at `nsc.c:500`) on a subsequent codec command — full instruction pointer (RIP) control demonstrated in exploitability harness. Users should upgrade to version 3.23.0 to receive a patch.
CVE-2026-26965
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop ≤ 128×128), an adjacent `NSC_CONTEXT` struct's `decode` function pointer is overwritten with attacker-controlled pixel data — control-flow–relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc->decode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, in the RLE planar decode path, `planar_decompress_plane_rle()` writes into `pDstData` at `((nYDst+y) * nDstStep) + (4*nXDst) + nChannel` without verifying that `(nYDst+nSrcHeight)` fits in the destination height or that `(nXDst+nSrcWidth)` fits in the destination stride. When `TempFormat != DstFormat`, `pDstData` becomes `planar->pTempData` (sized for the desktop), while `nYDst` is only validated against the **surface** by `is_within_surface()`. A malicious RDP server can exploit this to perform a heap out-of-bounds write with attacker-controlled offset and pixel data on any connecting FreeRDP client. The OOB write reaches up to 132,096 bytes past the temp buffer end, and on the brk heap (desktop ≤ 128×128), an adjacent `NSC_CONTEXT` struct's `decode` function pointer is overwritten with attacker-controlled pixel data — control-flow–relevant corruption (function pointer overwritten) demonstrated under deterministic heap layout (`nsc->decode = 0xFF414141FF414141`). Version 3.23.0 fixes the vulnerability.
追加情報:
N/A
ダウンロード:
SRPMS
- freerdp-2.11.7-1.el9_7.3.src.rpm
MD5: 463a215d0268bcf7062462b65cd27977
SHA-256: 0cb9b6aaae4773ed6df9fc1bd77ae2293c837af1f7fd8278cb72155461c11ff0
Size: 7.01 MB
Asianux Server 9 for x86_64
- freerdp-2.11.7-1.el9_7.3.x86_64.rpm
MD5: bdd76c66300c9a5618afd340c4085224
SHA-256: 620e5b4edecfd988ce22cfbfcd702fbcec383727793a5cf3d2f5e2206ccf7a8b
Size: 110.85 kB - freerdp-devel-2.11.7-1.el9_7.3.i686.rpm
MD5: 5ba5b1c45c82a54f59306d712d9bc0ed
SHA-256: ffaf7fb3461c44b9dc9dabd3df606f5c79e3c70dc83787e679a86ec05a79650c
Size: 175.43 kB - freerdp-devel-2.11.7-1.el9_7.3.x86_64.rpm
MD5: da6cda66093f4f9331d2dcd43f1f30e4
SHA-256: a2cfb6fdb4742c3cde106f8fa7be78fff90a6b40c5bbdf1899f67a95a041100b
Size: 175.49 kB - freerdp-libs-2.11.7-1.el9_7.3.i686.rpm
MD5: a30d8605973582791a5da0a2a370b6de
SHA-256: 69fc95d0470286c22fef32dd0009a32cc0fb252ca85d6551dd8dc2e93dceb5df
Size: 849.20 kB - freerdp-libs-2.11.7-1.el9_7.3.x86_64.rpm
MD5: 001803da3743eef48555bb556df39ab7
SHA-256: fe71b70c670daeda71f0020aafb9b3b487390196d7f11deff0a9945e469f5e58
Size: 904.60 kB - libwinpr-2.11.7-1.el9_7.3.i686.rpm
MD5: c40200667642c92de65dc4bc91e7f1d5
SHA-256: cce76848a96df34222154fbdbcba2ab5cad00f14e5b5418b79e947aa70277c5a
Size: 340.42 kB - libwinpr-2.11.7-1.el9_7.3.x86_64.rpm
MD5: 13199683ec834d09ca5914b2adb7f479
SHA-256: 0f047d8094746dcc787e696c1a8b6fd03baa2126e73025579a53de0099543312
Size: 354.79 kB - libwinpr-devel-2.11.7-1.el9_7.3.i686.rpm
MD5: 37afe6bbd13e85d3563f4e151563ecc0
SHA-256: 85298d2ca2c90084a428def0dc74115cd8e1fe6c2f41b7a6f69bff5e9c409c0a
Size: 181.31 kB - libwinpr-devel-2.11.7-1.el9_7.3.x86_64.rpm
MD5: 14913cbda95dfa858d37c1eb13ce1266
SHA-256: 589c921a39c5173ae67c4a320c896b1fb2f3a94e36549ed1f644338e9a1646d8
Size: 181.28 kB
English