Bug 819534 (CVE-2021-41159, CVE-2021-41160)

Summary:	<net-misc/freerdp-2.4.1: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	floppym
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:	820050
Bug Blocks:

Description John Helmert III archtester

2021-10-22 21:54:29 UTC

CVE-2021-41159 (https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vh34-m9h7-95xq):

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. All FreeRDP clients prior to version 2.4.1 using gateway connections (`/gt:rpc`) fail to validate input data. A malicious gateway might allow client memory to be written out of bounds. This issue has been resolved in version 2.4.1. If you are unable to update then use `/gt:http` rather than /gt:rdp connections if possible or use a direct connection without a gateway.

CVE-2021-41160 (https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7c9r-6r2q-93qg):

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a malicious server might trigger out of bound writes in a connected client. Connections using GDI or SurfaceCommands to send graphics updates to the client might send `0` width/height or out of bound rectangles to trigger out of bound writes. With `0` width or heigth the memory allocation will be `0` but the missing bounds checks allow writing to the pointer at this (not allocated) region. This issue has been patched in FreeRDP 2.4.1.


Please bump.

Comment 1 Sam James archtester

2021-10-24 04:58:43 UTC

If you can, please remember to file/tag security bugs if you can when bumping or if you notice CVEs in the release notes

Please file a stablereq when ready

Comment 2 Mike Gilbert gentoo-dev

2021-10-24 06:50:11 UTC

There's a compiler warning I would like to resolve before stabilizing 2.4.1.

https://github.com/FreeRDP/FreeRDP/issues/7396

Comment 3 John Helmert III archtester

2021-10-28 19:54:54 UTC

Please cleanup

Comment 4 Larry the Git Cow gentoo-dev

2021-10-31 21:41:21 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a9e5d89979dafa0a40c504d193c430b42785c5e6

commit a9e5d89979dafa0a40c504d193c430b42785c5e6
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2021-10-31 21:40:41 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2021-10-31 21:40:41 +0000

    net-misc/freerdp: drop 2.3.2
    
    Bug: https://bugs.gentoo.org/819534
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 net-misc/freerdp/Manifest                          |   1 -
 net-misc/freerdp/files/freerdp-2-openssl-3.0.patch |  61 ----------
 ...dp-2.4.0-TestUnicodeConversion-big-endian.patch |  28 -----
 net-misc/freerdp/freerdp-2.3.2.ebuild              | 123 ---------------------
 4 files changed, 213 deletions(-)

Comment 5 John Helmert III archtester

2022-10-21 00:47:49 UTC

GLSA request filed.

Comment 6 Larry the Git Cow gentoo-dev

2022-10-31 01:42:14 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=70650b727185312fc1ae0b5c29dbfcd482232bdb

commit 70650b727185312fc1ae0b5c29dbfcd482232bdb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:17:11 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:16 +0000

    [ GLSA 202210-24 ] FreeRDP: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/819534
    Bug: https://bugs.gentoo.org/842231
    Bug: https://bugs.gentoo.org/876905
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-24.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

Comment 7 John Helmert III archtester

2022-10-31 02:18:42 UTC

GLSA released, all done!