{"id":"MGASA-2023-0318","summary":"Updated freerdp packages fix security vulnerabilities","details":"This issue affects Clients only:  Integer underflow leading to DOS (e.g.\nabort due to `WINPR_ASSERT` with default compilation flags). When an\ninsufficient blockLen is provided, and proper length validation is not\nperformed, an Integer Underflow occurs, leading to a Denial of Service\n(DOS) vulnerability. (CVE-2023-39350)\n\n\nAffected versions of FreeRDP are subject to a Null Pointer Dereference\nleading a crash in the RemoteFX (rfx) handling. Inside the\n`rfx_process_message_tileset` function, the program allocates tiles\nusing `rfx_allocate_tiles` for the number of numTiles. If the\ninitialization process of tiles is not completed for various reasons,\ntiles will have a NULL pointer. Which may be accessed in further\nprocessing and would cause a program crash. (CVE-2023-39351)\n\nAffected versions are subject to a missing offset validation leading to\nOut Of Bound Read. In the `libfreerdp/codec/rfx.c` file there is no offset validation in `tile-\u003equantIdxY`, `tile-\u003equantIdxCb`, and\n`tile-\u003equantIdxCr`. As a result crafted input can lead to an out of\nbounds read access which in turn will cause a crash. (CVE-2023-39353)\n\nAffected versions are subject to an Out-Of-Bounds Read in the\n`nsc_rle_decompress_data` function. The Out-Of-Bounds Read occurs\nbecause it processes `context-\u003ePlanes` without checking if it contains\ndata of sufficient length. Should an attacker be able to leverage this\nvulnerability they may be able to cause a crash. (CVE-2023-39354)\n\nAffected versions are subject to an Integer-Underflow leading to\nOut-Of-Bound Read in the `zgfx_decompress_segment` function. In the\ncontext of `CopyMemory`, it's possible to read data beyond the\ntransmitted packet range and likely cause a crash. (CVE-2023-40181)\n\nAffected versions are subject to an IntegerOverflow leading to\nOut-Of-Bound Write Vulnerability in the `gdi_CreateSurface` function.\nThis issue affects FreeRDP based clients only. FreeRDP proxies are not\naffected as image decoding is not done by a proxy. (CVE-2023-40186)\n\nAffected versions are subject to an Out-Of-Bounds Read in the\n`general_LumaToYUV444` function. This Out-Of-Bounds Read occurs because\nprocessing is done on the `in` variable without checking if it contains\ndata of sufficient length. Insufficient data for the `in` variable may\ncause errors or crashes. (CVE-2023-40188)\n\nAffected versions are subject to an Out-Of-Bounds Write in the\n`clear_decompress_bands_data` function in which there is no offset\nvalidation. Abuse of this vulnerability may lead to an out of bounds\nwrite. (CVE-2023-40567)\n\nAffected versions are subject to an Out-Of-Bounds Write in the\n`progressive_decompress` function. This issue is likely down to\nincorrect calculations of the `nXSrc` and `nYSrc` variables.\n(CVE-2023-40569)\n\nIn affected versions there is a Global-Buffer-Overflow in the\nncrush_decompress function. Feeding crafted input into this function can\ntrigger the overflow which has only been shown to cause a crash.\n(CVE-2023-40589)\n","modified":"2026-02-04T03:11:04.040368Z","published":"2023-11-15T11:35:09Z","related":["CVE-2023-39350","CVE-2023-39351","CVE-2023-39353","CVE-2023-39354","CVE-2023-40181","CVE-2023-40186","CVE-2023-40188","CVE-2023-40567","CVE-2023-40569","CVE-2023-40589"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2023-0318.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=32360"},{"type":"REPORT","url":"https://ubuntu.com/security/notices/USN-6401-1"}],"affected":[{"package":{"name":"freerdp","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/freerdp?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.9.0-1.2.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0318.json"}},{"package":{"name":"freerdp","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/freerdp?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.10.0-2.1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2023-0318.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}