In FreeRDP less than or equal to 2.1.2, an integer overflow exists due to missing input sanitation in rdpegfx channel. All FreeRDP clients are affected. The input rectangles from the server are not checked against local surface coordinates and blindly accepted. A malicious server can send data that will crash the client later on (invalid length arguments to a `memcpy`) This has been fixed in 2.2.0. As a workaround, stop using command line arguments /gfx, /gfx-h264 and /network:auto
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
History
21 Nov 2024, 05:04
Type | Values Removed | Values Added |
---|---|---|
References | () http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00010.html - Mailing List, Third Party Advisory | |
References | () https://github.com/FreeRDP/FreeRDP/blob/616af2d5b86dc24c7b3e89870dbcffd841d9a535/ChangeLog#L4 - Release Notes, Third Party Advisory | |
References | () https://github.com/FreeRDP/FreeRDP/pull/6382 - Patch, Third Party Advisory | |
References | () https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4r38-6hq7-j3j9 - Third Party Advisory | |
References | () https://lists.debian.org/debian-lts-announce/2023/10/msg00008.html - Mailing List, Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y35HBHG2INICLSGCIKNAR7GCXEHQACQ/ - | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOZLH35OJWIQLM7FYDXAP2EAUBDXE76V/ - | |
References | () https://usn.ubuntu.com/4481-1/ - Third Party Advisory |
07 Nov 2023, 03:17
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
20 Oct 2023, 19:26
Type | Values Removed | Values Added |
---|---|---|
First Time |
Debian debian Linux
Debian |
|
CPE | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:esm:*:*:* |
|
References | (MLIST) https://lists.debian.org/debian-lts-announce/2023/10/msg00008.html - Mailing List, Third Party Advisory |
07 Oct 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
CWE | CWE-680 |
Information
Published : 2020-07-27 18:15
Updated : 2024-11-21 05:04
NVD link : CVE-2020-15103
Mitre link : CVE-2020-15103
CVE.ORG link : CVE-2020-15103
JSON object : View
Products Affected
fedoraproject
- fedora
debian
- debian_linux
freerdp
- freerdp
opensuse
- leap
canonical
- ubuntu_linux