Vulnerability CVE-2022-39316: Information

Description

FreeRDP is a free remote desktop protocol library and set of clients. In affected versions there is an out-of-bounds read in the ZGFX decoder component of FreeRDP. A malicious server can trick a FreeRDP-based client into reading out-of-bounds data and attempting to decode it, likely resulting in a crash. This issue has been addressed in the 2.9.0 release. Users are advised to upgrade.

Severity: MEDIUM (5.7) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Published: Nov. 16, 2022
Modified: Jan. 12, 2024
Weakness type: CWE-125 (Out-of-bounds Read)

Fixed packages

Package name | Branch           | Fixed in version | Version from repository | Errata ID          | Task # | State
freerdp      | sisyphus         | 2.9.0-alt1       | 2.11.5-alt1             | ALT-PU-2022-3127-1 | 310190 | Fixed
freerdp      | sisyphus_e2k     | 2.9.0-alt1       | 2.11.5-alt1             | ALT-PU-2022-7162-1 | -      | Fixed
freerdp      | sisyphus_mipsel  | 2.9.0-alt1       | 2.11.2-alt1             | ALT-PU-2022-7139-1 | -      | Fixed
freerdp      | sisyphus_riscv64 | 2.9.0-alt1       | 2.11.2-alt1             | ALT-PU-2022-7143-1 | -      | Fixed
freerdp      | p10              | 2.9.0-alt1       | 2.11.5-alt1             | ALT-PU-2022-3199-1 | 310220 | Fixed
freerdp      | p10_e2k          | 2.9.0-alt1       | 2.10.0-alt3             | ALT-PU-2022-7252-1 | -      | Fixed
freerdp      | p9               | 2.9.0-alt1       | 2.9.0-alt1              | ALT-PU-2022-3288-1 | 310221 | Fixed
freerdp      | p9_mipsel        | 2.9.0-alt1       | 2.9.0-alt1              | ALT-PU-2022-7394-1 | -      | Fixed
freerdp      | c10f1            | 2.9.0-alt1       | 2.11.5-alt1             | ALT-PU-2022-3199-1 | 310220 | Fixed
freerdp      | c9f2             | 2.9.0-alt1       | 2.11.5-alt1             | ALT-PU-2022-3189-1 | 310222 | Fixed

References to Advisories, Solutions, and Tools

Configuration 1

    cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
    Version end excluding: 2.9.0

Configuration 2

    cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*