Vulnerability CVE-2022-39320: Information

Description

FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP may attempt integer addition on too narrow types leads to allocation of a buffer too small holding the data written. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/usb` redirection switch.

Severity: MEDIUM (4.6) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L

Published: Nov. 16, 2022
Modified: Jan. 12, 2024
Error type identifier: CWE-125

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
freerdpsisyphus2.9.0-alt12.11.5-alt1ALT-PU-2022-3127-1310190Fixed
freerdpsisyphus_e2k2.9.0-alt12.11.5-alt1ALT-PU-2022-7162-1-Fixed
freerdpsisyphus_mipsel2.9.0-alt12.11.2-alt1ALT-PU-2022-7139-1-Fixed
freerdpsisyphus_riscv642.9.0-alt12.11.2-alt1ALT-PU-2022-7143-1-Fixed
freerdpp102.9.0-alt12.11.5-alt1ALT-PU-2022-3199-1310220Fixed
freerdpp10_e2k2.9.0-alt12.10.0-alt3ALT-PU-2022-7252-1-Fixed
freerdpp92.9.0-alt12.9.0-alt1ALT-PU-2022-3288-1310221Fixed
freerdpp9_mipsel2.9.0-alt12.9.0-alt1ALT-PU-2022-7394-1-Fixed
freerdpc10f12.9.0-alt12.11.5-alt1ALT-PU-2022-3199-1310220Fixed
freerdpc9f22.9.0-alt12.11.5-alt1ALT-PU-2022-3189-1310222Fixed

References to Advisories, Solutions, and Tools

    1. Configuration 1

      cpe:2.3:a:freerdp:freerdp:*:*:*:*:*:*:*:*
      End excliding
      2.9.0

      Configuration 2

      cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

      cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*