In FreeRDP greater than 1.2 and before 2.0.0, a double free in update_read_cache_bitmap_v3_order crashes the client application if corrupted data from a manipulated server is parsed. This has been patched in 2.0.0.
Weakness
The product calls free() twice on the same memory address.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Freerdp | Freerdp | 1.2.0 (excluding) | 2.0.0 (excluding) |
| Red Hat Enterprise Linux 7 | RedHat | freerdp-0:2.1.1-2.el7 | * |
| Red Hat Enterprise Linux 8 | RedHat | freerdp-2:2.1.1-1.el8 | * |
| Red Hat Enterprise Linux 8 | RedHat | vinagre-0:3.22.0-23.el8 | * |
| Freerdp | Ubuntu | trusty | * |
| Freerdp2 | Ubuntu | bionic | * |
| Freerdp2 | Ubuntu | eoan | * |
| Freerdp2 | Ubuntu | esm-infra/bionic | * |
| Freerdp2 | Ubuntu | esm-infra/focal | * |
| Freerdp2 | Ubuntu | focal | * |
| Freerdp2 | Ubuntu | trusty | * |
Potential Mitigations
References
- https://github.com/FreeRDP/FreeRDP/commit/67c2aa52b2ae0341d469071d1bc8aab91f8d2ed8
- https://github.com/FreeRDP/FreeRDP/issues/6013
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cgqh-p732-6x2w
- https://lists.debian.org/debian-lts-announce/2023/10/msg00008.html
- https://usn.ubuntu.com/4379-1/
- https://github.com/FreeRDP/FreeRDP/commit/67c2aa52b2ae0341d469071d1bc8aab91f8d2ed8
- https://github.com/FreeRDP/FreeRDP/issues/6013
- https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cgqh-p732-6x2w
- https://lists.debian.org/debian-lts-announce/2023/10/msg00008.html
- https://usn.ubuntu.com/4379-1/