Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1671359 (CVE-2018-8786) - CVE-2018-8786 freerdp: Integer truncation leading to heap-based buffer overflow in update_read_bitmap_update() function
Summary: CVE-2018-8786 freerdp: Integer truncation leading to heap-based buffer overfl...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-8786
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1671370 1684152 1684153 1684154
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-01-31 13:30 UTC by Andrej Nemec
Modified: 2020-04-27 16:39 UTC (History)
6 users (show)

Fixed In Version: freerdp 2.0.0-rc4
Clone Of:
Environment:
Last Closed: 2019-06-10 10:46:55 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0697 0 None None None 2019-04-02 11:37:04 UTC

Description Andrej Nemec 2019-01-31 13:30:27 UTC
FreeRDP prior to version 2.0.0-rc4 contains an Integer Truncation that leads to a Heap-Based Buffer Overflow in function update_read_bitmap_update() and results in a memory corruption.

Upstream patch:

https://github.com/FreeRDP/FreeRDP/commit/445a5a42c500ceb80f8fa7f2c11f3682538033f3

Comment 1 Andrej Nemec 2019-01-31 13:44:16 UTC
Created freerdp tracking bugs for this issue:

Affects: epel-6 [bug 1671370]

Comment 3 Riccardo Schirone 2019-02-28 15:03:01 UTC
The attacker needs to either hijack the communication between a FreeRDP client and a valid server or he needs to compromise a server for the attack to be successful.

Comment 4 Riccardo Schirone 2019-02-28 15:04:02 UTC
The memory corruption in update_read_bitmap_update() can be used to make the FreeRDP application crash or to execute arbitrary code in the context of the client system.

Comment 8 Riccardo Schirone 2019-02-28 15:09:56 UTC
Created freerdp tracking bugs for this issue:

Affects: fedora-all [bug 1684154]

Comment 9 errata-xmlrpc 2019-04-02 11:37:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0697 https://access.redhat.com/errata/RHSA-2019:0697


Note You need to log in before you can comment on or make changes to this bug.