Ubuntu Security Notice 5734-1 - It was discovered that FreeRDP incorrectly handled certain data lenghts. A malicious server could use this issue to cause FreeRDP clients to crash, resulting in a denial of service, or possibly obtain sensitive information. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. It was discovered that FreeRDP incorrectly handled certain data lenghts. A malicious server could use this issue to cause FreeRDP clients to crash, resulting in a denial of service, or possibly obtain sensitive information.
9609ba4e931201e651dbbf463f2757f7ca9c25e428f66409e31b3745d1f946c1
==========================================================================
Ubuntu Security Notice USN-5734-1
November 22, 2022
freerdp2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in FreeRDP.
Software Description:
- freerdp2: RDP client for Windows Terminal Services
Details:
It was discovered that FreeRDP incorrectly handled certain data lenghts. A
malicious server could use this issue to cause FreeRDP clients to crash,
resulting in a denial of service, or possibly obtain sensitive information.
This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu
22.04 LTS. (CVE-2022-39282, CVE-2022-39283)
It was discovered that FreeRDP incorrectly handled certain data lenghts. A
malicious server could use this issue to cause FreeRDP clients to crash,
resulting in a denial of service, or possibly obtain sensitive information.
(CVE-2022-39316, CVE-2022-39317, CVE-2022-39318, CVE-2022-39319,
CVE-2022-39320)
It was discovered that FreeRDP incorrectly handled certain path checks. A
malicious server could use this issue to cause FreeRDP clients to read
files outside of the shared directory. (CVE-2022-39347)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.10:
libfreerdp-client2-2 2.8.1+dfsg1-0ubuntu1.1
libfreerdp-server2-2 2.8.1+dfsg1-0ubuntu1.1
Ubuntu 22.04 LTS:
libfreerdp-client2-2 2.6.1+dfsg1-3ubuntu2.3
libfreerdp-server2-2 2.6.1+dfsg1-3ubuntu2.3
Ubuntu 20.04 LTS:
libfreerdp-client2-2 2.2.0+dfsg1-0ubuntu0.20.04.4
libfreerdp-server2-2 2.2.0+dfsg1-0ubuntu0.20.04.4
Ubuntu 18.04 LTS:
libfreerdp-client2-2 2.2.0+dfsg1-0ubuntu0.18.04.4
libfreerdp-server2-2 2.2.0+dfsg1-0ubuntu0.18.04.4
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5734-1
CVE-2022-39282, CVE-2022-39283, CVE-2022-39316, CVE-2022-39317,
CVE-2022-39318, CVE-2022-39319, CVE-2022-39320, CVE-2022-39347
Package Information:
https://launchpad.net/ubuntu/+source/freerdp2/2.8.1+dfsg1-0ubuntu1.1
https://launchpad.net/ubuntu/+source/freerdp2/2.6.1+dfsg1-3ubuntu2.3
https://launchpad.net/ubuntu/+source/freerdp2/2.2.0+dfsg1-0ubuntu0.20.04.4
https://launchpad.net/ubuntu/+source/freerdp2/2.2.0+dfsg1-0ubuntu0.18.04.4