Source: freerdp2
Version: 2.3.0+dfsg1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for freerdp2.

CVE-2021-41160[0]:
| FreeRDP is a free implementation of the Remote Desktop Protocol (RDP),
| released under the Apache license. In affected versions a malicious
| server might trigger out of bound writes in a connected client.
| Connections using GDI or SurfaceCommands to send graphics updates to
| the client might send `0` width/height or out of bound rectangles to
| trigger out of bound writes. With `0` width or height the memory
| allocation will be `0` but the missing bounds checks allow writing to
| the pointer at this (not allocated) region. This issue has been
| patched in FreeRDP 2.4.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41160
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41160
[1] https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7c9r-6r2q-93qg

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
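The bug class the advisory describes, shown as an added illustration that is not FreeRDP's code and not part of the bug report above: a stand-in client surface, the unsafe allocation size computed straight from server-controlled width/height (zero when either is zero), and the bounds check a client must apply before copying a GDI or SurfaceCommand update into that surface. The `surface_t`/`rect_t` types, the function names and the sample updates are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a client-side drawing surface (hypothetical, not rdpGdi). */
typedef struct {
    uint32_t width;   /* pixels */
    uint32_t height;  /* pixels */
    uint32_t bpp;     /* bytes per pixel, e.g. 4 for BGRX32 */
    uint8_t *data;    /* width * height * bpp bytes, zero-initialised */
} surface_t;

/* Destination rectangle as carried in a server-sent graphics update. */
typedef struct {
    uint32_t left, top, width, height;
} rect_t;

static surface_t *surface_new(uint32_t width, uint32_t height, uint32_t bpp)
{
    surface_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->width = width; s->height = height; s->bpp = bpp;
    s->data = calloc((size_t)width * height, bpp);
    if (!s->data) { free(s); return NULL; }
    return s;
}

static void surface_free(surface_t *s)
{
    if (s) { free(s->data); free(s); }
}

/* The unsafe pattern from the advisory: the allocation size comes straight
 * from server-controlled dimensions. Width or height 0 gives a 0-byte
 * allocation; any later write through that pointer is out of bounds. */
static size_t naive_update_size(const rect_t *r, uint32_t bpp)
{
    return (size_t)r->width * r->height * bpp;
}

/* Hardened check: reject empty rectangles and any rectangle that does not
 * lie entirely inside the surface. 64-bit sums stop left+width wrapping. */
static bool rect_within_surface(const surface_t *s, const rect_t *r)
{
    if (r->width == 0 || r->height == 0)
        return false;
    if ((uint64_t)r->left + r->width > s->width)
        return false;
    if ((uint64_t)r->top + r->height > s->height)
        return false;
    return true;
}

/* Copy a server-supplied pixel block into the surface row by row.
 * Returns false and writes nothing when the rectangle or payload is bad. */
static bool surface_apply_update(surface_t *s, const rect_t *r,
                                 const uint8_t *pixels, size_t pixels_len)
{
    if (!rect_within_surface(s, r))
        return false;
    size_t row_bytes = (size_t)r->width * s->bpp;
    if (pixels_len < row_bytes * r->height)
        return false;            /* payload shorter than the header claims */
    for (uint32_t y = 0; y < r->height; y++) {
        size_t dst_off = ((size_t)(r->top + y) * s->width + r->left) * s->bpp;
        memcpy(s->data + dst_off, pixels + (size_t)y * row_bytes, row_bytes);
    }
    return true;
}

int main(void)
{
    surface_t *s = surface_new(64, 32, 4);
    if (!s) return 1;
    /* Constructed updates resembling what a malicious server could send. */
    rect_t empty = { 0, 0, 0, 8 };          /* zero width */
    rect_t past_edge = { 60, 0, 8, 8 };     /* overruns the right edge */
    rect_t wrap = { 1, 0, 0xFFFFFFFFu, 1 }; /* left+width wraps in 32 bits */
    rect_t good = { 60, 28, 4, 4 };         /* bottom-right 4x4 block */
    uint8_t pixels[4 * 4 * 4];
    memset(pixels, 0xAB, sizeof pixels);

    printf("naive size for zero-width rect: %zu bytes\n",
           naive_update_size(&empty, s->bpp));
    printf("empty rejected: %d, past_edge rejected: %d, wrap rejected: %d\n",
           !rect_within_surface(s, &empty), !rect_within_surface(s, &past_edge),
           !rect_within_surface(s, &wrap));
    printf("good applied: %d\n",
           surface_apply_update(s, &good, pixels, sizeof pixels));
    surface_free(s);
    return 0;
}
```

The check is deliberately applied against the destination surface, not against the allocation that the update's own header implies, because the header is attacker-controlled; the payload-length check covers the complementary case of a rectangle that is in bounds but backed by fewer bytes than it advertises.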

