PRIOn knowledge basePRION:CVE-2023-40569

HistoryAug 31, 2023 - 10:15 p.m.

Design/Logic Flaw

2023-08-3122:15:00

PRIOn knowledge base

www.prio-n.com

freerdp

remote desktop protocol

out-of-bounds write

vulnerability

patch

upgrade

progressive_decompress

nxsrc

nysrc

9.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.0%

JSON

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Write in the progressive_decompress function. This issue is likely down to incorrect calculations of the nXSrc and nYSrc variables. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. there are no known workarounds for this vulnerability.

CPENameOperatorVersion
debian_linuxeq10.0
fedoraeq37
fedoraeq38
fedoraeq39
freerdpeq3.0.0 beta1
freerdpeq3.0.0 beta2
freerdplt2.11.0

Name	Operator	Version
debian_linux	eq	10.0
fedora	eq	37
fedora	eq	38
fedora	eq	39
freerdp	eq	3.0.0 beta1
freerdp	eq	3.0.0 beta2
freerdp	lt	2.11.0

References

github.com/FreeRDP/FreeRDP/blob/5be5553e0da72178a4b94cc1ffbdace9ceb153e5/libfreerdp/codec/progressive.c

github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hm8c-rcjg-c8qp

lists.debian.org/debian-lts-announce/2023/10/msg00008.html

lists.fedoraproject.org/archives/list/[email protected]/message/A6LLDAPEXRDJOM3PREDDD267SSNT77DP/

lists.fedoraproject.org/archives/list/[email protected]/message/IHMTGKCZXJPQOR5ZD2I4GPDNP2DKRXMF/

lists.fedoraproject.org/archives/list/[email protected]/message/OH2ATH2BKDNKCJAU4WPPXK4SHLE3UJUV/

security.gentoo.org/glsa/202401-16