CVE-2023-39354: Out-Of-Bounds Read in nsc_rle_decompress_data

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Read in the nsc_rle_decompress_data function. The Out-Of-Bounds Read occurs because it processes context->Planes without checking if it contains data of sufficient length. Should an attacker be able to leverage this vulnerability they may be able to cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected versions

<= 2.10.0, <= 3.0.0-beta2

Patched versions

2.11.0, 3.0.0-beta3

Summary

Out-Of-Bounds Read in nsc_rle_decompress_data

Affected

FreeRDP-based clients only. The FreeRDP proxy is not affected, as image decoding is not done by the proxy (data passthrough).

Details

static BOOL nsc_stream_initialize(NSC_CONTEXT* context, wStream* s)
{
    int i;

    /* Only the fixed 20-byte header is length-checked here. */
    if (!Stream_CheckAndLogRequiredLength(TAG, s, 20))
        return FALSE;

    for (i = 0; i < 4; i++)
        Stream_Read_UINT32(s, context->PlaneByteCount[i]);

    Stream_Read_UINT8(s, context->ColorLossLevel); /* ColorLossLevel (1 byte) */
    Stream_Read_UINT8(s, context->ChromaSubsamplingLevel); /* ChromaSubsamplingLevel (1 byte) */
    Stream_Seek(s, 2); /* Reserved (2 bytes) */

    /* Planes points at whatever follows the header; the remaining stream
     * length is not compared with the PlaneByteCount values read above. */
    context->Planes = Stream_Pointer(s);
    return TRUE;
}

context->Planes is assigned in the nsc_stream_initialize function.

static BOOL nsc_rle_decompress_data(NSC_CONTEXT* context)
{
    UINT16 i;
    BYTE* rle;
    UINT32 planeSize;
    UINT32 originalSize;

    if (!context)
        return FALSE;

    /* rle walks the plane data; nothing bounds it by the bytes left in the stream. */
    rle = context->Planes;

    for (i = 0; i < 4; i++)
    {
        originalSize = context->OrgByteCount[i];
        planeSize = context->PlaneByteCount[i];

        if (planeSize == 0)
        {
            if (context->priv->PlaneBuffersLength < originalSize)
                return FALSE;

            FillMemory(context->priv->PlaneBuffers[i], originalSize, 0xFF);
        }
        else if (planeSize < originalSize)
        {
            if (!nsc_rle_decode(rle, context->priv->PlaneBuffers[i],
                                context->priv->PlaneBuffersLength, originalSize))
                return FALSE;
        }
        else
        {
            /* Only the destination size is checked before the copy. */
            if (context->priv->PlaneBuffersLength < originalSize)
                return FALSE;

            CopyMemory(context->priv->PlaneBuffers[i], rle, originalSize);
        }

        rle += planeSize;
    }

    return TRUE;
}

In the nsc_rle_decompress_data function, Out-Of-Bounds Read occurs because it processes context->Planes without checking if it contains data of sufficient length.
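
The missing check, shown as an added example on a simplified model of the message (this is not FreeRDP's code or its patch): the four declared plane sizes are validated against the bytes actually present, and the raw-copy branch then reads only from a bounded slice. The names plane_slice, nsc_split_planes and nsc_copy_raw_plane are hypothetical, and the sample message is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NSC_HEADER_LEN 20 /* 4 x UINT32 PlaneByteCount + 2 level bytes + 2 reserved */

/* Hypothetical type: one plane's bytes, guaranteed to lie inside the message. */
typedef struct { const uint8_t* data; uint32_t len; } plane_slice;

/* The header fields are little-endian 32-bit values. */
static uint32_t read_u32_le(const uint8_t* p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) |
           ((uint32_t)p[3] << 24);
}

/* Split the payload into four slices; fail if the declared plane sizes
 * exceed the bytes actually present after the header. */
bool nsc_split_planes(const uint8_t* msg, size_t msg_len, plane_slice out[4])
{
    if (!msg || !out || msg_len < NSC_HEADER_LEN)
        return false;
    const uint8_t* cur = msg + NSC_HEADER_LEN;
    size_t remaining = msg_len - NSC_HEADER_LEN;
    for (int i = 0; i < 4; i++)
    {
        uint32_t plane_size = read_u32_le(msg + 4 * i);
        if (plane_size > remaining) /* the length check the vulnerable code lacks */
            return false;
        out[i].data = cur;
        out[i].len = plane_size;
        cur += plane_size;
        remaining -= plane_size; /* cannot underflow: plane_size <= remaining */
    }
    return true;
}

/* Raw-copy branch (planeSize >= originalSize), reading only from a checked slice. */
bool nsc_copy_raw_plane(const plane_slice* src, uint8_t* dst, size_t dst_len,
                        uint32_t original_size)
{
    if (!src || !dst || original_size > dst_len || original_size > src->len)
        return false;
    memcpy(dst, src->data, original_size);
    return true;
}

int main(void)
{
    /* Constructed message: header declares a 20-byte plane 0, payload has 4 bytes. */
    uint8_t truncated[NSC_HEADER_LEN + 4] = { 20 };
    plane_slice planes[4];
    printf("truncated accepted: %d\n",
           nsc_split_planes(truncated, sizeof truncated, planes));
    return 0;
}
```

An RLE decoder fed from these slices needs the slice length as an input bound as well, since the vulnerable decoder is driven by originalSize rather than by the bytes available.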

PoC

Insufficient data for context->Planes may cause errors or crashes.

Impact

Out-Of-Bounds Read

ASan

==18171==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000080e3a at pc 0x000102ccb778 bp 0x00016f6f5320 sp 0x00016f6f4ad0
READ of size 20 at 0x616000080e3a thread T5
    #0 0x102ccb774 in __asan_memcpy+0x37c (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4f774) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
    #1 0x101c03914 in nsc_rle_decompress_data+0x3bc (libfreerdp3.3.0.0.dylib:arm64+0x1b914) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #2 0x101c02b60 in nsc_process_message+0x3f8 (libfreerdp3.3.0.0.dylib:arm64+0x1ab60) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #3 0x101c3f3e8 in clear_decompress_nscodec+0xf0 (libfreerdp3.3.0.0.dylib:arm64+0x573e8) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #4 0x101c3dee8 in clear_decompress_subcodecs_data+0x1008 (libfreerdp3.3.0.0.dylib:arm64+0x55ee8) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #5 0x101c3851c in clear_decompress+0x11a0 (libfreerdp3.3.0.0.dylib:arm64+0x5051c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #6 0x101d44ba0 in gdi_SurfaceCommand_ClearCodec+0x6fc (libfreerdp3.3.0.0.dylib:arm64+0x15cba0) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #7 0x101d3bf20 in gdi_SurfaceCommand+0x564 (libfreerdp3.3.0.0.dylib:arm64+0x153f20) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #8 0x100f26118 in rdpgfx_decode+0x288 (libfreerdp-client3.3.0.0.dylib:arm64+0xaa118) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
    #9 0x100f0fafc in rdpgfx_recv_wire_to_surface_1_pdu+0x1760 (libfreerdp-client3.3.0.0.dylib:arm64+0x93afc) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
    #10 0x100f0d0e4 in rdpgfx_recv_pdu+0x5d4 (libfreerdp-client3.3.0.0.dylib:arm64+0x910e4) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
    #11 0x100f0bfd4 in rdpgfx_on_data_received+0x448 (libfreerdp-client3.3.0.0.dylib:arm64+0x8ffd4) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
    #12 0x100e8f428 in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x13428) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
    #13 0x100e8f294 in dvcman_receive_channel_data+0x440 (libfreerdp-client3.3.0.0.dylib:arm64+0x13294) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
    #14 0x100e8bc7c in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0xfc7c) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
    #15 0x100e89ef0 in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xdef0) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
    #16 0x100e89934 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xd934) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
    #17 0x100e8861c in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xc61c) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
    #18 0x101e3bc98 in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x253c98) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #19 0x101eed664 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x305664) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #20 0x101e9d74c in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2b574c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #21 0x101e9c50c in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b450c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #22 0x101e97d74 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2afd74) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #23 0x101e9689c in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2ae89c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #24 0x101ebd088 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d5088) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #25 0x101e9867c in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b067c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #26 0x101e33454 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24b454) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #27 0x101e33b24 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x24bb24) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #28 0x100a97130 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13130) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
    #29 0x102745320 in thread_launcher thread.c:520
    #30 0x192413fa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
    #31 0x2a5800019240ed9c  (<unknown module>)

0x616000080e3a is located 2708 bytes after 550-byte region [0x616000080180,0x6160000803a6)
allocated by thread T5 here:
    #0 0x102ccd5b0 in wrap_malloc+0x8c (libclang_rt.asan_osx_dynamic.dylib:arm64+0x515b0) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
    #1 0x101c0d188 in aligned_zgfx_malloc+0x18 (libfreerdp3.3.0.0.dylib:arm64+0x25188) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #2 0x101c0ad88 in zgfx_decompress+0x4ac (libfreerdp3.3.0.0.dylib:arm64+0x22d88) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #3 0x100f0bdbc in rdpgfx_on_data_received+0x230 (libfreerdp-client3.3.0.0.dylib:arm64+0x8fdbc) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
    #4 0x100e8f428 in dvcman_call_on_receive+0x164 (libfreerdp-client3.3.0.0.dylib:arm64+0x13428) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
    #5 0x100e8f294 in dvcman_receive_channel_data+0x440 (libfreerdp-client3.3.0.0.dylib:arm64+0x13294) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
    #6 0x100e8bc7c in drdynvc_process_data+0x2c8 (libfreerdp-client3.3.0.0.dylib:arm64+0xfc7c) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
    #7 0x100e89ef0 in drdynvc_order_recv+0x334 (libfreerdp-client3.3.0.0.dylib:arm64+0xdef0) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
    #8 0x100e89934 in drdynvc_virtual_channel_event_data_received+0x498 (libfreerdp-client3.3.0.0.dylib:arm64+0xd934) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
    #9 0x100e8861c in drdynvc_virtual_channel_open_event_ex+0x1ac (libfreerdp-client3.3.0.0.dylib:arm64+0xc61c) (BuildId: 776adf67bfdc356180bc0f4db402691032000000200000000100000000000d00)
    #10 0x101e3bc98 in freerdp_channels_data+0x5cc (libfreerdp3.3.0.0.dylib:arm64+0x253c98) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #11 0x101eed664 in freerdp_channel_process+0x6e0 (libfreerdp3.3.0.0.dylib:arm64+0x305664) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #12 0x101e9d74c in rdp_recv_tpkt_pdu+0x11e8 (libfreerdp3.3.0.0.dylib:arm64+0x2b574c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #13 0x101e9c50c in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b450c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #14 0x101e97d74 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2afd74) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #15 0x101e9689c in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2ae89c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #16 0x101ebd088 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d5088) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #17 0x101e9867c in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b067c) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #18 0x101e33454 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24b454) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #19 0x101e33b24 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x24bb24) (BuildId: dfac08ef9e293206a0f10afcf243820f32000000200000000100000000000d00)
    #20 0x100a97130 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13130) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
    #21 0x102745320 in thread_launcher thread.c:520
    #22 0x192413fa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
    #23 0x2a5800019240ed9c  (<unknown module>)

Thread T5 created by T0 here:
    #0 0x102cc691c in wrap_pthread_create+0x50 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4a91c) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
    #1 0x1027423a0 in winpr_StartThread thread.c:568
    #2 0x102741a74 in CreateThread thread.c:650
    #3 0x100a96894 in -[MRDPView rdpStart:]+0x964 (MacFreeRDP:arm64+0x12894) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
    #4 0x100a95ce4 in mfreerdp_client_start+0x488 (MacFreeRDP:arm64+0x11ce4) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
    #5 0x100a89bbc in freerdp_client_start+0x190 (MacFreeRDP:arm64+0x5bbc) (BuildId: 3a4e43fe04f43036ab9335815490e83b32000000200000000100000000000d00)
    #6 0x1009c678c in -[AppDelegate applicationDidFinishLaunching:]+0x53c (MacFreeRDP:arm64+0x10000678c) (BuildId: c0debf5af29834acb3c97ff2be5d5c4932000000200000000100000000000d00)
    #7 0x1924e717c in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__+0x90 (CoreFoundation:arm64+0x7417c) (BuildId: 203e44018c2e3157a24b92f52551d43e32000000200000000100000000040d00)
    #8 0x8253800192582ee8  (<unknown module>)
    #9 0x640000192582e30  (<unknown module>)
    #10 0x13e0001924b84c8  (<unknown module>)
    #11 0xb048001934168f0  (<unknown module>)
    #12 0xcc04800195719154  (<unknown module>)
    #13 0x140f000195718f04  (<unknown module>)
    #14 0x655f800195716fa0  (<unknown module>)
    #15 0xdd07000195716b9c  (<unknown module>)
    #16 0x8c5c800193440b60  (<unknown module>)
    #17 0xbd580001934409c0  (<unknown module>)
    #18 0x5e2f800198819514  (<unknown module>)
    #19 0x731e800198818e40  (<unknown module>)
    #20 0x2d61000198811f14  (<unknown module>)
    #21 0xa41d00019bd4ab40  (<unknown module>)
    #22 0x4a66800195712044  (<unknown module>)
    #23 0xc87e800195710edc  (<unknown module>)
    #24 0x6e57000195705340  (<unknown module>)
    #25 0xab4f8001956dc790  (<unknown module>)
    #26 0xc06a0001009c6020  (<unknown module>)
    #27 0x1920bbf24  (<unknown module>)
    #28 0xe81f7ffffffffffc  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4f774) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00) in __asan_memcpy+0x37c
==18171==ABORTING
[16:29:49:388] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [fatal_handler]: Caught signal 'Abort trap: 6' [6]
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 0: 0   libwinpr3.3.0.0.dylib               0x00000001026a3558 winpr_execinfo_backtrace + 336
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 1: 1   libwinpr3.3.0.0.dylib               0x000000010269d090 winpr_backtrace + 24
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 2: 2   libwinpr3.3.0.0.dylib               0x000000010269d3ec winpr_log_backtrace_ex + 304
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 3: 3   libwinpr3.3.0.0.dylib               0x000000010269d2b0 winpr_log_backtrace + 44
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 4: 4   libfreerdp3.3.0.0.dylib             0x0000000101ca42c8 fatal_handler + 460
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 5: 5   libsystem_platform.dylib            0x0000000192442a24 _sigtramp + 56
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 6: 6   libsystem_pthread.dylib             0x0000000192413c28 pthread_kill + 288
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 7: 7   libsystem_c.dylib                   0x0000000192321ae8 abort + 180
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 8: 8   libclang_rt.asan_osx_dynamic.dylib  0x0000000102cf09b8 _ZN11__sanitizer6AtexitEPFvvE + 0
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 9: 9   libclang_rt.asan_osx_dynamic.dylib  0x0000000102cf0124 _ZN11__sanitizer22SetCheckUnwindCallbackEPFvvE + 0
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 10: 10  libclang_rt.asan_osx_dynamic.dylib  0x0000000102cd5658 _ZN6__asan16ErrorDescription5PrintEv + 0
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 11: 11  libclang_rt.asan_osx_dynamic.dylib  0x0000000102cd499c _ZN6__asan18ReportGenericErrorEmmmmbmjb + 1452
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 12: 12  libclang_rt.asan_osx_dynamic.dylib  0x0000000102ccb798 __asan_memcpy + 928
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 13: 13  libfreerdp3.3.0.0.dylib             0x0000000101c03918 nsc_rle_decompress_data + 960
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 14: 14  libfreerdp3.3.0.0.dylib             0x0000000101c02b64 nsc_process_message + 1020
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 15: 15  libfreerdp3.3.0.0.dylib             0x0000000101c3f3ec clear_decompress_nscodec + 244
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 16: 16  libfreerdp3.3.0.0.dylib             0x0000000101c3deec clear_decompress_subcodecs_data + 4108
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 17: 17  libfreerdp3.3.0.0.dylib             0x0000000101c38520 clear_decompress + 4516
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 18: 18  libfreerdp3.3.0.0.dylib             0x0000000101d44ba4 gdi_SurfaceCommand_ClearCodec + 1792
[16:29:49:389] [18171:6f6f7000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 19: 19  libfreerdp3.3.0.0.dylib             0x0000000101d3bf24 gdi_SurfaceCommand + 1384

Related news

Gentoo Linux Security Advisory 202401-16

Gentoo Linux Security Advisory 202401-16 - Multiple vulnerabilities have been discovered in FreeRDP, the worst of which could result in code execution. Versions greater than or equal to 2.11.0 are affected.

Ubuntu Security Notice USN-6401-1

Ubuntu Security Notice 6401-1 - It was discovered that FreeRDP did not properly manage certain inputs. A malicious server could use this issue to cause FreeRDP clients to crash, resulting in a denial of service, or possibly obtain sensitive information. It was discovered that FreeRDP did not properly manage certain inputs. A malicious server could use this issue to cause FreeRDP clients to crash, resulting in a denial of service, or possibly execute arbitrary code.
