USN-5734-1: FreeRDP vulnerabilities

Releases

• Ubuntu 22.10
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS
• Ubuntu 18.04 ESM

Packages

• freerdp2 - RDP client for Windows Terminal Services

Details

It was discovered that FreeRDP incorrectly handled certain data lenghts. A
malicious server could use this issue to cause FreeRDP clients to crash,
resulting in a denial of service, or possibly obtain sensitive information.
This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu
22.04 LTS. (CVE-2022-39282, CVE-2022-39283)

It was discovered that FreeRDP incorrectly handled certain data lenghts. A
malicious server could use this issue to cause FreeRDP clients to crash,
resulting in a denial of service, or possibly obtain sensitive information.
(CVE-2022-39316, CVE-2022-39317, CVE-2022-39318, CVE-2022-39319,
CVE-2022-39320)

It was discovered that FreeRDP incorrectly handled certain path checks. A
malicious server could use this issue to cause FreeRDP clients to read
files outside of the shared directory. (CVE-2022-39347)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.10

• libfreerdp-server2-2 - 2.8.1+dfsg1-0ubuntu1.1
• libfreerdp-client2-2 - 2.8.1+dfsg1-0ubuntu1.1

Ubuntu 22.04

• libfreerdp-server2-2 - 2.6.1+dfsg1-3ubuntu2.3
• libfreerdp-client2-2 - 2.6.1+dfsg1-3ubuntu2.3

Ubuntu 20.04

• libfreerdp-server2-2 - 2.2.0+dfsg1-0ubuntu0.20.04.4
• libfreerdp-client2-2 - 2.2.0+dfsg1-0ubuntu0.20.04.4

Ubuntu 18.04

• libfreerdp-server2-2 - 2.2.0+dfsg1-0ubuntu0.18.04.4
• libfreerdp-client2-2 - 2.2.0+dfsg1-0ubuntu0.18.04.4

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

• CVE-2022-39316
• CVE-2022-39283
• CVE-2022-39317
• CVE-2022-39282
• CVE-2022-39347
• CVE-2022-39318
• CVE-2022-39320
• CVE-2022-39319