CVE-2022-39283

NameCVE-2022-39283
DescriptionFreeRDP is a free remote desktop protocol library and clients. All FreeRDP based clients when using the `/video` command line switch might read uninitialized data, decode it as audio/video and display the result. FreeRDP based server implementations are not affected. This issue has been patched in version 2.8.1. If you cannot upgrade do not use the `/video` switch.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs1021659

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
freerdp2 (PTS)buster2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u2vulnerable
bullseye2.3.0+dfsg1-2+deb11u1vulnerable
bookworm, sid2.9.0+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
freerdp2source(unstable)2.8.1+dfsg1-11021659

Notes

[bullseye] - freerdp2 <no-dsa> (Minor issue)
[buster] - freerdp2 <no-dsa> (Minor issue)
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6cf9-3328-qrvh

Search for package or bug name: Reporting problems