CVE-2023-39351

Name	CVE-2023-39351
Description	FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions of FreeRDP are subject to a Null Pointer Dereference leading a crash in the RemoteFX (rfx) handling. Inside the `rfx_process_message_tileset` function, the program allocates tiles using `rfx_allocate_tiles` for the number of numTiles. If the initialization process of tiles is not completed for various reasons, tiles will have a NULL pointer. Which may be accessed in further processing and would cause a program crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3606-1
Debian Bugs	1051638

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
freerdp2 (PTS)	bullseye	2.3.0+dfsg1-2+deb11u1	vulnerable
	bookworm	2.10.0+dfsg1-1	vulnerable
	sid, trixie	2.11.7+dfsg1-4	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
freerdp2	source	buster	2.3.0+dfsg1-2+deb10u3		DLA-3606-1
freerdp2	source	(unstable)	2.11.2+dfsg1-1			1051638

Notes

[bookworm] - freerdp2 <no-dsa> (Minor issue)
[bullseye] - freerdp2 <no-dsa> (Minor issue)
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q9x9-cqjc-rgwq
https://github.com/FreeRDP/FreeRDP/commit/99e243cdbc31f66b5c917452c8fed3276e8bdcd5 (2.11.0)
Introduced by: https://github.com/FreeRDP/FreeRDP/commit/579a13b054c306de36a24621763729ebf01797d3 (2.0.0)