Name | CVE-2024-32659 |
Description | FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read if `((nWidth == 0) and (nHeight == 0))`. Version 3.5.1 contains a patch for the issue. No known workarounds are available. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 1069752, 1072112 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
freerdp2 (PTS) | bullseye | 2.3.0+dfsg1-2+deb11u1 | vulnerable |
| bookworm | 2.10.0+dfsg1-1 | vulnerable |
| sid, trixie | 2.11.7+dfsg1-6 | fixed |
freerdp3 (PTS) | sid, trixie | 3.10.2+dfsg-1 | fixed |
The information below is based on the following data on fixed versions.
Notes
[bookworm] - freerdp2 <no-dsa> (Minor issue)
[bullseye] - freerdp2 <no-dsa> (Minor issue)
[buster] - freerdp2 <postponed> (Minor issue)
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8jgr-7r33-x87w
Fixed by: https://github.com/FreeRDP/FreeRDP/commit/6430945ce003a5e24d454d8566f54aae1b6b617b (3.5.1)
Introduced by: https://github.com/FreeRDP/FreeRDP/commit/c697941de2b7062821e004411ec18ea71e50a30d (1.2.0-beta1+android7)