OESA-2022-2112
- Source
- https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-2112
- Import Source
- https://repo.openeuler.org/security/data/osv/OESA-2022-2112.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/OESA-2022-2112
- Upstream
- Published
- 2022-11-25T11:04:38Z
- Modified
- 2025-08-12T05:14:49.774158Z
- Summary
- freerdp security update
- Details
-
FreeRDP is a client implementation of the Remote Desktop Protocol (RDP) that follows Microsoft's open specifications. This package provides the client applications xfreerdp and wlfreerdp.
Security Fix(es):
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing path canonicalization and base path check for
drivechannel. A malicious server can trick a FreeRDP based client to read files outside the shared directory. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the/drive,/drivesor+home-driveredirection switch.(CVE-2022-39347)FreeRDP is a free remote desktop protocol library and clients. In affected versions there is an out of bound read in ZGFX decoder component of FreeRDP. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it likely resulting in a crash. This issue has been addressed in the 2.9.0 release. Users are advised to upgrade.(CVE-2022-39316)
FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input length validation in the
urbdrcchannel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the/usbredirection switch.(CVE-2022-39319)FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input length validation in
drivechannel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the drive redirection channel - command line options/drive,+drivesor+home-drive.(CVE-2022-41877)FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing input validation in
urbdrcchannel. A malicious server can trick a FreeRDP based client to crash with division by zero. This issue has been addressed in version 2.9.0. All users are advised to upgrade. Users unable to upgrade should not use the/usbredirection switch.(CVE-2022-39318) - Database specific
{ "severity": "Critical" }- References
-
- https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2112
- https://nvd.nist.gov/vuln/detail/CVE-2022-39347
- https://nvd.nist.gov/vuln/detail/CVE-2022-39316
- https://nvd.nist.gov/vuln/detail/CVE-2022-39319
- https://nvd.nist.gov/vuln/detail/CVE-2022-41877
- https://nvd.nist.gov/vuln/detail/CVE-2022-39318
Affected packages
openEuler:20.03-LTS-SP1 / freerdp
Package
- Name
- freerdp
- Purl
- pkg:rpm/openEuler/freerdp&distro=openEuler-20.03-LTS-SP1
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.8.1-2.oe1
Ecosystem specific
{
"aarch64": [
"freerdp-2.8.1-2.oe1.aarch64.rpm",
"freerdp-help-2.8.1-2.oe1.aarch64.rpm",
"libwinpr-2.8.1-2.oe1.aarch64.rpm",
"freerdp-debugsource-2.8.1-2.oe1.aarch64.rpm",
"freerdp-debuginfo-2.8.1-2.oe1.aarch64.rpm",
"libwinpr-devel-2.8.1-2.oe1.aarch64.rpm",
"freerdp-devel-2.8.1-2.oe1.aarch64.rpm"
],
"x86_64": [
"freerdp-help-2.8.1-2.oe1.x86_64.rpm",
"freerdp-devel-2.8.1-2.oe1.x86_64.rpm",
"libwinpr-devel-2.8.1-2.oe1.x86_64.rpm",
"freerdp-2.8.1-2.oe1.x86_64.rpm",
"freerdp-debuginfo-2.8.1-2.oe1.x86_64.rpm",
"freerdp-debugsource-2.8.1-2.oe1.x86_64.rpm",
"libwinpr-2.8.1-2.oe1.x86_64.rpm"
],
"src": [
"freerdp-2.8.1-2.oe1.src.rpm"
]
}
openEuler:20.03-LTS-SP3 / freerdp
Package
- Name
- freerdp
- Purl
- pkg:rpm/openEuler/freerdp&distro=openEuler-20.03-LTS-SP3
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.8.1-2.oe1
Ecosystem specific
{
"aarch64": [
"freerdp-2.8.1-2.oe1.aarch64.rpm",
"libwinpr-devel-2.8.1-2.oe1.aarch64.rpm",
"freerdp-debuginfo-2.8.1-2.oe1.aarch64.rpm",
"libwinpr-2.8.1-2.oe1.aarch64.rpm",
"freerdp-debugsource-2.8.1-2.oe1.aarch64.rpm",
"freerdp-help-2.8.1-2.oe1.aarch64.rpm",
"freerdp-devel-2.8.1-2.oe1.aarch64.rpm"
],
"x86_64": [
"freerdp-debugsource-2.8.1-2.oe1.x86_64.rpm",
"freerdp-devel-2.8.1-2.oe1.x86_64.rpm",
"freerdp-2.8.1-2.oe1.x86_64.rpm",
"freerdp-debuginfo-2.8.1-2.oe1.x86_64.rpm",
"libwinpr-2.8.1-2.oe1.x86_64.rpm",
"libwinpr-devel-2.8.1-2.oe1.x86_64.rpm",
"freerdp-help-2.8.1-2.oe1.x86_64.rpm"
],
"src": [
"freerdp-2.8.1-2.oe1.src.rpm"
]
}
openEuler:22.03-LTS / freerdp
Package
- Name
- freerdp
- Purl
- pkg:rpm/openEuler/freerdp&distro=openEuler-22.03-LTS
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.8.1-2.oe2203
Ecosystem specific
{
"aarch64": [
"freerdp-devel-2.8.1-2.oe2203.aarch64.rpm",
"freerdp-debugsource-2.8.1-2.oe2203.aarch64.rpm",
"freerdp-help-2.8.1-2.oe2203.aarch64.rpm",
"libwinpr-2.8.1-2.oe2203.aarch64.rpm",
"freerdp-debuginfo-2.8.1-2.oe2203.aarch64.rpm",
"freerdp-2.8.1-2.oe2203.aarch64.rpm",
"libwinpr-devel-2.8.1-2.oe2203.aarch64.rpm"
],
"x86_64": [
"freerdp-devel-2.8.1-2.oe2203.x86_64.rpm",
"freerdp-debugsource-2.8.1-2.oe2203.x86_64.rpm",
"freerdp-2.8.1-2.oe2203.x86_64.rpm",
"freerdp-debuginfo-2.8.1-2.oe2203.x86_64.rpm",
"libwinpr-2.8.1-2.oe2203.x86_64.rpm",
"freerdp-help-2.8.1-2.oe2203.x86_64.rpm",
"libwinpr-devel-2.8.1-2.oe2203.x86_64.rpm"
],
"src": [
"freerdp-2.8.1-2.oe2203.src.rpm"
]
}