SUSE-SU-2023:4893-1: moderate: Security update for freerdp
# Security update for freerdp

Announcement ID: SUSE-SU-2023:4893-1
Rating: moderate

References:

* bsc#1214856
* bsc#1214857
* bsc#1214858
* bsc#1214859
* bsc#1214860
* bsc#1214862
* bsc#1214863
* bsc#1214864
* bsc#1214866
* bsc#1214867
* bsc#1214868
* bsc#1214869
* bsc#1214870
* bsc#1214871
* bsc#1214872

Cross-References:

* CVE-2023-39350
* CVE-2023-39351
* CVE-2023-39352
* CVE-2023-39353
* CVE-2023-39354
* CVE-2023-39356
* CVE-2023-40181
* CVE-2023-40186
* CVE-2023-40188
* CVE-2023-40567
* CVE-2023-40569
* CVE-2023-40574
* CVE-2023-40575
* CVE-2023-40576
* CVE-2023-40589

CVSS scores:

* CVE-2023-39350 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-39350 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-39351 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-39351 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-39352 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-39352 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-39353 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-39353 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-39354 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-39354 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-39356 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-39356 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-40181 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-40181 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-40186 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2023-40186 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2023-40188 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-40188 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-40567 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2023-40567 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2023-40569 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2023-40569 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2023-40574 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2023-40574 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2023-40575 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-40575 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-40576 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-40576 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-40589 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2023-40589 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Affected Products:

* openSUSE Leap 15.4
* openSUSE Leap 15.5
* SUSE Linux Enterprise Desktop 15 SP4
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Micro 5.3
* SUSE Linux Enterprise Micro 5.4
* SUSE Linux Enterprise Micro 5.5
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Workstation Extension 15 SP4
* SUSE Linux Enterprise Workstation Extension 15 SP5
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
* SUSE Package Hub 15 15-SP4
* SUSE Package Hub 15 15-SP5

An update that solves 15 vulnerabilities can now be installed.

## Description:

This update for freerdp fixes the following issues:

* CVE-2023-39350: Fixed incorrect offset calculation leading to DoS (bsc#1214856).
* CVE-2023-39351: Fixed Null Pointer Dereference leading to DoS in RemoteFX (bsc#1214857).
* CVE-2023-39352: Fixed Invalid offset validation leading to Out Of Bound Write (bsc#1214858).
* CVE-2023-39353: Fixed Missing offset validation leading to Out Of Bound Read (bsc#1214859).
* CVE-2023-39354: Fixed Out-Of-Bounds Read in nsc_rle_decompress_data (bsc#1214860).
* CVE-2023-39356: Fixed Missing offset validation leading to Out-of-Bounds Read in gdi_multi_opaque_rect (bsc#1214862).
* CVE-2023-40181: Fixed Integer-Underflow leading to Out-Of-Bound Read in zgfx_decompress_segment (bsc#1214863).
* CVE-2023-40186: Fixed Integer Overflow leading to Out-Of-Bound Write Vulnerability in gdi_CreateSurface (bsc#1214864).
* CVE-2023-40188: Fixed Out-Of-Bounds Read in general_LumaToYUV444 (bsc#1214866).
* CVE-2023-40567: Fixed Out-Of-Bounds Write in clear_decompress_bands_data (bsc#1214867).
* CVE-2023-40569: Fixed Out-Of-Bounds Write in progressive_decompress (bsc#1214868).
* CVE-2023-40574: Fixed Out-Of-Bounds Write in general_YUV444ToRGB_8u_P3AC4R_BGRX (bsc#1214869).
* CVE-2023-40575: Fixed Out-Of-Bounds Read in general_YUV444ToRGB_8u_P3AC4R_BGRX (bsc#1214870).
* CVE-2023-40576: Fixed Out-Of-Bounds Read in RleDecompress (bsc#1214871).
* CVE-2023-40589: Fixed Global-Buffer-Overflow in ncrush_decompress (bsc#1214872).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap 15.4
  `zypper in -t patch openSUSE-SLE-15.4-2023-4893=1 SUSE-2023-4893=1`
* openSUSE Leap 15.5
  `zypper in -t patch openSUSE-SLE-15.5-2023-4893=1`
* SUSE Package Hub 15 15-SP4
  `zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2023-4893=1`
* SUSE Package Hub 15 15-SP5
  `zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2023-4893=1`
* SUSE Linux Enterprise Workstation Extension 15 SP4
  `zypper in -t patch SUSE-SLE-Product-WE-15-SP4-2023-4893=1`
* SUSE Linux Enterprise Workstation Extension 15 SP5
  `zypper in -t patch SUSE-SLE-Product-WE-15-SP5-2023-4893=1`

## Package List:

* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
  * libwinpr2-2.4.0-150400.3.23.1
  * freerdp-server-debuginfo-2.4.0-150400.3.23.1
  * libwinpr2-debuginfo-2.4.0-150400.3.23.1
  * libfreerdp2-2.4.0-150400.3.23.1
  * freerdp-devel-2.4.0-150400.3.23.1
  * freerdp-debugsource-2.4.0-150400.3.23.1
  * libuwac0-0-2.4.0-150400.3.23.1
  * freerdp-debuginfo-2.4.0-150400.3.23.1
  * uwac0-0-devel-2.4.0-150400.3.23.1
  * libuwac0-0-debuginfo-2.4.0-150400.3.23.1
  * freerdp-wayland-2.4.0-150400.3.23.1
  * freerdp-proxy-2.4.0-150400.3.23.1
  * freerdp-server-2.4.0-150400.3.23.1
  * freerdp-2.4.0-150400.3.23.1
  * winpr2-devel-2.4.0-150400.3.23.1
  * freerdp-wayland-debuginfo-2.4.0-150400.3.23.1
  * libfreerdp2-debuginfo-2.4.0-150400.3.23.1
  * freerdp-proxy-debuginfo-2.4.0-150400.3.23.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  * libwinpr2-2.4.0-150400.3.23.1
  * freerdp-server-debuginfo-2.4.0-150400.3.23.1
  * libwinpr2-debuginfo-2.4.0-150400.3.23.1
  * libfreerdp2-2.4.0-150400.3.23.1
  * freerdp-devel-2.4.0-150400.3.23.1
  * freerdp-debugsource-2.4.0-150400.3.23.1
  * libuwac0-0-2.4.0-150400.3.23.1
  * freerdp-debuginfo-2.4.0-150400.3.23.1
  * uwac0-0-devel-2.4.0-150400.3.23.1
  * libuwac0-0-debuginfo-2.4.0-150400.3.23.1
  * freerdp-wayland-2.4.0-150400.3.23.1
  * freerdp-proxy-2.4.0-150400.3.23.1
  * freerdp-server-2.4.0-150400.3.23.1
  * freerdp-2.4.0-150400.3.23.1
  * winpr2-devel-2.4.0-150400.3.23.1
  * freerdp-wayland-debuginfo-2.4.0-150400.3.23.1
  * libfreerdp2-debuginfo-2.4.0-150400.3.23.1
  * freerdp-proxy-debuginfo-2.4.0-150400.3.23.1
* SUSE Package Hub 15 15-SP4 (aarch64 ppc64le s390x)
  * libwinpr2-2.4.0-150400.3.23.1
  * libwinpr2-debuginfo-2.4.0-150400.3.23.1
  * libfreerdp2-2.4.0-150400.3.23.1
  * freerdp-devel-2.4.0-150400.3.23.1
  * freerdp-debugsource-2.4.0-150400.3.23.1
  * freerdp-debuginfo-2.4.0-150400.3.23.1
  * freerdp-proxy-2.4.0-150400.3.23.1
  * freerdp-2.4.0-150400.3.23.1
  * winpr2-devel-2.4.0-150400.3.23.1
  * libfreerdp2-debuginfo-2.4.0-150400.3.23.1
  * freerdp-proxy-debuginfo-2.4.0-150400.3.23.1
* SUSE Package Hub 15 15-SP5 (aarch64 ppc64le s390x)
  * libwinpr2-2.4.0-150400.3.23.1
  * freerdp-server-debuginfo-2.4.0-150400.3.23.1
  * libwinpr2-debuginfo-2.4.0-150400.3.23.1
  * libfreerdp2-2.4.0-150400.3.23.1
  * freerdp-devel-2.4.0-150400.3.23.1
  * freerdp-debugsource-2.4.0-150400.3.23.1
  * libuwac0-0-2.4.0-150400.3.23.1
  * freerdp-debuginfo-2.4.0-150400.3.23.1
  * uwac0-0-devel-2.4.0-150400.3.23.1
  * libuwac0-0-debuginfo-2.4.0-150400.3.23.1
  * freerdp-wayland-2.4.0-150400.3.23.1
  * freerdp-proxy-2.4.0-150400.3.23.1
  * freerdp-server-2.4.0-150400.3.23.1
  * freerdp-2.4.0-150400.3.23.1
  * winpr2-devel-2.4.0-150400.3.23.1
  * freerdp-wayland-debuginfo-2.4.0-150400.3.23.1
  * libfreerdp2-debuginfo-2.4.0-150400.3.23.1
  * freerdp-proxy-debuginfo-2.4.0-150400.3.23.1
* SUSE Linux Enterprise Workstation Extension 15 SP4 (x86_64)
  * libwinpr2-2.4.0-150400.3.23.1
  * libwinpr2-debuginfo-2.4.0-150400.3.23.1
  * libfreerdp2-2.4.0-150400.3.23.1
  * freerdp-devel-2.4.0-150400.3.23.1
  * freerdp-debugsource-2.4.0-150400.3.23.1
  * freerdp-debuginfo-2.4.0-150400.3.23.1
  * freerdp-proxy-2.4.0-150400.3.23.1
  * freerdp-2.4.0-150400.3.23.1
  * winpr2-devel-2.4.0-150400.3.23.1
  * libfreerdp2-debuginfo-2.4.0-150400.3.23.1
  * freerdp-proxy-debuginfo-2.4.0-150400.3.23.1
* SUSE Linux Enterprise Workstation Extension 15 SP5 (x86_64)
  * libwinpr2-2.4.0-150400.3.23.1
  * libwinpr2-debuginfo-2.4.0-150400.3.23.1
  * libfreerdp2-2.4.0-150400.3.23.1
  * freerdp-devel-2.4.0-150400.3.23.1
  * freerdp-debugsource-2.4.0-150400.3.23.1
  * freerdp-debuginfo-2.4.0-150400.3.23.1
  * freerdp-proxy-2.4.0-150400.3.23.1
  * freerdp-2.4.0-150400.3.23.1
  * winpr2-devel-2.4.0-150400.3.23.1
  * libfreerdp2-debuginfo-2.4.0-150400.3.23.1
  * freerdp-proxy-debuginfo-2.4.0-150400.3.23.1

## References:

* https://www.suse.com/security/cve/CVE-2023-39350.html
* https://www.suse.com/security/cve/CVE-2023-39351.html
* https://www.suse.com/security/cve/CVE-2023-39352.html
* https://www.suse.com/security/cve/CVE-2023-39353.html
* https://www.suse.com/security/cve/CVE-2023-39354.html
* https://www.suse.com/security/cve/CVE-2023-39356.html
* https://www.suse.com/security/cve/CVE-2023-40181.html
* https://www.suse.com/security/cve/CVE-2023-40186.html
* https://www.suse.com/security/cve/CVE-2023-40188.html
* https://www.suse.com/security/cve/CVE-2023-40567.html
* https://www.suse.com/security/cve/CVE-2023-40569.html
* https://www.suse.com/security/cve/CVE-2023-40574.html
* https://www.suse.com/security/cve/CVE-2023-40575.html
* https://www.suse.com/security/cve/CVE-2023-40576.html
* https://www.suse.com/security/cve/CVE-2023-40589.html
* https://bugzilla.suse.com/show_bug.cgi?id=1214856
* https://bugzilla.suse.com/show_bug.cgi?id=1214857
* https://bugzilla.suse.com/show_bug.cgi?id=1214858
* https://bugzilla.suse.com/show_bug.cgi?id=1214859
* https://bugzilla.suse.com/show_bug.cgi?id=1214860
* https://bugzilla.suse.com/show_bug.cgi?id=1214862
* https://bugzilla.suse.com/show_bug.cgi?id=1214863
* https://bugzilla.suse.com/show_bug.cgi?id=1214864
* https://bugzilla.suse.com/show_bug.cgi?id=1214866
* https://bugzilla.suse.com/show_bug.cgi?id=1214867
* https://bugzilla.suse.com/show_bug.cgi?id=1214868
* https://bugzilla.suse.com/show_bug.cgi?id=1214869
* https://bugzilla.suse.com/show_bug.cgi?id=1214870
* https://bugzilla.suse.com/show_bug.cgi?id=1214871
* https://bugzilla.suse.com/show_bug.cgi?id=1214872
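The patch instructions above install the fix; as an added example (not part of the SUSE advisory), the POSIX shell script below verifies afterwards that the freerdp packages on a host are at or above the fixed version-release 2.4.0-150400.3.23.1 from the package list. It assumes GNU sort for `-V` and rpm for the live query; the package names and version are the advisory's own.

```shell
#!/bin/sh
# Added example, not from the SUSE advisory: post-patch verification for
# SUSE-SU-2023:4893-1. Assumes GNU sort (-V) and, for the live check, rpm.

# Fixed version-release shipped by this advisory (from its package list).
FIXED="2.4.0-150400.3.23.1"

# is_fixed INSTALLED FIXED: returns 0 when INSTALLED >= FIXED.
# Segments are compared numerically, so 3.9.1 < 3.23.1; a plain string
# comparison would get that wrong and report an old build as patched.
is_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# check_pkg NAME: prints patched / vulnerable / not-installed for one package.
# Returns 1 only for an installed package below the fixed version.
check_pkg() {
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$1" 2>/dev/null) \
        || { echo "$1: not-installed"; return 0; }
    if is_fixed "$inst" "$FIXED"; then
        echo "$1: patched ($inst)"
    else
        echo "$1: vulnerable ($inst < $FIXED)"
        return 1
    fi
}

# check_host: walk the binary packages from the advisory's package list;
# returns 1 if any installed one is still vulnerable.
check_host() {
    rc=0
    for p in libfreerdp2 libwinpr2 freerdp freerdp-server freerdp-proxy; do
        check_pkg "$p" || rc=1
    done
    return $rc
}

# Only run the live query where rpm exists (e.g. on the SUSE host itself).
command -v rpm >/dev/null 2>&1 && check_host
```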