oss-sec mailing list archives
FreeRDP tmp flaws
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 26 May 2015 08:53:43 -0600
This may need 2 CVE's because different versions are affected.
Upstream has no security address I can find, filing a GitHUB issue (what
their wiki says to do) which is public so also posting here.
This is in the RHEL 7 version and upstream:
=============================
./channels/drdynvc/tsmf/tsmf_media.c: snprintf(buf, sizeof(buf),
"/tmp/FreeRDP_Frame_%d.ppm", frame_id);
/* Dump a .ppm image for every 30 frames. Assuming the
frame is in YUV format, we
extract the Y values to create a grayscale image. */
static int frame_id = 0;
char buf[100];
FILE * fp;
if ((frame_id % 30) == 0)
{
snprintf(buf, sizeof(buf),
"/tmp/FreeRDP_Frame_%d.ppm", frame_id);
fp = fopen(buf, "wb");
fwrite("P5\n", 1, 3, fp);
snprintf(buf, sizeof(buf), "%d %d\n",
sample->stream->width, sample->stream->height);
fwrite(buf, 1, strlen(buf), fp);
fwrite("255\n", 1, 4, fp);
fwrite(sample->data, 1, sample->stream->width *
sample->stream->height, fp);
fflush(fp);
fclose(fp);
}
frame_id++;
#endif
}
}
This is in the RHEL 7 version, not in upstream currently:
=========================
./libfreerdp-gdi/gdi.c: sprintf(tile_bitmap, "/tmp/rfx/tile_%d.bmp",
tilenum++);
int tilenum = 0;
#ifdef DUMP_REMOTEFX_TILES
sprintf(tile_bitmap, "/tmp/rfx/tile_%d.bmp",
tilenum++);
freerdp_bitmap_write(tile_bitmap,
gdi->tile->bitmap->data, 64, 64, 32);
#endif
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- FreeRDP tmp flaws Kurt Seifried (May 26)
- Re: FreeRDP tmp flaws Kurt Seifried (May 26)
- Re: FreeRDP tmp flaws cve-assign (May 27)
- Re: Re: FreeRDP tmp flaws Kurt Seifried (May 27)