oss-sec mailing list archives
Re: FreeRDP tmp flaws
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 26 May 2015 09:41:45 -0600
Actually it looks like upstream fixed both of them already so one CVE can do (I don't think it's important enough to SPLIT/MERGE properly). On 05/26/2015 08:53 AM, Kurt Seifried wrote:
This may need 2 CVE's because different versions are affected. Upstream has no security address I can find, filing a GitHUB issue (what their wiki says to do) which is public so also posting here. This is in the RHEL 7 version and upstream: ============================= ./channels/drdynvc/tsmf/tsmf_media.c: snprintf(buf, sizeof(buf), "/tmp/FreeRDP_Frame_%d.ppm", frame_id); /* Dump a .ppm image for every 30 frames. Assuming the frame is in YUV format, we extract the Y values to create a grayscale image. */ static int frame_id = 0; char buf[100]; FILE * fp; if ((frame_id % 30) == 0) { snprintf(buf, sizeof(buf), "/tmp/FreeRDP_Frame_%d.ppm", frame_id); fp = fopen(buf, "wb"); fwrite("P5\n", 1, 3, fp); snprintf(buf, sizeof(buf), "%d %d\n", sample->stream->width, sample->stream->height); fwrite(buf, 1, strlen(buf), fp); fwrite("255\n", 1, 4, fp); fwrite(sample->data, 1, sample->stream->width * sample->stream->height, fp); fflush(fp); fclose(fp); } frame_id++; #endif } } This is in the RHEL 7 version, not in upstream currently: ========================= ./libfreerdp-gdi/gdi.c: sprintf(tile_bitmap, "/tmp/rfx/tile_%d.bmp", tilenum++); int tilenum = 0; #ifdef DUMP_REMOTEFX_TILES sprintf(tile_bitmap, "/tmp/rfx/tile_%d.bmp", tilenum++); freerdp_bitmap_write(tile_bitmap, gdi->tile->bitmap->data, 64, 64, 32); #endif
-- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- FreeRDP tmp flaws Kurt Seifried (May 26)
- Re: FreeRDP tmp flaws Kurt Seifried (May 26)
- Re: FreeRDP tmp flaws cve-assign (May 27)
- Re: Re: FreeRDP tmp flaws Kurt Seifried (May 27)