git: a9185f053f0c - main - security/vuxml: document vulnerabilities for net/freerdp

From: Fernando Apesteguía <fernape_at_FreeBSD.org>
Date: Fri, 24 Feb 2023 13:41:50 UTC
The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a9185f053f0c2240e239ef6ad68c82fcdb8c49f2

commit a9185f053f0c2240e239ef6ad68c82fcdb8c49f2
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-02-24 13:23:01 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-02-24 13:36:11 +0000

    security/vuxml: document vulnerabilities for net/freerdp
    
    CVE-2022-39282 and CVE-2022-39283.
    
    PR:             269667
    Reported by:    grahamperrin@freebsd.org
---
 security/vuxml/vuln/2023.xml | 63 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index 2ba2c6e0ac95..2a52f204707f 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,66 @@
+  <vuln vid="dd271de6-b444-11ed-9268-b42e991fc52e">
+    <topic>freerdp -- clients using the `/video` command line switch might read uninitialized data</topic>
+    <affects>
+      <package>
+	<name>freerdp</name>
+	<range><lt>2.8.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>MITRE reports:</p>
+      <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39283">
+	<p>
+	  All FreeRDP based clients when using the `/video`
+	  command line switch might read uninitialized data, decode
+	  it as audio/video and display the result. FreeRDP based
+	  server implementations are not affected.
+	</p>
+      </blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2022-39283</cvename>
+      <url>https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6cf9-3328-qrvh</url>
+    </references>
+    <dates>
+      <discovery>2022-10-13</discovery>
+      <entry>2023-02-24</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="c682923d-b444-11ed-9268-b42e991fc52e">
+    <topic>freerdp -- clients using `/parallel` command line switch might read uninitialized data</topic>
+    <affects>
+      <package>
+	<name>freerdp</name>
+	<range><lt>2.8.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>MITRE reports:</p>
+      <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39282">
+	<p>
+	  FreeRDP based clients on unix systems using
+	  `/parallel` command line switch might read uninitialized
+	  data and send it to the server the client is currently
+	  connected to. FreeRDP based server implementations are not
+	  affected.
+	</p>
+      </blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2022-39282</cvename>
+      <url>https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c45q-wcpg-mxjq</url>
+    </references>
+    <dates>
+      <discovery>2022-10-13</discovery>
+      <entry>2023-02-24</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="4d6b5ea9-bc64-4e77-a7ee-d62ba68a80dd">
     <topic>chromium -- multiple vulnerabilities</topic>
     <affects>
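Review bot: In both new entries the `<p>MITRE reports:</p>` paragraph and the `cite` on the following `<blockquote>` attribute the quoted text to MITRE, while the `<url>` in `<references>` points at the FreeRDP GitHub advisory, and the quoted wording appears to be the upstream advisory text rather than an independent MITRE write-up, so the attribution and the cited source disagree. Consider `<p>The FreeRDP project reports:</p>` with `<blockquote cite="https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6cf9-3328-qrvh">` for the first entry and the GHSA-c45q-wcpg-mxjq URL for the second, which is how sibling vuxml entries normally attribute upstream advisories. The `<blockquote>` element is also indented two columns less than its sibling `<p>` in both entries; aligning them keeps the description body consistent with the rest of the file. The `<lt>2.8.1</lt>` range matches the upstream fix release named in those advisories, but that release is understood to have addressed further advisories beyond the two documented here, so it is worth confirming the remaining ones have their own entries rather than being implied by these.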