git: a9185f053f0c - main - security/vuxml: document vulnerabilities for net/freerdp
Date: Fri, 24 Feb 2023 13:41:50 UTC
The branch main has been updated by fernape: URL: https://cgit.FreeBSD.org/ports/commit/?id=a9185f053f0c2240e239ef6ad68c82fcdb8c49f2 commit a9185f053f0c2240e239ef6ad68c82fcdb8c49f2 Author: Fernando Apesteguía <fernape@FreeBSD.org> AuthorDate: 2023-02-24 13:23:01 +0000 Commit: Fernando Apesteguía <fernape@FreeBSD.org> CommitDate: 2023-02-24 13:36:11 +0000 security/vuxml: document vulnerabilities for net/freerdp CVE-2022-39282 and CVE-2022-39283. PR: 269667 Reported by: grahamperrin@freebsd.org --- security/vuxml/vuln/2023.xml | 63 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+)
diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index 2ba2c6e0ac95..2a52f204707f 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,66 @@
+ <vuln vid="dd271de6-b444-11ed-9268-b42e991fc52e">
+ <topic>freerdp -- clients using the `/video` command line switch might read uninitialized data</topic>
+ <affects>
+ <package>
+ <name>freerdp</name>
+ <range><lt>2.8.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>MITRE reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39283">
+ <p>
+ All FreeRDP based clients when using the `/video`
+ command line switch might read uninitialized data, decode
+ it as audio/video and display the result. FreeRDP based
+ server implementations are not affected.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2022-39283</cvename>
+ <url>https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6cf9-3328-qrvh</url>
+ </references>
+ <dates>
+ <discovery>2022-10-13</discovery>
+ <entry>2023-02-24</entry>
+ </dates>
+ </vuln>
+
+ <vuln vid="c682923d-b444-11ed-9268-b42e991fc52e">
+ <topic>freerdp -- clients using `/parallel` command line switch might read uninitialized data</topic>
+ <affects>
+ <package>
+ <name>freerdp</name>
+ <range><lt>2.8.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>MITRE reports:</p>
+ <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39282">
+ <p>
+ FreeRDP based clients on unix systems using
+ `/parallel` command line switch might read uninitialized
+ data and send it to the server the client is currently
+ connected to. FreeRDP based server implementations are not
+ affected.
+ </p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2022-39282</cvename>
+ <url>https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c45q-wcpg-mxjq</url>
+ </references>
+ <dates>
+ <discovery>2022-10-13</discovery>
+ <entry>2023-02-24</entry>
+ </dates>
+ </vuln>
+
 <vuln vid="4d6b5ea9-bc64-4e77-a7ee-d62ba68a80dd">
 <topic>chromium -- multiple vulnerabilities</topic>
 <affects>
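Review bot: The topic of the second entry (CVE-2022-39282) understates the impact. Its quoted description says the client may read uninitialized data "and send it to the server the client is currently connected to", but the topic stops at "might read uninitialized data", and the topic is the line an administrator sees when triaging audit output. I would end that topic with `might send uninitialized data to the server`, and add the missing article so it matches the first entry (`clients using the ...`). Both entries share the same package, the same `<lt>2.8.1</lt>` range and the same dates, so they could optionally be merged into one entry with two `<cvename>` elements, which would presumably report a single finding per installed package. Both new entries are complete within the hunk; only the trailing chromium context entry continues outside it.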