Bug 1204258 (CVE-2022-39282) - VUL-0: CVE-2022-39282: freerdp: using the `/parallel` command line switch might read uninitialized data
Summary: VUL-0: CVE-2022-39282: freerdp: using the `/parallel` command line switch mig...
Status: RESOLVED FIXED
Alias: CVE-2022-39282
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/344935/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-39282:4.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-10-13 07:13 UTC by Robert Frohl
Modified: 2024-06-26 10:32 UTC
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Robert Frohl 2022-10-13 07:13:05 UTC
CVE-2022-39282

FreeRDP is a free remote desktop protocol library and clients. FreeRDP based
clients on unix systems using `/parallel` command line switch might read
uninitialized data and send it to the server the client is currently connected
to. FreeRDP based server implementations are not affected. Please upgrade to
2.8.1 where this issue is patched. If unable to upgrade, do not use parallel
port redirection (`/parallel` command line switch) as a workaround.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39282
http://www.cvedetails.com/cve/CVE-2022-39282/
https://github.com/FreeRDP/FreeRDP/releases/tag/2.8.1
https://www.cve.org/CVERecord?id=CVE-2022-39282
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c45q-wcpg-mxjq
Comment 1 Robert Frohl 2022-10-13 07:14:14 UTC
relevant for Factory and openSUSE:Backports:SLE-15-SP*
Comment 5 Robert Frohl 2022-10-13 09:29:20 UTC
tracking as affected:

- SUSE:SLE-12-SP2:Update/freerdp
- SUSE:SLE-15-SP2:Update/freerdp
- SUSE:SLE-15-SP4:Update/freerdp
Comment 7 Jia Zhaocong 2022-10-19 08:11:47 UTC
Cleaning up GNOME CVE backlog. The fix has been submitted and accepted. Assign
back to security team.
Comment 8 Swamp Workflow Management 2022-11-15 14:33:11 UTC
SUSE-SU-2022:3982-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1204257,1204258
CVE References: CVE-2022-39282,CVE-2022-39283
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    freerdp-2.1.2-150200.15.21.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    freerdp-2.1.2-150200.15.21.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    freerdp-2.1.2-150200.15.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2022-11-15 14:33:57 UTC
SUSE-SU-2022:3983-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1204257,1204258
CVE References: CVE-2022-39282,CVE-2022-39283
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    freerdp-2.4.0-150400.3.9.1
SUSE Linux Enterprise Workstation Extension 15-SP4 (src):    freerdp-2.4.0-150400.3.9.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    freerdp-2.4.0-150400.3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2022-11-15 14:35:45 UTC
SUSE-SU-2022:3984-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1204257,1204258
CVE References: CVE-2022-39282,CVE-2022-39283
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    freerdp-2.1.2-12.29.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    freerdp-2.1.2-12.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Robert Frohl 2024-04-19 14:29:24 UTC
done