CVE-2014-0250: Integer Overflow
First published: Tue Aug 20 2013(Updated: )
client/X11/xf_graphics.c:xf_Pointer_New() performs a heap allocation this way: void xf_Pointer_New(rdpContext* context, rdpPointer* pointer) { XcursorImage ci; […] ci.width = pointer->width; ci.height = pointer->height; […] ci.pixels = (XcursorPixel*) malloc(ci.width * ci.height * 4); The width and height members are read from the wire. Both are 16 bit, but because of the multiplication with 4, the allocation still overflows (on 32 bit and 64 bit). xf_Bitmap_Decompress() appears to have a similar issue. These look very much like a trust boundary is crossed. Consequently, this is an embargoed security bug which has to be fixed in cooperation with upstream (which appears to be affected as well).
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FreeRDP | =1.0.0 | |
| FreeRDP | =1.0.1 | |
| FreeRDP | =1.0.2 | |
| openSUSE | =12.3 | |
| openSUSE | =13.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/FreeRDP/FreeRDP/issues/1657
- https://access.redhat.com/security/cve/CVE-2014-0250
- https://github.com/FreeRDP/FreeRDP/issues/1871
- https://bugzilla.redhat.com/show_bug.cgi?id=998934
- http://advisories.mageia.org/MGASA-2014-0287.html
- http://lists.opensuse.org/opensuse-updates/2014-07/msg00008.html
- http://seclists.org/oss-sec/2014/q2/365
- http://security.gentoo.org/glsa/glsa-201412-18.xml
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:171
- http://www.securityfocus.com/bid/67670
- https://github.com/FreeRDP/FreeRDP/pull/1874
Frequently Asked Questions
What is the severity of CVE-2014-0250?
CVE-2014-0250 has a moderate severity rating, impacting the stability and security of affected applications.
How do I fix CVE-2014-0250?
To fix CVE-2014-0250, upgrade FreeRDP to versions 1.0.3 or later, or apply any available security patches.
What are the affected versions for CVE-2014-0250?
CVE-2014-0250 affects FreeRDP versions 1.0.0, 1.0.1, and 1.0.2 as well as openSUSE versions 12.3 and 13.1.
What kind of vulnerability is CVE-2014-0250?
CVE-2014-0250 is related to memory management issues due to improper heap allocation.
Is CVE-2014-0250 present in my FreeRDP installation?
You can determine if CVE-2014-0250 is present by checking your FreeRDP version against the affected versions list.
- agent/type
- agent/first-publish-date
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-0250
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/freerdp
- canonical/freerdp
- version/freerdp/1.0.0
- version/freerdp/1.0.1
- version/freerdp/1.0.2
- vendor/opensuse
- canonical/opensuse
- version/opensuse/12.3
- version/opensuse/13.1