CVE-2023-39356: 
NixOS vulnerability analysis and mitigation

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. A vulnerability identified as CVE-2023-39356 was discovered in versions prior to 2.11.0 and 3.0.0-beta3. The vulnerability was disclosed on August 31, 2023 (GitHub Advisory).

The vulnerability stems from a missing offset validation in the function gdi_multi_opaque_rect. Specifically, there is no code to validate if the value multi_opaque_rect->numRectangles is less than 45, which is the size of the static rectangles array. The CVSS v3.1 base score is 9.1 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H (NVD).

When exploited, looping through multi_opaque_rect->numRectangles without proper boundary checks can lead to Out-of-Bounds Read errors which will likely lead to a crash of the application. This vulnerability affects FreeRDP-based clients only, while the FreeRDP proxy is not affected as image decoding is not done by proxy (data passthrough) (GitHub Advisory).

The vulnerability has been patched in FreeRDP versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade to these or later versions. There are no known workarounds for this vulnerability (GitHub Advisory).

Multiple Linux distributions have released security advisories and patches for this vulnerability, including Debian, Fedora, and Gentoo. Debian rated it with medium priority and included it in their security update DLA-3606-1 (Debian LTS). Fedora promptly released updates for versions 37, 38, and 39 to address this vulnerability along with other security issues (Fedora Updates).