FreeRDP 3.29 Is Out With Extensive Security Fixes

The open-source Remote Desktop Protocol implementation FreeRDP rolls out 22 security advisories, stronger runtime protections, and multiple client fixes.

The FreeRDP project has announced the release of version 3.29, a security-heavy update to the widely used open-source implementation of Microsoft’s Remote Desktop Protocol. Given the number and scope of the addressed issues (22 in total), the developers strongly recommend that users upgrade.

This release follows a rigorous review by several security researchers since the previous version. The vulnerabilities addressed affect multiple areas of FreeRDP’s protocol and multimedia stack.

FreeRDP’s certificate-processing code is now more robust against X.509 values with embedded null characters. Several fixes address FreeRDP’s video decoders. The H.264 implementation corrects surface-dimension mismatches and other decoding issues. The AV1 decoder now limits output to the actual frame size, and additional checks validate AV1 region rectangles, similar to existing AVC processing.

Camera redirection also receives significant updates. FreeRDP 3.29 now filters out unsupported devices, adds validity checks for incoming data, and corrects the reading of camera configuration descriptors.

Security checks have been added to the core RDP connection process. The client now rejects server random values that are too short when establishing encryption keys, reducing the risk of malformed server responses.

Alongside the security work, FreeRDP 3.29 adds endpoint FedAuth token authentication for RDSTLS. Linux desktop users benefit from several fixes. The SDL client now handles requested clipboard MIME formats more reliably, improving interoperability between local and remote sessions. The X11 client also resolves an issue with maximizing HiDef RemoteApp windows.

RemoteApp support is improved through more consistent handling of RAIL Unicode strings, better processing of RAIL server messages, and a corrected length check for application-name data from remote systems.

Smart-card redirection receives several adjustments, including reordered allocation handling, stricter requirements for select-by-file-identifier commands in the virtual smart-card implementation, and a corrected buffer length that excludes NDR padding.

Additional updates include allocation checks for serial-device redirection, corrected planar-codec input validation, improved asynchronous update handling, and server-response size validation in the Windows client.

Finally, the release also includes maintenance fixes for mobile platforms, such as Android build updates and several iOS compilation and warning corrections.

For additional details, see the announcement. The source archive is available on the project’s release page. Users are advised to install the updated packages as soon as they become available through their Linux distribution’s repositories.

Bobby Borisov

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

Leave a Reply

Your email address will not be published. Required fields are marked *