[meta-oe,kirkstone,v2] freerdp: patch CVE-2023-39350

Message ID 20260120123223.1003063-1-skandigraun@gmail.com
State New

Commit Message

Gyorgy Sarvari Jan. 20, 2026, 12:32 p.m. UTC
From: Gyorgy Sarvari via lists.openembedded.org <skandigraun=gmail.com@lists.openembedded.org>

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39350

Pick the patch that was identified[1] by Debian as the solution.
Note that the NVD report also references a commit as a patch - however
that seems to be incorrect. Although the NVD patch also solves a
vulnerability, it solves a different CVE (CVE-2023-39353), not this.

[1]: https://security-tracker.debian.org/tracker/CVE-2023-39350

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---

v1: https://lists.openembedded.org/g/openembedded-devel/message/123658
v2: v1 included the patch that was identified by NVD as the solution.
    Looking at it more closely, it doesn't look correct: it solves a
    different vulnerability. This patch picks the commit that was
    identified by Debian as the solution, which also fits the
    vulnerability description better.

 .../freerdp/freerdp/CVE-2023-39350.patch      | 42 +++++++++++++++++++
 .../recipes-support/freerdp/freerdp_2.6.1.bb  |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39350.patch
Patch

diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39350.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39350.patch
new file mode 100644
index 0000000000..9f4590d90e
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39350.patch
@@ -0,0 +1,42 @@ 
+From 31ede2c7f721cb32a4a4c7ec843e9ddafb69ba53 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Fri, 4 Aug 2023 13:55:40 +0200
+Subject: [PATCH] fix possible out of bound read
+
+Allows malicious servers to crash FreeRDP based clients
+reported by pwn2carr
+
+(cherry picked from commit a51952882f2eb3bbce6b69a7a4f9a54bf1dbb672)
+
+CVE: CVE-2023-39350
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/7ece410ce5b5660b9191e1ccb6835158afa11822]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ libfreerdp/codec/rfx.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/libfreerdp/codec/rfx.c b/libfreerdp/codec/rfx.c
+index 38eb1b9a4..bbd7aafa3 100644
+--- a/libfreerdp/codec/rfx.c
++++ b/libfreerdp/codec/rfx.c
+@@ -1129,8 +1129,18 @@ BOOL rfx_process_message(RFX_CONTEXT* context, const BYTE* data, UINT32 length,
+ 			}
+ 		}
+ 
+-		Stream_StaticInit(&subStream, Stream_Pointer(s), blockLen - (6 + extraBlockLen));
+-		Stream_Seek(s, blockLen - (6 + extraBlockLen));
++		const size_t blockLenNoHeader = blockLen - 6;
++		if (blockLenNoHeader < extraBlockLen)
++		{
++			WLog_Print(context->priv->log, WLOG_ERROR,
++			           "blockLen too small(%" PRIu32 "), must be >= 6 + %" PRIu16, blockLen,
++			           extraBlockLen);
++			return FALSE;
++		}
++
++		const size_t subStreamLen = blockLenNoHeader - extraBlockLen;
++		Stream_StaticInit(&subStream, Stream_Pointer(s), subStreamLen);
++		Stream_Seek(s, subStreamLen);
+ 
+ 		switch (blockType)
+ 		{
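
Review bot: In the rfx.c change, `const size_t blockLenNoHeader = blockLen - 6;` subtracts from an unsigned value (it is logged with PRIu32), and nothing in the visible context shows that blockLen is at least 6 at this point. If it can be smaller, the subtraction wraps to a large value, the new `blockLenNoHeader < extraBlockLen` test does not trigger, and subStreamLen is still oversized when it reaches Stream_StaticInit and Stream_Seek. Please confirm that the 2.6.1 source rejects blockLen < 6 earlier in rfx_process_message, or compare before subtracting, for example `if (blockLen < 6 || blockLen - 6 < extraBlockLen)`. Separately, the patch header carries three different hashes (the From line, the "cherry picked from" line and the Upstream-Status URL); a sentence in the commit message saying which of them is the stable-2.0 commit would help anyone auditing this backport later.
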
diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
index 7cadae3d45..a104f33e52 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
@@ -21,6 +21,7 @@  SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https
            file://CVE-2022-24883.patch \
            file://CVE-2022-39282.patch \
            file://CVE-2022-39320.patch \
+           file://CVE-2023-39350.patch \
            "
 
 S = "${WORKDIR}/git"
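
Review bot: The new `file://CVE-2023-39350.patch \` entry is placed correctly after the existing CVE patches, but the backported hunk is taken from a cherry-pick, so its context at rfx.c line 1129 may not match the revision this recipe builds from the stable-2.0 branch. Please state in the submission that do_patch applies it without fuzz or offset warnings on kirkstone.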