From patchwork Wed Jan 21 07:04:35 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79282 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7C30FCA5FBA for ; Wed, 21 Jan 2026 07:04:49 +0000 (UTC) Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.6845.1768979082063811818 for ; Tue, 20 Jan 2026 23:04:42 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=RuoY5f5/; spf=pass (domain: gmail.com, ip: 209.85.128.48, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f48.google.com with SMTP id 5b1f17b1804b1-4801c314c84so40435345e9.0 for ; Tue, 20 Jan 2026 23:04:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768979080; x=1769583880; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=jTvoy7Heb7fbn8TgY5zHi97jVbCDENv8RC9rlBZ3duY=; b=RuoY5f5/qn179JZM9V90Q+dzKgFOxFnn47KOGDpmyPcoGM1H0nAE7bpizQwJ2QOR8c 1qLGOPNzBBNZryQuOlvw7K+vNax+OugWJBODMua5GkSvGi3yX4dJsBjXGqXfaYUQnk+t LqvtIgX9GlUeumifCmPdve+j9UeHDhWt7sd/1FhSJViJ39FSxpR53BsMYphJTOlu8HHe arzfXIadozDzlkSWwEu6BUYydxDzXOjrlZKvkn6SiaRvlgxLp3UUGT4gVI0KhhXuI8d0 iwU/wYgkxowjq9WUNLhCv5b3HfwlgEHXSUoX4rfOYA8ckI1rQUEuOIVjy4N7sNzD0/Sf 119Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768979080; x=1769583880; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=jTvoy7Heb7fbn8TgY5zHi97jVbCDENv8RC9rlBZ3duY=; b=CqNPzBzVT9SyqkCd7zhW4WPiR6Zh7jELCbmgE+c4d/XnE6+8iEP/vteZZ8T9tX/1Bo h1WIAVw84PmZb9PH0VIe737IIbZzAvIMJeRKctMz7438hw07/GamtRrI5E/3RMxHbE57 dtUW9ZR9yFxAXo8g3t40XAO5zkjFPUTNsrI5QOdXNHPoY+iaibPDKxUypvgxS4OMBv20 jtZdVWz6XlSakJK0H//RffHehZIGBN2RpKUjKZj5Z+Ics51OAnfqBnh3yY9qUS4Hirdu xSDMsJXYJmqcYOOusHmFxDV8aERJMa8Q5G2aKMoVzRSjU5JzMnJCGxj/IU+uo/ROqj3D YlEg== X-Gm-Message-State: AOJu0YzGA7BW7BGeSJXLuWtkdv878Avd6gc9Eixzo+IZQZkKgGyyuR7f FGaceUa8nPoRORVP86d1R3QGZ4gccyL6n6OX5Ok1ZgPecejOiuXd+k7M+DZAfQ== X-Gm-Gg: AZuq6aKgwo4T4o8ZAhCgPoyMEu6ZqvpreGRNb9A8kM1rGL13FijIiSOBpLz/c+ElV30 p+CNkNBiPcv46YYiBIjXSINmvyf1/aE8hdcFTRmGY83ZGk9i/R6uXW/YJRpUqbQ9ofAY46ZA11t dcNlCICX4BT+5e0X7UGcCneoAEt9Of+ieyL8dJXtC1jpV/5EpU+BORMkIIgvkg7wz/2/Oi8G+IU 8QFYlZI57+51cIsO1N6SGLXzTHDus7lIiKY255AH7ZwfFSNhEHS2KAtEke1YQ36ZyQMViDu5+Xc 0bv36UWryEm/Re4jm5GcQttnJy0m1fcxZSgYCKmsDER42/Xg8mc0lL3gqwtFKhnupqtC7F23eGU Sl8cAcuhOeE3vgvWMxjecYQSy0qYXUlSbbpDgsRN1i/zfY2tve1yCCKTLYvGWsznAPQN+2EkV/R oPt56xtOg5 X-Received: by 2002:a05:600c:19cd:b0:479:3a89:121d with SMTP id 5b1f17b1804b1-4801e359031mr228933175e9.36.1768979080107; Tue, 20 Jan 2026 23:04:40 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-4356996dadbsm34106880f8f.21.2026.01.20.23.04.39 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 Jan 2026 23:04:39 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 1/5] freerdp: patch CVE-2023-39351 Date: Wed, 21 Jan 2026 08:04:35 +0100 Message-ID: <20260121070439.1632875-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 21 Jan 2026 07:04:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123684 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39351 Pick the patch that is mentioned by Debian[1] to solve the problem. [1]: https://security-tracker.debian.org/tracker/CVE-2023-39351 Signed-off-by: Gyorgy Sarvari --- .../freerdp/freerdp/CVE-2023-39351.patch | 30 +++++++++++++++++++ .../recipes-support/freerdp/freerdp_2.6.1.bb | 1 + 2 files changed, 31 insertions(+) create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39351.patch diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39351.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39351.patch new file mode 100644 index 0000000000..549b0ec61d --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39351.patch @@ -0,0 +1,30 @@ +From 4a6475e50797218dec507f75477d6c047b14e9f6 Mon Sep 17 00:00:00 2001 +From: Armin Novak +Date: Sat, 5 Aug 2023 09:29:19 +0200 +Subject: [PATCH] free content of currentMessage on fail + +(cherry picked from commit e17ee48065d1ebcf863e8d0421cd656c4ef04d41) + +CVE: CVE-2023-39351 +Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/99e243cdbc31f66b5c917452c8fed3276e8bdcd5] +Signed-off-by: Gyorgy Sarvari +--- + libfreerdp/codec/rfx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libfreerdp/codec/rfx.c b/libfreerdp/codec/rfx.c +index 8c65e7508..3001f71bd 100644 +--- a/libfreerdp/codec/rfx.c ++++ b/libfreerdp/codec/rfx.c +@@ -1225,6 +1225,11 @@ BOOL rfx_process_message(RFX_CONTEXT* context, const BYTE* data, UINT32 length, + region16_uninit(&clippingRects); + return TRUE; + } ++ else ++ { ++ rfx_message_free(context, message); ++ context->currentMessage.freeArray = TRUE; ++ } + + return FALSE; + } diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb index a104f33e52..5c196f5ff0 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb @@ -22,6 +22,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https file://CVE-2022-39282.patch \ file://CVE-2022-39320.patch \ file://CVE-2023-39350.patch \ + file://CVE-2023-39351.patch \ " S = "${WORKDIR}/git" From patchwork Wed Jan 21 07:04:36 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79284 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 880A1CA5FDF for ; Wed, 21 Jan 2026 07:04:49 +0000 (UTC) Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.6846.1768979082650016228 for ; Tue, 20 Jan 2026 23:04:42 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=hahU6lOd; spf=pass (domain: gmail.com, ip: 209.85.128.54, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-4801d1daf53so45540645e9.2 for ; Tue, 20 Jan 2026 23:04:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768979081; x=1769583881; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=jOIO/mflFqoyn3mwMAjvF/AZJKPAblAxPoqGeadGDqo=; b=hahU6lOdBBWCS5FOPFxybnFEXeiUbW3SzmtopO9Sclc7N0LVYBOh2eOPycMT6Wsosd QJBIA4HkkF2KuKbTahdnRfXARMTj4bcAC9Xhah4kK0l4oBeG4QEPy92HiEhEjpDLxBOM Biys8p/NRnuBCxQ2s7K3aCfp/xq9hP0m9GABsG/M1k0x7q7NX3ZDXkuOvrHZYMw7SpQy emsJAmwMFz64k3tyf+4Huf+Zyz+PRL+Y2SMfRNeuZTtqJKEhmVdOA4eSO44JW53REFld mzofFT3Fdr8WzC6Q37La+BrQgkTRLPj/mINUXqL5aIjmZQ354Rd2lLaeZynF3qhy0euk dNWg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768979081; x=1769583881; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=jOIO/mflFqoyn3mwMAjvF/AZJKPAblAxPoqGeadGDqo=; b=WUWCBaQYHep7v3ZNteVTJYvnT0gdl8tax2dPgns8IKWKGms7tgyHHXJP6ANDjBlK7S dectaibtB1oORV8OasQAycF1UALTdjZq335nEDeCJQvbezi62d/N5d5YsnGzmAtL9DS/ a1Zch9xlDZlx1wBkW4v+NFbHcTCvU90rAcczF8UKB167tJYf5rSvB2SWD66eHEcwkyHn qBGtg6m5N28iKYfdJxngu9GcveOr6LY4ij40nkiJVnCw1Xae9jAgMq9PaN+YfGu5FDkJ v5zNf1pWYHkZojnuebM9ukpyh0pWQFGe8RuMSqA7x0PSLhiWt3GmCM/LiDbQEXw7IjDY oX8A== X-Gm-Message-State: AOJu0Yzuca2dJcbrGNgt+8QboEKQneqUTvkgWnBbj1feoblLQYkR6eKH JMLL5v+rXpqSjct0YzA+f+imMzKVx6vYo53OLAWSbl3UlZo57noq3KM4u5afdw== X-Gm-Gg: AZuq6aKHel9OmXgw7A9AC0roSKmCLwuehv2ze7CFlbGGlEnNOTxaqPMWdvOgxxiSrDA J8cGRxY+/ouIeIh3rbfC7reXHeFvgSYh1O7D6e75fkwX0z/jrgiIa2Kr52ZmuP3ZqQl9H8g9B65 AksDNZjKrlvP9us/8v1qIoN+tBDYR5u/IPPOAQnkXfGHJIOHS6wVVruz5msIUIMjTIzUnYl6sva D2Z6t4cQlQ20WxdbbeUy8yFKYM+naOIT44ld6ZpxT1MDC0kTmLQOguHMu/mbsNf/xA5LqV8btIz itt9Fx8HYZ7sdi4Ooa1d7zNtvaUJ01LFQ8qnnaED2hUpLeN+tcvaOPc0LcEz0KXF/3W7Pk6bFOW xaDyEDT+rayr9yIGRfdjGsovZcdLwC/Gi74FsiSu3sta7e21/RhADHkQ6bZiztmUi2KVMO3o+jZ eVX/nJreZG X-Received: by 2002:a05:600c:8b09:b0:47e:e4f5:1910 with SMTP id 5b1f17b1804b1-4801e34a14fmr225281685e9.34.1768979080822; Tue, 20 Jan 2026 23:04:40 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-4356996dadbsm34106880f8f.21.2026.01.20.23.04.40 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 Jan 2026 23:04:40 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 2/5] freerdp: patch CVE-2023-39352 Date: Wed, 21 Jan 2026 08:04:36 +0100 Message-ID: <20260121070439.1632875-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260121070439.1632875-1-skandigraun@gmail.com> References: <20260121070439.1632875-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 21 Jan 2026 07:04:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123685 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39352 Backport the commit that was identified[1] by Debian as the solution. Note: WINPR_ASSERT macro calls have been changed to assert calls, as this macro doesn't exist yet in this version. Looking at the implementation[2], it is basically an assert call with a bit verbose logs. Even though the original implementation also defines a no-op version, the assert version is enabled by default. [1]: https://security-tracker.debian.org/tracker/CVE-2023-39352 [2]: https://github.com/FreeRDP/FreeRDP/blob/2.11.0/winpr/include/winpr/assert.h#L31 Signed-off-by: Gyorgy Sarvari --- .../freerdp/freerdp/CVE-2023-39352.patch | 124 ++++++++++++++++++ .../recipes-support/freerdp/freerdp_2.6.1.bb | 1 + 2 files changed, 125 insertions(+) create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39352.patch diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39352.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39352.patch new file mode 100644 index 0000000000..5010aca173 --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39352.patch @@ -0,0 +1,124 @@ +From 5fbd3aa27780d4c1e4610d1e5f1515f50fc3674b Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Mon, 22 May 2023 16:03:54 +0800 +Subject: [PATCH] add bound check in gdi_SolidFill + +From: houchengqiu + +In Windows remote run vulnerabillities exe program, to create +Micorosoft::Windows::RDS::Graphics channel, case Remmina crash. +So, add bound check, limit the size of the requested rect, no larger than the surface data buffer. + +(cherry picked from commit 6a63441e4ee8e2bf333361f5d24156a183b14ecd) + +CVE: CVE-2023-39352 +Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/856ecaa463e963ecfebc9734423d69139e7b3916] +Signed-off-by: Gyorgy Sarvari +--- + libfreerdp/gdi/gfx.c | 70 ++++++++++++++++++++++++++++---------------- + 1 file changed, 45 insertions(+), 25 deletions(-) + +diff --git a/libfreerdp/gdi/gfx.c b/libfreerdp/gdi/gfx.c +index a3b7505c5..d2ca9cb63 100644 +--- a/libfreerdp/gdi/gfx.c ++++ b/libfreerdp/gdi/gfx.c +@@ -25,6 +25,8 @@ + + #include "../core/update.h" + ++#include ++ + #include + #include + #include +@@ -1079,6 +1081,28 @@ static UINT gdi_DeleteSurface(RdpgfxClientContext* context, + return rc; + } + ++static BOOL intersect_rect(const RECTANGLE_16* rect, const gdiGfxSurface* surface, ++ RECTANGLE_16* prect) ++{ ++ assert((rect) && "Assert fail: rect"); ++ assert((surface) && "Assert fail: surface"); ++ assert((prect) && "Assert fail: prect"); ++ ++ if (rect->left > rect->right) ++ return FALSE; ++ if (rect->left > surface->width) ++ return FALSE; ++ if (rect->top > rect->bottom) ++ return FALSE; ++ if (rect->top > surface->height) ++ return FALSE; ++ prect->left = rect->left; ++ prect->top = rect->top; ++ prect->right = MIN(rect->right, surface->width); ++ prect->bottom = MIN(rect->bottom, surface->height); ++ return TRUE; ++} ++ + /** + * Function description + * +@@ -1087,40 +1111,36 @@ static UINT gdi_DeleteSurface(RdpgfxClientContext* context, + static UINT gdi_SolidFill(RdpgfxClientContext* context, const RDPGFX_SOLID_FILL_PDU* solidFill) + { + UINT status = ERROR_INTERNAL_ERROR; +- UINT16 index; +- UINT32 color; +- BYTE a, r, g, b; +- UINT32 nWidth, nHeight; +- RECTANGLE_16* rect; +- gdiGfxSurface* surface; +- RECTANGLE_16 invalidRect; ++ BYTE a = 0; ++ RECTANGLE_16 invalidRect = { 0 }; + rdpGdi* gdi = (rdpGdi*)context->custom; ++ + EnterCriticalSection(&context->mux); +- surface = (gdiGfxSurface*)context->GetSurfaceData(context, solidFill->surfaceId); ++ ++ assert((context->GetSurfaceData) && "Assert fail: context->GetSurfaceData"); ++ gdiGfxSurface* surface = (gdiGfxSurface*)context->GetSurfaceData(context, solidFill->surfaceId); + + if (!surface) + goto fail; + +- b = solidFill->fillPixel.B; +- g = solidFill->fillPixel.G; +- r = solidFill->fillPixel.R; +- /* a = solidFill->fillPixel.XA; +- * Ignore alpha channel, this is a solid fill. */ ++ const BYTE b = solidFill->fillPixel.B; ++ const BYTE g = solidFill->fillPixel.G; ++ const BYTE r = solidFill->fillPixel.R; + a = 0xFF; +- color = FreeRDPGetColor(surface->format, r, g, b, a); ++ const UINT32 color = FreeRDPGetColor(surface->format, r, g, b, a); + +- for (index = 0; index < solidFill->fillRectCount; index++) ++ for (UINT16 index = 0; index < solidFill->fillRectCount; index++) + { +- rect = &(solidFill->fillRects[index]); +- nWidth = rect->right - rect->left; +- nHeight = rect->bottom - rect->top; +- invalidRect.left = rect->left; +- invalidRect.top = rect->top; +- invalidRect.right = rect->right; +- invalidRect.bottom = rect->bottom; +- +- if (!freerdp_image_fill(surface->data, surface->format, surface->scanline, rect->left, +- rect->top, nWidth, nHeight, color)) ++ const RECTANGLE_16* rect = &(solidFill->fillRects[index]); ++ ++ if (!intersect_rect(rect, surface, &invalidRect)) ++ goto fail; ++ ++ const UINT32 nWidth = invalidRect.right - invalidRect.left; ++ const UINT32 nHeight = invalidRect.bottom - invalidRect.top; ++ ++ if (!freerdp_image_fill(surface->data, surface->format, surface->scanline, invalidRect.left, ++ invalidRect.top, nWidth, nHeight, color)) + goto fail; + + region16_union_rect(&(surface->invalidRegion), &(surface->invalidRegion), &invalidRect); diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb index 5c196f5ff0..052e77932e 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb @@ -23,6 +23,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https file://CVE-2022-39320.patch \ file://CVE-2023-39350.patch \ file://CVE-2023-39351.patch \ + file://CVE-2023-39352.patch \ " S = "${WORKDIR}/git" From patchwork Wed Jan 21 07:04:37 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79281 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 548E8D262B0 for ; Wed, 21 Jan 2026 07:04:49 +0000 (UTC) Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.6847.1768979083238871061 for ; Tue, 20 Jan 2026 23:04:43 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=JKBGrVyQ; spf=pass (domain: gmail.com, ip: 209.85.128.50, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-47ee301a06aso58824805e9.0 for ; Tue, 20 Jan 2026 23:04:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768979081; x=1769583881; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=5IY3Gqq0PwWpWMs7fAZG1AdwdRerqjKUnPpiUkIROOg=; b=JKBGrVyQdypB7NNQhcNqUpK/1ZoYHdSxHooYgjm9oQnpMx1BrCwOMPP44PPU4rKBIF L66isWJK+LQQTMuaMp5Ngbj80XS/awhWWZ3LvgqoqnICmlvQtwUzEL7s736+LrRxgjoB c7/F3s99pQAKt1iKqmrQXMZuyFV9EaJUszVaDDnwnpWc067IPY3WNgXA8Z1DZ6gYZosC GaBUSHElf17WgSnBlqDiBZBOnadN8usuRwQ8L/es1eEG1+a3t15byHFjjJgIx2n8ghfY e1F557DP9TslFUcbWLpP/zfTY7XCVClvxU64LWy+t2LyYu82m57oAJ1WnI7VYuJ5JKcy Fmcg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768979081; x=1769583881; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=5IY3Gqq0PwWpWMs7fAZG1AdwdRerqjKUnPpiUkIROOg=; b=kv/puMX5oG84fH/LtD5Qnqcklvavgq4cofxtZC+EF/DxukfetcgLjMMKWhNpV5BrIT B8XhSPBcRdI/KYKH9OcG4KHppzn1Yajf1ha5TP+/UCYLZGmcpAdCEpVxZVraSTtPEC8C QX+/9ZZKR5MwlUyf5OVx5QqtwNuvUR4t14k9lqHTJttOqc7o7xBA06X5XcJ32fQR+6eT fE0sdRqWWpVawdIB7nEsoIHmYRyAtwhvlf6h7p5RlVMkwueI22ItTsHyDBklUj+ry5Bh TgH6h5y6fN6F4J+Ad/5lzm6/Nwu0cAj/ud3945yZ4E0r0ZCGYbfVIVvwGlkhWsbI2Fy/ 8nxg== X-Gm-Message-State: AOJu0YxvLKB7xVte7UBKQSjUbzNdRcKk+6MVDeRzDmbVSi5hmJphSrum A+wqXkgJ3Ndb2H3GIxLKDqmW2kCG7duApe2op7nKBX1jQk6ih6opNZz1ShLgNg== X-Gm-Gg: AZuq6aJB4/UItFWJOQKePSzD8dbhDo0VSuGT7hVwENVq2ttpK0JFsFXnuRujDgrT68c H1iKrO8e8YPaRlg8bzUzNXcq65WL1xc9AYNifwLQL8mGuCfDZX3sOLg+gvcFSnZKthqeI8F8xeX cwoD2/WTokvNfcK3CdD9knF/CVyBtnnJJXxmdIbJhnFBDxsN5A/JqkqMzhwR4C3rbnLi11M8PEa koA445SxgJFLfMete56zbj9MA6u0Y42LAHBbRShHG8iZzv+84Er7Ar3+wiOck6HgpLOuPmiIWKY ACAaomFnkxWmK0Cj+VjKEbrKMAxq038Ri0z1e7+ECzkLXkO1d4Cw3GEIA/kqPpkiTjWvCG9StTz ks5uLFyCKECkD2L+kj0CMq3nAtFyDpOMLzSJhJsjQu2g04Ro9LMvpBK76XtrOKP/OzoRiStsviW 2rgSwv5Y5e X-Received: by 2002:a05:600c:458f:b0:477:5cc6:7e44 with SMTP id 5b1f17b1804b1-4801eabee40mr202497075e9.11.1768979081399; Tue, 20 Jan 2026 23:04:41 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-4356996dadbsm34106880f8f.21.2026.01.20.23.04.40 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 Jan 2026 23:04:41 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 3/5] freerdp: patch CVE-2023-39353 Date: Wed, 21 Jan 2026 08:04:37 +0100 Message-ID: <20260121070439.1632875-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260121070439.1632875-1-skandigraun@gmail.com> References: <20260121070439.1632875-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 21 Jan 2026 07:04:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123686 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39353 Pick the patch that was identified[1] by Debian as the solution. [1]: https://security-tracker.debian.org/tracker/CVE-2023-39353 Signed-off-by: Gyorgy Sarvari --- .../freerdp/freerdp/CVE-2023-39353.patch | 53 +++++++++++++++++++ .../recipes-support/freerdp/freerdp_2.6.1.bb | 1 + 2 files changed, 54 insertions(+) create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39353.patch diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39353.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39353.patch new file mode 100644 index 0000000000..51ac065687 --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-39353.patch @@ -0,0 +1,53 @@ +From 944994cb41d62ea893bd8bdaf436e97f42965de0 Mon Sep 17 00:00:00 2001 +From: Armin Novak +Date: Sat, 5 Aug 2023 08:57:28 +0200 +Subject: [PATCH] check indices are within range + +reported by pwn2carr + +CVE: CVE-2023-39353 +Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/e204fc8be5a372626b13f66daf2abafe71dbc2dc] +Signed-off-by: Gyorgy Sarvari +--- + libfreerdp/codec/rfx.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +diff --git a/libfreerdp/codec/rfx.c b/libfreerdp/codec/rfx.c +index 8c65e7508..998a7aa56 100644 +--- a/libfreerdp/codec/rfx.c ++++ b/libfreerdp/codec/rfx.c +@@ -932,10 +932,33 @@ static BOOL rfx_process_message_tileset(RFX_CONTEXT* context, RFX_MESSAGE* messa + rc = FALSE; + break; + } +- + Stream_Read_UINT8(&sub, tile->quantIdxY); /* quantIdxY (1 byte) */ + Stream_Read_UINT8(&sub, tile->quantIdxCb); /* quantIdxCb (1 byte) */ + Stream_Read_UINT8(&sub, tile->quantIdxCr); /* quantIdxCr (1 byte) */ ++ if (tile->quantIdxY >= context->numQuant) ++ { ++ WLog_Print(context->priv->log, WLOG_ERROR, ++ "quantIdxY %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxY, ++ context->numQuant); ++ rc = FALSE; ++ break; ++ } ++ if (tile->quantIdxCb >= context->numQuant) ++ { ++ WLog_Print(context->priv->log, WLOG_ERROR, ++ "quantIdxCb %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCb, ++ context->numQuant); ++ rc = FALSE; ++ break; ++ } ++ if (tile->quantIdxCr >= context->numQuant) ++ { ++ WLog_Print(context->priv->log, WLOG_ERROR, ++ "quantIdxCr %" PRIu8 " >= numQuant %" PRIu8, tile->quantIdxCr, ++ context->numQuant); ++ rc = FALSE; ++ break; ++ } + Stream_Read_UINT16(&sub, tile->xIdx); /* xIdx (2 bytes) */ + Stream_Read_UINT16(&sub, tile->yIdx); /* yIdx (2 bytes) */ + Stream_Read_UINT16(&sub, tile->YLen); /* YLen (2 bytes) */ diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb index 052e77932e..dd944e450d 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb @@ -24,6 +24,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https file://CVE-2023-39350.patch \ file://CVE-2023-39351.patch \ file://CVE-2023-39352.patch \ + file://CVE-2023-39353.patch \ " S = "${WORKDIR}/git" From patchwork Wed Jan 21 07:04:38 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79280 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 580ECD262B7 for ; Wed, 21 Jan 2026 07:04:49 +0000 (UTC) Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com [209.85.128.43]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.6786.1768979083882976811 for ; Tue, 20 Jan 2026 23:04:44 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=BjEHCm/6; spf=pass (domain: gmail.com, ip: 209.85.128.43, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f43.google.com with SMTP id 5b1f17b1804b1-4801d21c411so22385875e9.3 for ; Tue, 20 Jan 2026 23:04:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768979082; x=1769583882; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=rH68EfhPTPynTSo8yMbL8xwfxorC76r0vVtlMg5ssFk=; b=BjEHCm/6vFuxDlLVR+MZlnRveqeEjHoN4xmwRD5nX2UvEJeUetL50qZr1ykkcE9/eZ 7Mm/RuHTEKPGMcDAtsGXZq0JRk9uid3lJTCGJH7bF7tZbvMnZKSb6vladTI8FzEyVFQl WR9xeXPiurAR0XWiRegMieWxcVPwQKuusSKhI2VhIdJPFX3IuBlTAQwr7VJrJCdMko4G x9eKIDDUPmuWl/9BSSAJLZcLUkPchW/697iKzCs5WMzzZzoLABIix6vPLbdiko78voLn Ix9umHslIZdCKe0rjVhr6hXp0X0xJQ6OtVdKJ6M1Xbcz1fvCILvldVgf9thBT3bd6pbI Gcsw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768979082; x=1769583882; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=rH68EfhPTPynTSo8yMbL8xwfxorC76r0vVtlMg5ssFk=; b=DzQX+0Ci2U0jHZ0DqykSqknNLDrcCcH6l0hH7jRo1NvvwE/q4tUk7AY3d1RQfN8Opy 9+zcZnEVJiygiWdK0tLKKB/eMpdEpJwuZxjVicdW1iA4QGaMMXVV2sYLRw1wRmvTvy0j cd6ZDazBuDlDEcvMlngccw/BosTwdyiNIq3KCNH+ct3dR8oRK0D4o//haxPnvk3d6bZb qt/wj372VK7Cz3MJPYFW7Spvv9dVoWYB5UiuN/GW2fkl5m6DMh/SJHLeYUHJjx6KzbSF gYN0k1xnGD7gDKsgpCSENJllvvoXCZYg9TY4pKZ2IVFTZELyugFPneTc361ZK09y5eG7 O8Jw== X-Gm-Message-State: AOJu0YwT/xmQufJcvdzkFK2Cp+Is6gHNovrZHQ3WUkuQqKqjjjSXXisu 2+nO8EF0AmwQLwUu6kLnLW6asEUPytvkfZ73hD6iIHEXIXqeew5L+xFbcu9s3A== X-Gm-Gg: AZuq6aKu0ibA2aDV1A55F5keOQZC3Rh6Gh1d+r16IrjeNeEo5qdypN9DwQN6bvWgNV5 SSetTyINXnxZeby19xeFl3pJuW0ARPpXt03MCjfWT+k1KzWmU6j+KdcWtBVQDZ0a8E4q/fI1tya B9cSPnXG2s/mvMXKo8FW7Tc+ZAUJRgONO+gWcYnaEVtojcBkVPO/zizbHPCLeCn7Gqyp7CeMC7R ztS4kgqSpVfmpBt6KLmPbkftQIXNLHi0HVdo8kVWrg5wyaFd2iOEMsOjMJt0QDEQwYdvPNyIFxN ymYjdQrnHmt3nkccxP5DxjzafoiORQGOGuj9d9NZ2RtGDlmO7F7CQhoyCtZ08AudIhnvJf8IrZP GjVWVa3AfBOBmQXiqzYW0UFfidlad0l+2UXuyo6MBBrjuL82XvB9WqP/Nv/QnwEgA4ollnqpOiL iFvIO1wFec X-Received: by 2002:a05:600c:34c9:b0:480:25ae:9993 with SMTP id 5b1f17b1804b1-4802ce16557mr158378285e9.20.1768979082155; Tue, 20 Jan 2026 23:04:42 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-4356996dadbsm34106880f8f.21.2026.01.20.23.04.41 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 Jan 2026 23:04:41 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 4/5] freerdp: patch CVE-2023-40181 Date: Wed, 21 Jan 2026 08:04:38 +0100 Message-ID: <20260121070439.1632875-4-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260121070439.1632875-1-skandigraun@gmail.com> References: <20260121070439.1632875-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 21 Jan 2026 07:04:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123687 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-40181 Pick the patch that was identified[1] by Debian as the solution. [1]: https://security-tracker.debian.org/tracker/CVE-2023-40181 Signed-off-by: Gyorgy Sarvari --- .../freerdp/freerdp/CVE-2023-40181.patch | 33 +++++++++++++++++++ .../recipes-support/freerdp/freerdp_2.6.1.bb | 1 + 2 files changed, 34 insertions(+) create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2023-40181.patch diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-40181.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-40181.patch new file mode 100644 index 0000000000..05af44af09 --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-40181.patch @@ -0,0 +1,33 @@ +From de011238a720cf80a7f96ee0d7a43d85fbc0552f Mon Sep 17 00:00:00 2001 +From: Armin Novak +Date: Mon, 21 Aug 2023 14:30:11 +0200 +Subject: [PATCH] fix cBitsRemaining calculation + +fixed out of bound read reported by @pwn2carr + +(cherry picked from commit c39c82277a73332e9c1b64db98a34559f424fe20) + +CVE: CVE-2023-40181 +Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/c23cbdc4a5756bd723223c7139654de7439fdcc0] +Signed-off-by: Gyorgy Sarvari +--- + libfreerdp/codec/zgfx.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/libfreerdp/codec/zgfx.c b/libfreerdp/codec/zgfx.c +index 04ddeadb2..4489b3798 100644 +--- a/libfreerdp/codec/zgfx.c ++++ b/libfreerdp/codec/zgfx.c +@@ -259,7 +259,11 @@ static BOOL zgfx_decompress_segment(ZGFX_CONTEXT* zgfx, wStream* stream, size_t + zgfx->pbInputCurrent = pbSegment; + zgfx->pbInputEnd = &pbSegment[cbSegment - 1]; + /* NumberOfBitsToDecode = ((NumberOfBytesToDecode - 1) * 8) - ValueOfLastByte */ +- zgfx->cBitsRemaining = 8 * (cbSegment - 1) - *zgfx->pbInputEnd; ++ const UINT32 bits = 8u * (cbSegment - 1u); ++ if (bits < *zgfx->pbInputEnd) ++ return FALSE; ++ ++ zgfx->cBitsRemaining = bits - *zgfx->pbInputEnd; + zgfx->cBitsCurrent = 0; + zgfx->BitsCurrent = 0; + diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb index dd944e450d..b909f88310 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb @@ -25,6 +25,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https file://CVE-2023-39351.patch \ file://CVE-2023-39352.patch \ file://CVE-2023-39353.patch \ + file://CVE-2023-40181.patch \ " S = "${WORKDIR}/git" From patchwork Wed Jan 21 07:04:39 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 79283 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6C46ED262B2 for ; Wed, 21 Jan 2026 07:04:49 +0000 (UTC) Received: from mail-wr1-f52.google.com (mail-wr1-f52.google.com [209.85.221.52]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.6787.1768979084652458205 for ; Tue, 20 Jan 2026 23:04:44 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=WktW3Gao; spf=pass (domain: gmail.com, ip: 209.85.221.52, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f52.google.com with SMTP id ffacd0b85a97d-42fbc305914so4994360f8f.0 for ; Tue, 20 Jan 2026 23:04:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768979083; x=1769583883; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=ZzdoPiqrdPaIRIT+mbvy05zOV0r+rQV15o6F2LUccaU=; b=WktW3GaojS0gukwTDnDYHgqnc1oF9yZrrqI6o/qiGrwm+LrKhYfwLxRU0iV5L3elUF 8rhadYNa9eQL0RzkMuV9j9MKH4WYowU5rZe/kuP1M8tD9zRLZAPI+zyO1qSKU6kY8MRM /aG109KIWiRBSg95/2P54xQl356clSkLjHCKNa+IEtmkyINj8G6Blly1SxD0le+wL5Rp HZpLiGI7lKIlXYK6DdDFGI9I3X4Enf/6uHX2+SaDE9o60goh/VeDx2RhPn1FgNXkrovF ZkzOlMH7C7J5n/zAtvgnsjx0ij/IjxwlatZoJXvq26jVq/EE8P5/PBQq9/QEaesxpla7 Ys4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768979083; x=1769583883; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=ZzdoPiqrdPaIRIT+mbvy05zOV0r+rQV15o6F2LUccaU=; b=Oh9WMEqyJMu02foISFWtuKVl+xe0D73WDxzBt5Z6Iz4KujeKu1DutV02ax2OhWNN4z WBqGF6vcTknD8OEVrxUJseh+2/q0D2A/a9L6Pcfm0kJ9ZOkmoroNnQJ+PmcUSDbK9Jaw 9Wes++poAwFbbqqAqVGNoTBGaLgWI+MPDl61cTbIUyabXGwjX6z4FKHCfirT3UxZOutj 5ayN9/rB7ukioo1PJMknTbvsgJ9WhyEzJkjiJGIFQcBaDR6sf6HCcVgoRi4JVeLndeou aX70/jrrmQCNPJI38hC5sM2REzeDwS5Bq6rpD1pMU57WWJHpd+nnLWnrCi+SrPk2u3XA SVvg== X-Gm-Message-State: AOJu0YxUV+e4bQ/5vq3V9uLHKf5+p3aGW5iAAch0bkPpZIPsd1IAtxvu b1XCL/ud8l6zIcHxbDefuW6F0wR9wcyuadOx8iV1ti3LlmRnaAU+Tu5Z4Xbwfg== X-Gm-Gg: AZuq6aIjQplce1eKpiqUYasJE2FFwpOKq9x7ZbZcF1kJE+xTIspBVAZbvGxiGov/+bn pSeLzjnVbQVbNDE1V5dPXf5jUalgKcztAurqbk9ueHgJ/gKMDRF5KrhtRAIGWj4PdnKDKVHfs3a UZgeG5mcezqhtPYnri8tKceKKXI3VYU51kqIgx1XNYBrhrf3LDDmrxKZ3QgFCj5udRG02nfzGOg OXU7TEFzY1P5DWdsC9sibuQrzGrfqVtj+a9nrPQROrVdtUtGo9D6CE4sKBmeiZGCRM5wiYEGhg5 5t4T20wgw+YOFG99LEVz+pOSq2KUMwbLmJ6DplJZO1DaCNGrBbB804UUzAL11LGAHhl0djl6f9F ICPwPMeRp26AASXj/5LbOBSY/7XHNMPOnhyq2L3dytDgizaKBpZj+9QGDu9SE6JMVaBcbfjR+ew /X/k6HL4dc X-Received: by 2002:a05:6000:4301:b0:430:f5ed:83d3 with SMTP id ffacd0b85a97d-4358fed1464mr6716127f8f.5.1768979082777; Tue, 20 Jan 2026 23:04:42 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-4356996dadbsm34106880f8f.21.2026.01.20.23.04.42 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 Jan 2026 23:04:42 -0800 (PST) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 5/5] freerdp: patch CVE-2023-40569 Date: Wed, 21 Jan 2026 08:04:39 +0100 Message-ID: <20260121070439.1632875-5-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260121070439.1632875-1-skandigraun@gmail.com> References: <20260121070439.1632875-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 21 Jan 2026 07:04:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123688 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-40569 Pick the patch that was identified[1] by Debian as the solution. [1]: https://security-tracker.debian.org/tracker/CVE-2023-40569 Signed-off-by: Gyorgy Sarvari --- .../freerdp/freerdp/CVE-2023-40569.patch | 38 +++++++++++++++++++ .../recipes-support/freerdp/freerdp_2.6.1.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2023-40569.patch diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-40569.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-40569.patch new file mode 100644 index 0000000000..792c652307 --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2023-40569.patch @@ -0,0 +1,38 @@ +From acc25a2257a960c82adea14faf48730c9139811d Mon Sep 17 00:00:00 2001 +From: akallabeth +Date: Tue, 22 Aug 2023 15:05:20 +0200 +Subject: [PATCH] fix missing destination checks + +(cherry picked from commit ef7e0d60c207dae478952d795e74751d1516629d) + +CVE: CVE-2023-40569 +Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/23c3daeca1598393f8c93f563f7847a4d67919f1] +Signed-off-by: Gyorgy Sarvari +--- + libfreerdp/codec/progressive.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/libfreerdp/codec/progressive.c b/libfreerdp/codec/progressive.c +index 60343b881..a30da6201 100644 +--- a/libfreerdp/codec/progressive.c ++++ b/libfreerdp/codec/progressive.c +@@ -2425,11 +2425,17 @@ INT32 progressive_decompress_ex(PROGRESSIVE_CONTEXT* progressive, const BYTE* pS + for (j = 0; j < nbUpdateRects; j++) + { + const RECTANGLE_16* rect = &updateRects[j]; +- const UINT32 nXSrc = rect->left - (nXDst + tile->x); +- const UINT32 nYSrc = rect->top - (nYDst + tile->y); ++ if (rect->left < updateRect.left) ++ goto fail; ++ const UINT32 nXSrc = rect->left - updateRect.left; ++ const UINT32 nYSrc = rect->top - updateRect.top; + const UINT32 width = rect->right - rect->left; + const UINT32 height = rect->bottom - rect->top; + ++ if (rect->left + width > surface->width) ++ goto fail; ++ if (rect->top + height > surface->height) ++ goto fail; + if (!freerdp_image_copy(pDstData, DstFormat, nDstStep, rect->left, rect->top, width, + height, tile->data, progressive->format, tile->stride, nXSrc, + nYSrc, NULL, FREERDP_FLIP_NONE)) diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb index b909f88310..205f7b0cd7 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb @@ -26,6 +26,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https file://CVE-2023-39352.patch \ file://CVE-2023-39353.patch \ file://CVE-2023-40181.patch \ + file://CVE-2023-40569.patch \ " S = "${WORKDIR}/git"