import Oracle_OSS freerdp-3.10.3-5.el10_1.3

2026-03-26 15:30:55 -04:00 · 2026-03-26 15:30:55 -04:00 · b283e4ffa5
commit b283e4ffa5
parent 1a739f9bea
4 changed files with 110 additions and 1 deletions
--- a/codec-clear-fix-destination-checks.patch
+++ b/codec-clear-fix-destination-checks.patch
@ -0,0 +1,42 @@
+From 6fe494ec5b0baf2fa604f5ae6a6237eb5dc0b66a Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Mon, 9 Mar 2026 13:55:01 +0100
+Subject: [PATCH] [codec,clear] fix destination checks
+
+Backport of commit 7d8fdce2d0ef337cb86cb37fc0c436c905e04d77.
+
+Made-with: Cursor
+---
+ libfreerdp/codec/clear.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
+index 2a4f894ea..4c42bb2bf 100644
+--- a/libfreerdp/codec/clear.c
+++ b/libfreerdp/codec/clear.c
+@@ -490,16 +490,16 @@ static BOOL clear_decompress_subcodecs_data(CLEAR_CONTEXT* WINPR_RESTRICT clear,
+ 		nXDstRel = nXDst + xStart;
+ 		nYDstRel = nYDst + yStart;
+ 
+-		if (1ull * xStart + width > nWidth)
+		if (1ull * nXDstRel + width > nDstWidth)
+ 		{
+-			WLog_ERR(TAG, "xStart %" PRIu16 " + width %" PRIu16 " > nWidth %" PRIu32 "", xStart,
+-			         width, nWidth);
+			WLog_ERR(TAG, "nXDstRel %" PRIu32 " + width %" PRIu16 " > nDstWidth %" PRIu32 "",
+			         nXDstRel, width, nDstWidth);
+ 			return FALSE;
+ 		}
+-		if (1ull * yStart + height > nHeight)
+		if (1ull * nYDstRel + height > nDstHeight)
+ 		{
+-			WLog_ERR(TAG, "yStart %" PRIu16 " + height %" PRIu16 " > nHeight %" PRIu32 "", yStart,
+-			         height, nHeight);
+			WLog_ERR(TAG, "nYDstRel %" PRIu32 " + height %" PRIu16 " > nDstHeight %" PRIu32 "",
+			         nYDstRel, height, nDstHeight);
+ 			return FALSE;
+ 		}
+ 
+-- 
+2.53.0
+
--- a/codec-planar-fix-missing-destination-bounds-checks.patch
+++ b/codec-planar-fix-missing-destination-bounds-checks.patch
@ -0,0 +1,55 @@
+From 867763b853ea3efdffb3bba0b182890bef994974 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Mon, 9 Mar 2026 12:50:26 +0100
+Subject: [PATCH] [codec,planar] fix missing destination bounds checks
+
+Backport of commit a0be5cb87d760bb1c803ad1bb835aa1e73e62abc.
+
+Made-with: Cursor
+---
+ libfreerdp/codec/planar.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
+index 5df607051..58efbc627 100644
+--- a/libfreerdp/codec/planar.c
+++ b/libfreerdp/codec/planar.c
+@@ -727,8 +727,9 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* WINPR_RESTRICT planar,
+ 	if (planar->maxHeight < nSrcHeight)
+ 		return FALSE;
+ 
+	const UINT32 bpp = FreeRDPGetBytesPerPixel(DstFormat);
+ 	if (nDstStep <= 0)
+-		nDstStep = nDstWidth * FreeRDPGetBytesPerPixel(DstFormat);
+		nDstStep = nDstWidth * bpp;
+ 
+ 	srcp = pSrcData;
+ 
+@@ -948,6 +949,24 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* WINPR_RESTRICT planar,
+ 		}
+ 		else /* RLE */
+ 		{
+			if (nYDst + nSrcHeight > nTotalHeight)
+			{
+				WLog_ERR(TAG,
+				         "planar plane destination Y %" PRIu32 " + height %" PRIu32
+				         " exceeds totalHeight %" PRIu32,
+				         nYDst, nSrcHeight, nTotalHeight);
+				return FALSE;
+			}
+
+			if ((nXDst + nSrcWidth) * bpp > nDstStep)
+			{
+				WLog_ERR(TAG,
+				         "planar plane destination (X %" PRIu32 " + width %" PRIu32
+				         ") * bpp %" PRIu32 " exceeds stride %" PRIu32,
+				         nXDst, nSrcWidth, bpp, nDstStep);
+				return FALSE;
+			}
+
+ 			status =
+ 			    planar_decompress_plane_rle(planes[0], rleSizes[0], pTempData, nTempStep, nXDst,
+ 			                                nYDst, nSrcWidth, nSrcHeight, 2, vFlip); /* RedPlane */
+-- 
+2.53.0
+
--- a/freerdp.spec
+++ b/freerdp.spec
@ -30,7 +30,7 @@
 Name:           freerdp
 Epoch:          2
 Version:        3.10.3
-Release:        5%{?dist}.2
+Release:        5%{?dist}.3
 Summary:        Free implementation of the Remote Desktop Protocol (RDP)

 # The effective license is Apache-2.0 but:
@ -97,6 +97,14 @@ Patch:          channels-urbdrc-check-interface-indices-before-use.patch
 # https://github.com/FreeRDP/FreeRDP/commit/f3ab1a16139036179d9852745fdade18fec11600
 Patch:          channels-rdpecam-ensure-all-streams-are-stopped.patch

+# CVE-2026-26955
+# https://github.com/FreeRDP/FreeRDP/commit/7d8fdce2d0ef337cb86cb37fc0c436c905e04d77
+Patch:          codec-clear-fix-destination-checks.patch
+
+# CVE-2026-26965
+# https://github.com/FreeRDP/FreeRDP/commit/a0be5cb87d760bb1c803ad1bb835aa1e73e62abc
+Patch:          codec-planar-fix-missing-destination-bounds-checks.patch
+
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
 BuildRequires:  alsa-lib-devel
@ -419,6 +427,10 @@ find %{buildroot} -name "*.a" -delete
 %{_libdir}/pkgconfig/winpr-tools3.pc

 %changelog
+* Wed Mar 25 2026 Ondrej Holy <oholy@redhat.com> - 2:3.10.3-5.3
+- Backport several CVE fixes
+  Resolves: RHEL-151975, RHEL-152202
+
 * Tue Feb 17 2026 Ondrej Holy <oholy@redhat.com> - 2:3.10.3-5.2
 - Backport several CVE fixes
  Resolves: RHEL-147912, RHEL-148815, RHEL-148859, RHEL-148892, RHEL-148973
--- a/freerdp_download_and_repack.sh
+++ b/freerdp_download_and_repack.sh