From b283e4ffa53a3d8c6399f60d2d55fe50d2f6be87 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Thu, 26 Mar 2026 15:30:55 -0400
Subject: [PATCH] import Oracle_OSS freerdp-3.10.3-5.el10_1.3
---
codec-clear-fix-destination-checks.patch | 42 ++++++++++++++
...ix-missing-destination-bounds-checks.patch | 55 +++++++++++++++++++
freerdp.spec | 14 ++++-
freerdp_download_and_repack.sh | 0
4 files changed, 110 insertions(+), 1 deletion(-)
create mode 100644 codec-clear-fix-destination-checks.patch
create mode 100644 codec-planar-fix-missing-destination-bounds-checks.patch
mode change 100644 => 100755 freerdp_download_and_repack.sh
diff --git a/codec-clear-fix-destination-checks.patch b/codec-clear-fix-destination-checks.patch
new file mode 100644
index 0000000..d07e883
--- /dev/null
+++ b/codec-clear-fix-destination-checks.patch
@@ -0,0 +1,42 @@
+From 6fe494ec5b0baf2fa604f5ae6a6237eb5dc0b66a Mon Sep 17 00:00:00 2001
+From: Ondrej Holy
+Date: Mon, 9 Mar 2026 13:55:01 +0100
+Subject: [PATCH] [codec,clear] fix destination checks
+
+Backport of commit 7d8fdce2d0ef337cb86cb37fc0c436c905e04d77.
+
+Made-with: Cursor
+---
+ libfreerdp/codec/clear.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
+index 2a4f894ea..4c42bb2bf 100644
+--- a/libfreerdp/codec/clear.c
++++ b/libfreerdp/codec/clear.c
+@@ -490,16 +490,16 @@ static BOOL clear_decompress_subcodecs_data(CLEAR_CONTEXT* WINPR_RESTRICT clear,
+ nXDstRel = nXDst + xStart;
+ nYDstRel = nYDst + yStart;
+
+- if (1ull * xStart + width > nWidth)
++ if (1ull * nXDstRel + width > nDstWidth)
+ {
+- WLog_ERR(TAG, "xStart %" PRIu16 " + width %" PRIu16 " > nWidth %" PRIu32 "", xStart,
+- width, nWidth);
++ WLog_ERR(TAG, "nXDstRel %" PRIu32 " + width %" PRIu16 " > nDstWidth %" PRIu32 "",
++ nXDstRel, width, nDstWidth);
+ return FALSE;
+ }
+- if (1ull * yStart + height > nHeight)
++ if (1ull * nYDstRel + height > nDstHeight)
+ {
+- WLog_ERR(TAG, "yStart %" PRIu16 " + height %" PRIu16 " > nHeight %" PRIu32 "", yStart,
+- height, nHeight);
++ WLog_ERR(TAG, "nYDstRel %" PRIu32 " + height %" PRIu16 " > nDstHeight %" PRIu32 "",
++ nYDstRel, height, nDstHeight);
+ return FALSE;
+ }
+
+--
+2.53.0
+
diff --git a/codec-planar-fix-missing-destination-bounds-checks.patch b/codec-planar-fix-missing-destination-bounds-checks.patch
new file mode 100644
index 0000000..8ee655f
--- /dev/null
+++ b/codec-planar-fix-missing-destination-bounds-checks.patch
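Review bot: The new destination check in clear_decompress_subcodecs_data widens too late: `nXDstRel = nXDst + xStart;` and `nYDstRel = nYDst + yStart;` are computed just above it, and since both are logged with PRIu32 they are presumably 32-bit, so a sum that wraps would already be small when `1ull * nXDstRel + width` is evaluated. Doing the whole sum in 64 bits closes that gap: `if (1ull * nXDst + xStart + width > nDstWidth)` and `if (1ull * nYDst + yStart + height > nDstHeight)`. The patch also replaces the earlier `xStart + width > nWidth` and `yStart + height > nHeight` comparisons instead of keeping them next to the new ones. Whether the sub-rectangle is still held inside the nWidth x nHeight region elsewhere cannot be seen here, because the function starts and ends outside the hunk.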
@@ -0,0 +1,55 @@
+From 867763b853ea3efdffb3bba0b182890bef994974 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy
+Date: Mon, 9 Mar 2026 12:50:26 +0100
+Subject: [PATCH] [codec,planar] fix missing destination bounds checks
+
+Backport of commit a0be5cb87d760bb1c803ad1bb835aa1e73e62abc.
+
+Made-with: Cursor
+---
+ libfreerdp/codec/planar.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
+index 5df607051..58efbc627 100644
+--- a/libfreerdp/codec/planar.c
++++ b/libfreerdp/codec/planar.c
+@@ -727,8 +727,9 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* WINPR_RESTRICT planar,
+ if (planar->maxHeight < nSrcHeight)
+ return FALSE;
+
++ const UINT32 bpp = FreeRDPGetBytesPerPixel(DstFormat);
+ if (nDstStep <= 0)
+- nDstStep = nDstWidth * FreeRDPGetBytesPerPixel(DstFormat);
++ nDstStep = nDstWidth * bpp;
+
+ srcp = pSrcData;
+
+@@ -948,6 +949,24 @@ BOOL planar_decompress(BITMAP_PLANAR_CONTEXT* WINPR_RESTRICT planar,
+ }
+ else /* RLE */
+ {
++ if (nYDst + nSrcHeight > nTotalHeight)
++ {
++ WLog_ERR(TAG,
++ "planar plane destination Y %" PRIu32 " + height %" PRIu32
++ " exceeds totalHeight %" PRIu32,
++ nYDst, nSrcHeight, nTotalHeight);
++ return FALSE;
++ }
++
++ if ((nXDst + nSrcWidth) * bpp > nDstStep)
++ {
++ WLog_ERR(TAG,
++ "planar plane destination (X %" PRIu32 " + width %" PRIu32
++ ") * bpp %" PRIu32 " exceeds stride %" PRIu32,
++ nXDst, nSrcWidth, bpp, nDstStep);
++ return FALSE;
++ }
++
+ status =
+ planar_decompress_plane_rle(planes[0], rleSizes[0], pTempData, nTempStep, nXDst,
+ nYDst, nSrcWidth, nSrcHeight, 2, vFlip); /* RedPlane */
+--
+2.53.0
+
diff --git a/freerdp.spec b/freerdp.spec
index 0d34367..ace293e 100644
--- a/freerdp.spec
+++ b/freerdp.spec
@@ -30,7 +30,7 @@ Name: freerdp Epoch: 2 Version: 3.10.3 -Release: 5%{?dist}.2 +Release: 5%{?dist}.3 Summary: Free implementation of the Remote Desktop Protocol (RDP) # The effective license is Apache-2.0 but:
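Review bot: Both guards added to the RLE branch of planar_decompress do their arithmetic at the operands' own width: `nYDst + nSrcHeight` and `(nXDst + nSrcWidth) * bpp` are logged as PRIu32 values, so they are presumably 32-bit and can wrap before the comparison is made. Widening first avoids that: `if (1ull * nYDst + nSrcHeight > nTotalHeight)` and `if ((1ull * nXDst + nSrcWidth) * bpp > nDstStep)`. The stride guard also compares against `nDstStep` using the bytes-per-pixel of `DstFormat`, while the call it protects writes through `pTempData` with `nTempStep`. If those can differ from the destination buffer (they are set outside this hunk), the limit that matters is `nTempStep` and the pixel size of the temporary format. planar_decompress starts and ends outside both inner hunks.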
@@ -97,6 +97,14 @@ Patch: channels-urbdrc-check-interface-indices-before-use.patch # https://github.com/FreeRDP/FreeRDP/commit/f3ab1a16139036179d9852745fdade18fec11600 Patch: channels-rdpecam-ensure-all-streams-are-stopped.patch +# CVE-2026-26955 +# https://github.com/FreeRDP/FreeRDP/commit/7d8fdce2d0ef337cb86cb37fc0c436c905e04d77 +Patch: codec-clear-fix-destination-checks.patch + +# CVE-2026-26965 +# https://github.com/FreeRDP/FreeRDP/commit/a0be5cb87d760bb1c803ad1bb835aa1e73e62abc +Patch: codec-planar-fix-missing-destination-bounds-checks.patch + BuildRequires: gcc BuildRequires: gcc-c++ BuildRequires: alsa-lib-devel
@@ -419,6 +427,10 @@ find %{buildroot} -name "*.a" -delete %{_libdir}/pkgconfig/winpr-tools3.pc %changelog +* Wed Mar 25 2026 Ondrej Holy - 2:3.10.3-5.3 +- Backport several CVE fixes + Resolves: RHEL-151975, RHEL-152202 + * Tue Feb 17 2026 Ondrej Holy - 2:3.10.3-5.2 - Backport several CVE fixes Resolves: RHEL-147912, RHEL-148815, RHEL-148859, RHEL-148892, RHEL-148973
diff --git a/freerdp_download_and_repack.sh b/freerdp_download_and_repack.sh
old mode 100644
new mode 100755