From fc1af750ed0a7dc0971afe0f06cf71dfddabecaf Mon Sep 17 00:00:00 2001
From: Ondrej Holy
Date: Thu, 16 Apr 2026 16:19:11 +0200
Subject: [PATCH] Backport several CVE fixes
It fixes CVE-2026-33983 and CVE-2026-33984. Also remove unused channels-audin-fix-audin_server_recv_formats-cleanup.patch from the tree.
Resolves: RHEL-162960, RHEL-162986
Made-with: Cursor
---
 ...ix-audin_server_recv_formats-cleanup.patch | 28 ------
 ...te-CLEAR_VBAR_ENTRY-size-after-alloc.patch | 35 ++++++++
 ...sive_rfx_quant_sub-on-invalid-values.patch | 89 +++++++++++++++++++
 ...w-guard-in-progressive_rfx_quant_sub.patch | 29 ++++++
 freerdp.spec | 17 +++-
 5 files changed, 169 insertions(+), 29 deletions(-)
 delete mode 100644 channels-audin-fix-audin_server_recv_formats-cleanup.patch
 create mode 100644 codec-clear-update-CLEAR_VBAR_ENTRY-size-after-alloc.patch
 create mode 100644 codec-progressive-fail-progressive_rfx_quant_sub-on-invalid-values.patch
 create mode 100644 codec-progressive-fix-underflow-guard-in-progressive_rfx_quant_sub.patch
diff --git a/channels-audin-fix-audin_server_recv_formats-cleanup.patch b/channels-audin-fix-audin_server_recv_formats-cleanup.patch
deleted file mode 100644
index 073032f..0000000
--- a/channels-audin-fix-audin_server_recv_formats-cleanup.patch
+++ /dev/null
@@ -1,28 +0,0 @@ -From 3b403f9bfe3fc5f2d45151bd685ba17af65dcc05 Mon Sep 17 00:00:00 2001 -From: Ondrej Holy -Date: Thu, 12 Mar 2026 15:43:14 +0100 -Subject: [PATCH] [channels,audin] fix audin_server_recv_formats cleanup - -Backport of commit 1c5c74223179d425a1ce6dbbb6a3dd2a958b7aee. - -Made-with: Cursor ---- - channels/audin/server/audin.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/channels/audin/server/audin.c b/channels/audin/server/audin.c -index 8252236f8..17e487a47 100644 ---- a/channels/audin/server/audin.c -+++ b/channels/audin/server/audin.c -@@ -215,7 +215,7 @@ static UINT audin_server_recv_formats(audin_server* audin, wStream* s, UINT32 le - - if (!audio_format_read(s, format)) - { -- audio_formats_free(audin->context.client_formats, i); -+ audio_formats_free(audin->context.client_formats, audin->context.num_client_formats); - audin->context.client_formats = NULL; - WLog_ERR(TAG, "expected length at least 18, but got %" PRIu32 "", length); - return ERROR_INVALID_DATA; --- -2.53.0 - diff --git a/codec-clear-update-CLEAR_VBAR_ENTRY-size-after-alloc.patch b/codec-clear-update-CLEAR_VBAR_ENTRY-size-after-alloc.patch new file mode 100644 index 0000000..3ffe84a --- /dev/null +++ b/codec-clear-update-CLEAR_VBAR_ENTRY-size-after-alloc.patch 
@@ -0,0 +1,35 @@ +From a2dde6d9832cb032e8cf12cab3da84dafbab9006 Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Fri, 10 Apr 2026 11:32:09 +0200 +Subject: [PATCH] [codec,clear] update CLEAR_VBAR_ENTRY::size after alloc + +Backport of commit a2dde6d9832cb032e8cf12cab3da84dafbab9006. + +Made-with: Cursor +--- + libfreerdp/codec/clear.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c +index e38fa0d..eda30ad 100644 +--- a/libfreerdp/codec/clear.c ++++ b/libfreerdp/codec/clear.c +@@ -565,7 +565,6 @@ static BOOL resize_vbar_entry(CLEAR_CONTEXT* clear, CLEAR_VBAR_ENTRY* vBarEntry) + const UINT32 oldPos = vBarEntry->size * bpp; + const UINT32 diffSize = (vBarEntry->count - vBarEntry->size) * bpp; + BYTE* tmp; +- vBarEntry->size = vBarEntry->count; + tmp = (BYTE*)realloc(vBarEntry->pixels, 1ull * vBarEntry->count * bpp); + + if (!tmp) +@@ -576,6 +575,7 @@ static BOOL resize_vbar_entry(CLEAR_CONTEXT* clear, CLEAR_VBAR_ENTRY* vBarEntry) + + memset(&tmp[oldPos], 0, diffSize); + vBarEntry->pixels = tmp; ++ vBarEntry->size = vBarEntry->count; + } + + if (!vBarEntry->pixels && vBarEntry->size) +-- +2.49.0 + diff --git a/codec-progressive-fail-progressive_rfx_quant_sub-on-invalid-values.patch b/codec-progressive-fail-progressive_rfx_quant_sub-on-invalid-values.patch new file mode 100644 index 0000000..3f02417 --- /dev/null +++ b/codec-progressive-fail-progressive_rfx_quant_sub-on-invalid-values.patch 
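Review bot: The relocated `vBarEntry->size = vBarEntry->count;` needs a comment stating the invariant it restores, because nothing in the hunk says why the order matters: `/* size mirrors the pixels allocation; only advance it once realloc succeeded, so a failed grow leaves size, pixels and the next oldPos consistent */`. With the old order a realloc failure left `size == count` while `pixels` still held the smaller buffer, so any later code trusting `size` as the number of backing pixels (presumably the decoder's vBar writes) could index past the real allocation; `oldPos` and `diffSize` are derived from `size` before the call, so they stay correct under the new order. `diffSize` is still an unsigned `count - size` and the hunk does not show the guard that makes `count > size` certain — if a shrink can reach this code the subtraction wraps and the `memset` overruns, so that enclosing condition is worth confirming. `resize_vbar_entry` starts before and continues after this hunk, including the `if (!tmp)` failure branch.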
@@ -0,0 +1,89 @@ +From 78188ab479c8e6eb9ba2475b3732c76b4bbe5425 Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Mon, 13 Apr 2026 14:00:00 +0200 +Subject: [PATCH] [codec,progressive] Fail progressive_rfx_quant_sub on invalid + values + +Backport of commit 78188ab479c8e6eb9ba2475b3732c76b4bbe5425. + +Made-with: Cursor +--- + libfreerdp/codec/progressive.c | 42 ++++++++++++++++++++++++++++++---- + 1 file changed, 38 insertions(+), 4 deletions(-) + +diff --git a/libfreerdp/codec/progressive.c b/libfreerdp/codec/progressive.c +index 8894b35..bbcc921 100644 +--- a/libfreerdp/codec/progressive.c ++++ b/libfreerdp/codec/progressive.c +@@ -155,20 +155,51 @@ static INLINE void progressive_rfx_quant_lsub(RFX_COMPONENT_CODEC_QUANT* q, int + q->LL3 -= val; /* LL3 */ + } + +-static INLINE void progressive_rfx_quant_sub(const RFX_COMPONENT_CODEC_QUANT* q1, ++static INLINE BOOL progressive_rfx_quant_sub(const RFX_COMPONENT_CODEC_QUANT* q1, + const RFX_COMPONENT_CODEC_QUANT* q2, + RFX_COMPONENT_CODEC_QUANT* dst) + { ++ if (q1->HH1 < q2->HL1) ++ return FALSE; + dst->HL1 = q1->HL1 - q2->HL1; /* HL1 */ ++ ++ if (q1->LH1 < q2->LH1) ++ return FALSE; + dst->LH1 = q1->LH1 - q2->LH1; /* LH1 */ ++ ++ if (q1->HH1 < q2->HH1) ++ return FALSE; + dst->HH1 = q1->HH1 - q2->HH1; /* HH1 */ ++ ++ if (q1->HL2 < q2->HL2) ++ return FALSE; + dst->HL2 = q1->HL2 - q2->HL2; /* HL2 */ ++ ++ if (q1->LH2 < q2->LH2) ++ return FALSE; + dst->LH2 = q1->LH2 - q2->LH2; /* LH2 */ ++ ++ if (q1->HH2 < q2->HH2) ++ return FALSE; + dst->HH2 = q1->HH2 - q2->HH2; /* HH2 */ ++ ++ if (q1->HL3 < q2->HL3) ++ return FALSE; + dst->HL3 = q1->HL3 - q2->HL3; /* HL3 */ ++ ++ if (q1->LH3 < q2->LH3) ++ return FALSE; + dst->LH3 = q1->LH3 - q2->LH3; /* LH3 */ ++ ++ if (q1->HH3 < q2->HH3) ++ return FALSE; + dst->HH3 = q1->HH3 - q2->HH3; /* HH3 */ ++ ++ if (q1->LL3 < q2->LL3) ++ return FALSE; + dst->LL3 = q1->LL3 - q2->LL3; /* LL3 */ ++ ++ return TRUE; + } + + static INLINE BOOL progressive_rfx_quant_lcmp_less_equal(const 
RFX_COMPONENT_CODEC_QUANT* q, +@@ -1433,9 +1464,12 @@ static INLINE int progressive_decompress_tile_upgrade(PROGRESSIVE_CONTEXT* progr + progressive_rfx_quant_add(quantY, quantProgY, &yBitPos); + progressive_rfx_quant_add(quantCb, quantProgCb, &cbBitPos); + progressive_rfx_quant_add(quantCr, quantProgCr, &crBitPos); +- progressive_rfx_quant_sub(&(tile->yBitPos), &yBitPos, &yNumBits); +- progressive_rfx_quant_sub(&(tile->cbBitPos), &cbBitPos, &cbNumBits); +- progressive_rfx_quant_sub(&(tile->crBitPos), &crBitPos, &crNumBits); ++ if (!progressive_rfx_quant_sub(&(tile->yBitPos), &yBitPos, &yNumBits)) ++ goto fail; ++ if (!progressive_rfx_quant_sub(&(tile->cbBitPos), &cbBitPos, &cbNumBits)) ++ goto fail; ++ if (!progressive_rfx_quant_sub(&(tile->crBitPos), &crBitPos, &crNumBits)) ++ goto fail; + progressive_rfx_quant_add(quantY, quantProgY, &shiftY); + progressive_rfx_quant_lsub(&shiftY, 1); /* -6 + 5 = -1 */ + progressive_rfx_quant_add(quantCb, quantProgCb, &shiftCb); +-- +2.49.0 + diff --git a/codec-progressive-fix-underflow-guard-in-progressive_rfx_quant_sub.patch b/codec-progressive-fix-underflow-guard-in-progressive_rfx_quant_sub.patch new file mode 100644 index 0000000..acb6af7 --- /dev/null +++ b/codec-progressive-fix-underflow-guard-in-progressive_rfx_quant_sub.patch 
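Review bot: `progressive_rfx_quant_sub` now writes `dst` band by band and returns FALSE part-way through, so on failure `dst` (`yNumBits`/`cbNumBits`/`crNumBits` in the caller) is partially updated; the caller jumps to `fail` immediately so that is harmless today, but the contract should be stated above the function: `/* Returns FALSE if any band of q2 exceeds q1; dst is then partially written and must not be used. */`. The ten hand-copied guards are exactly the kind of code where the very first one in this patch compares `HH1` against `HL1` (corrected by the follow-up patch in this series); for the backport that is fine as long as both patches apply in order, but folding the one-line fix into this patch would avoid carrying a known-wrong intermediate revision in the tree. Note also that `progressive_rfx_quant_lsub(&shiftY, 1)` at the end of the second hunk is still an unguarded subtract on the same band fields; if those fields are unsigned (their type is outside this hunk) and `quantY + quantProgY` can be 0 for a band, the wrap this patch prevents for `yNumBits` can still occur for `shiftY`, so that case is worth checking. The `fail` label and the rest of `progressive_decompress_tile_upgrade` are outside the hunk.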
@@ -0,0 +1,29 @@ +From 78677dc6e262f46937d00c3aa52381e4bb198fa5 Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Mon, 13 Apr 2026 14:00:00 +0200 +Subject: [PATCH] [codec,progressive] fix underflow guard in + progressive_rfx_quant_sub + +Backport of commit 78677dc6e262f46937d00c3aa52381e4bb198fa5. + +Made-with: Cursor +--- + libfreerdp/codec/progressive.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libfreerdp/codec/progressive.c b/libfreerdp/codec/progressive.c +index bbcc921..1234567 100644 +--- a/libfreerdp/codec/progressive.c ++++ b/libfreerdp/codec/progressive.c +@@ -158,7 +158,7 @@ static INLINE BOOL progressive_rfx_quant_sub(const RFX_COMPONENT_CODEC_QUANT* q1 + const RFX_COMPONENT_CODEC_QUANT* q2, + RFX_COMPONENT_CODEC_QUANT* dst) + { +- if (q1->HH1 < q2->HL1) ++ if (q1->HL1 < q2->HL1) + return FALSE; + dst->HL1 = q1->HL1 - q2->HL1; /* HL1 */ + +-- +2.49.0 + diff --git a/freerdp.spec b/freerdp.spec index 9bc7672..db1d9ae 100644 --- a/freerdp.spec +++ b/freerdp.spec @@ -27,7 +27,7 @@ Name: freerdp Version: 2.11.7 -Release: 7%{?dist} +Release: 8%{?dist} Epoch: 2 Summary: Free implementation of the Remote Desktop Protocol (RDP) License: ASL 2.0 @@ -147,6 +147,16 @@ Patch: channel-rdpsnd-only-clean-up-thread-before-free.patch Patch: codec-nsc-limit-copy-area-in-nsc_process_message.patch Patch: codec-nsc-fix-use-of-nsc_process_message.patch +# CVE-2026-33984 +# https://github.com/FreeRDP/FreeRDP/commit/a2dde6d9832cb032e8cf12cab3da84dafbab9006 +Patch: codec-clear-update-CLEAR_VBAR_ENTRY-size-after-alloc.patch + +# CVE-2026-33983 +# https://github.com/FreeRDP/FreeRDP/commit/78188ab479c8e6eb9ba2475b3732c76b4bbe5425 +# https://github.com/FreeRDP/FreeRDP/commit/78677dc6e262f46937d00c3aa52381e4bb198fa5 +Patch: codec-progressive-fail-progressive_rfx_quant_sub-on-invalid-values.patch +Patch: codec-progressive-fix-underflow-guard-in-progressive_rfx_quant_sub.patch + BuildRequires: gcc BuildRequires: gcc-c++ BuildRequires: alsa-lib-devel 
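Review bot: The inner `index bbcc921..1234567 100644` line carries a placeholder post-image blob id rather than a real one; plain `patch` and `git apply` ignore it, but the three-way fallback of `git apply --3way`/`git am -3` consults those ids, so either record the genuine hash or drop the `index` line from the hand-edited patch. Since this is a one-character correction (`q1->HH1` → `q1->HL1`) of a guard introduced by the preceding patch in the same series, folding it into `codec-progressive-fail-progressive_rfx_quant_sub-on-invalid-values.patch` would also avoid shipping a revision in which the HL1 band is checked against the wrong field. The corrected comparison itself matches the nine other bands and is the right pre-check for the unsigned subtract that follows. The enclosing function continues beyond the hunk.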
@@ -404,6 +414,11 @@ find %{buildroot} -name "*.a" -delete
 %{_libdir}/pkgconfig/winpr-tools2.pc
 %changelog
+* Fri Apr 10 2026 Ondrej Holy - 2:2.11.7-8
+- Update CLEAR_VBAR_ENTRY size after alloc (CVE-2026-33984)
+- Fail progressive_rfx_quant_sub on invalid values (CVE-2026-33983)
+ Resolves: RHEL-162960, RHEL-162986
+
 * Tue Mar 31 2026 Ondrej Holy - 2:2.11.7-7
 - Fix use of nsc_process_message
 Resolves: RHEL-155994