Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
please unblock freerdp3/3.15.0+dfsg-2.1:
* cherry-pick of upstreams fix to a denial of service-issue that can
be triggered by sending specially crafted RDP packages
[CVE-2025-4478] (#1105917)
https://github.com/FreeRDP/FreeRDP/pull/11573/commits
* debdiff is attached.
Regards,
Daniel
diff -Nru freerdp3-3.15.0+dfsg/debian/changelog freerdp3-3.15.0+dfsg/debian/changelog
--- freerdp3-3.15.0+dfsg/debian/changelog 2025-04-24 09:18:41.000000000 +0000
+++ freerdp3-3.15.0+dfsg/debian/changelog 2025-05-26 12:38:19.000000000 +0000
@@ -1,3 +1,14 @@
+freerdp3 (3.15.0+dfsg-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Cherry-picking patch from upstream:
+ - A flaw was found where a crafted RDP packet could trigger a segmentation
+ fault. This causes FreeRDP to crash and remain defunct, resulting in a
+ denial of service. Initializing function pointers in transport.c after
+ resource allocation fixes this [CVE-2025-4478] (Closes: #1105917).
+
+ -- Daniel Baumann <dan...@debian.org> Mon, 26 May 2025 14:38:19 +0200
+
freerdp3 (3.15.0+dfsg-2) unstable; urgency=medium
[ Bernhard Miklautz ]
diff -Nru freerdp3-3.15.0+dfsg/debian/patches/CVE-2025-4478.patch freerdp3-3.15.0+dfsg/debian/patches/CVE-2025-4478.patch
--- freerdp3-3.15.0+dfsg/debian/patches/CVE-2025-4478.patch 1970-01-01 00:00:00.000000000 +0000
+++ freerdp3-3.15.0+dfsg/debian/patches/CVE-2025-4478.patch 2025-05-26 12:38:19.000000000 +0000
@@ -0,0 +1,61 @@
+From a4bb702aa62e4fad91ca99142de075265555ec18 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonas=20=C3=85dahl?= <jad...@gmail.com>
+Date: Tue, 13 May 2025 10:34:08 +0200
+Subject: [PATCH] transport: Initialize function pointers after resource
+ allocation
+
+The transport instance is freed when an error occurs.
+If the TransportDisconnect function pointer is initialized it
+causes SIGSEGV during free.
+
+CVE: CVE-2025-4478
+---
+ libfreerdp/core/transport.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/libfreerdp/core/transport.c b/libfreerdp/core/transport.c
+index d199c31be4a5..2ca146f65133 100644
+--- a/libfreerdp/core/transport.c
++++ b/libfreerdp/core/transport.c
+@@ -1646,20 +1646,6 @@ rdpTransport* transport_new(rdpContext* context)
+ if (!transport->log)
+ goto fail;
+
+- // transport->io.DataHandler = transport_data_handler;
+- transport->io.TCPConnect = freerdp_tcp_default_connect;
+- transport->io.TLSConnect = transport_default_connect_tls;
+- transport->io.TLSAccept = transport_default_accept_tls;
+- transport->io.TransportAttach = transport_default_attach;
+- transport->io.TransportDisconnect = transport_default_disconnect;
+- transport->io.ReadPdu = transport_default_read_pdu;
+- transport->io.WritePdu = transport_default_write;
+- transport->io.ReadBytes = transport_read_layer;
+- transport->io.GetPublicKey = transport_default_get_public_key;
+- transport->io.SetBlockingMode = transport_default_set_blocking_mode;
+- transport->io.ConnectLayer = transport_default_connect_layer;
+- transport->io.AttachLayer = transport_default_attach_layer;
+-
+ transport->context = context;
+ transport->ReceivePool = StreamPool_New(TRUE, BUFFER_SIZE);
+
+@@ -1698,6 +1684,20 @@ rdpTransport* transport_new(rdpContext* context)
+ if (!InitializeCriticalSectionAndSpinCount(&(transport->WriteLock), 4000))
+ goto fail;
+
++ // transport->io.DataHandler = transport_data_handler;
++ transport->io.TCPConnect = freerdp_tcp_default_connect;
++ transport->io.TLSConnect = transport_default_connect_tls;
++ transport->io.TLSAccept = transport_default_accept_tls;
++ transport->io.TransportAttach = transport_default_attach;
++ transport->io.TransportDisconnect = transport_default_disconnect;
++ transport->io.ReadPdu = transport_default_read_pdu;
++ transport->io.WritePdu = transport_default_write;
++ transport->io.ReadBytes = transport_read_layer;
++ transport->io.GetPublicKey = transport_default_get_public_key;
++ transport->io.SetBlockingMode = transport_default_set_blocking_mode;
++ transport->io.ConnectLayer = transport_default_connect_layer;
++ transport->io.AttachLayer = transport_default_attach_layer;
++
+ return transport;
+ fail:
+ WINPR_PRAGMA_DIAG_PUSH
diff -Nru freerdp3-3.15.0+dfsg/debian/patches/series freerdp3-3.15.0+dfsg/debian/patches/series
--- freerdp3-3.15.0+dfsg/debian/patches/series 2025-04-24 09:00:49.000000000 +0000
+++ freerdp3-3.15.0+dfsg/debian/patches/series 2025-05-26 12:32:22.000000000 +0000
@@ -9,3 +9,4 @@
winpr-sysinfo-use-a-single-clock-to-provide-System-a.patch
fix-resources-remove-MimeType-from-desktop-file.patch
gcc-fix-server-side-connection-with-multiple-monitor.patch
+CVE-2025-4478.patch