From a0221753e4a71c8d0dc72275ac40abd604ad30b7 Mon Sep 17 00:00:00 2001
From: Ankur Tyagi
Date: Thu, 9 Apr 2026 19:09:01 +1200
Subject: [PATCH] freerdp3: fix CVE-2026-23948

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-23948

Signed-off-by: Ankur Tyagi
Signed-off-by: Anuj Mittal
---
 .../freerdp/freerdp3/CVE-2026-23948.patch | 55 +++++++++++++++++++
 .../recipes-support/freerdp/freerdp3_3.4.0.bb | 1 +
 2 files changed, 56 insertions(+)
 create mode 100644 meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-23948.patch

diff --git a/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-23948.patch b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-23948.patch
new file mode 100644
index 0000000000..4e232eae0c
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-23948.patch
@@ -0,0 +1,55 @@
+From b5693e6cc688e7cd36016f53392998b1945ff7df Mon Sep 17 00:00:00 2001
+From: akallabeth
+Date: Mon, 19 Jan 2026 20:11:24 +0100
+Subject: [PATCH] [core,info] fix missing NULL check
+
+CVE: CVE-2026-23948
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/4d44e3c097656a8b9ec696353647b0888ca45860]
+Signed-off-by: Ankur Tyagi
+---
+ libfreerdp/core/info.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/libfreerdp/core/info.c b/libfreerdp/core/info.c
+index 3395e4d2e..81e59a060 100644
+--- a/libfreerdp/core/info.c
++++ b/libfreerdp/core/info.c
+@@ -1424,7 +1424,7 @@ static BOOL rdp_write_logon_info_v1(wStream* s, logon_info* info)
+ return TRUE;
+ }
+
+-static BOOL rdp_write_logon_info_v2(wStream* s, logon_info* info)
++static BOOL rdp_write_logon_info_v2(wStream* s, const logon_info* info)
+ {
+ size_t domainLen = 0;
+ size_t usernameLen = 0;
+@@ -1439,11 +1439,13 @@ static BOOL rdp_write_logon_info_v2(wStream* s, logon_info* info)
+ */
+ Stream_Write_UINT32(s, logonInfoV2Size);
+ Stream_Write_UINT32(s, info->sessionId);
+- domainLen = strnlen(info->domain, UINT32_MAX);
++ if (info->domain)
++ domainLen = strnlen(info->domain, UINT32_MAX);
+ if (domainLen >= UINT32_MAX / sizeof(WCHAR))
+ return FALSE;
+ Stream_Write_UINT32(s, (UINT32)(domainLen + 1) * sizeof(WCHAR));
+- usernameLen = strnlen(info->username, UINT32_MAX);
++ if (info->username)
++ usernameLen = strnlen(info->username, UINT32_MAX);
+ if (usernameLen >= UINT32_MAX / sizeof(WCHAR))
+ return FALSE;
+ Stream_Write_UINT32(s, (UINT32)(usernameLen + 1) * sizeof(WCHAR));
+@@ -1510,10 +1512,11 @@ static BOOL rdp_write_logon_info_ex(wStream* s, logon_info_ex* info)
+
+ BOOL rdp_send_save_session_info(rdpContext* context, UINT32 type, void* data)
+ {
+- wStream* s = NULL;
+ BOOL status = 0;
++
++ WINPR_ASSERT(context);
+ rdpRdp* rdp = context->rdp;
+- s = rdp_data_pdu_init(rdp);
++ wStream* s = rdp_data_pdu_init(rdp);
+
+ if (!s)
+ return FALSE;
diff --git a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
index 18795551ec..c570e5fb7e 100644
--- a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
@@ -22,6 +22,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
 file://CVE-2025-4478.patch \
 file://CVE-2026-25941.patch \
 file://CVE-2026-33952.patch \
+ file://CVE-2026-23948.patch \
 "
 
 S = "${WORKDIR}/git"
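Review bot: In the added CVE-2026-23948.patch, the new `if (info->domain)` and `if (info->username)` guards in rdp_write_logon_info_v2 protect only the two `strnlen` calls; the code that actually serializes the two strings into the stream lies past the end of that hunk, so it cannot be seen here whether it accepts a NULL pointer together with a length of 0. Because this is a backport onto 3.4.0 rather than the tree the upstream commit was written against, that should be confirmed on the 3.4.0 sources, and a short comment such as `/* domain/username may be NULL; the length then stays 0 */` above the guards would record the intent. In the rdp_send_save_session_info hunk, `WINPR_ASSERT(context);` states the contract but, depending on how assertions are configured for the build, either aborts or compiles away, so it is not a graceful runtime check; `if (!context) return FALSE;` would be one if any caller can pass NULL.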