freerdp: patch CVE-2026-22855

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22855 The related Github advisory[1] describes the problem along with analyzing where the vulnerability is in the codebase. I looked up the commit that recently performed the changes from the analysis, and backported it. [1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rwp3-g84r-6mx9 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-02-10 06:48:01 +0100
committer: Khem Raj <raj.khem@gmail.com> 2026-02-10 21:11:45 -0800
commit: 48dc68c36699583c2d7e4521464e8dce4c31bbba (patch)
tree: f7c016b1ffc8ae071a0cc72d64fbaab13f200b3f
parent: 0b61ca33555feb7db8fffa93e83d0b626c551e8c (diff)
download: meta-openembedded-48dc68c36699583c2d7e4521464e8dce4c31bbba.tar.gz
2 files changed, 84 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22855.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22855.patch
new file mode 100644
index 0000000000..ec0c3a75ec
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22855.patch
@@ -0,0 +1,83 @@
+From df1132783e49ebeaa30206a67b70c7a37f3c5650 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Sun, 11 Jan 2026 09:03:57 +0100
+Subject: [PATCH] add length validity checks
+From: akallabeth <akallabeth@posteo.net>
+in smartcard_unpack_set_attrib_call input length validity checks were
+missing.
+CVE: CVE-2026-22855
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/57c5647d98c2a026de8b681159cb188ca0439ef8]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ channels/smartcard/client/smartcard_pack.c | 27 +++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+diff --git a/channels/smartcard/client/smartcard_pack.c b/channels/smartcard/client/smartcard_pack.c
+index f70eb4e5d..c0673e066 100644
+--- a/channels/smartcard/client/smartcard_pack.c
+++ b/channels/smartcard/client/smartcard_pack.c
+@@ -98,8 +98,8 @@ static BOOL smartcard_ndr_pointer_read_(wStream* s, UINT32* index, UINT32* ptr,
+        return TRUE;
+ }
+ 
+-static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t elementSize,
+-                               ndr_ptr_t type)
+static LONG smartcard_ndr_read_ex(wStream* s, BYTE** data, size_t min, size_t elementSize,
+                               ndr_ptr_t type, size_t* plen)
+ {
+        size_t len, offset, len2;
+        void* r;
+@@ -125,6 +125,9 @@ static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t eleme
+                return STATUS_BUFFER_TOO_SMALL;
+        }
+ 
+       if (plen)
+               *plen = 0;
+
+        switch (type)
+        {
+                case NDR_PTR_FULL:
+@@ -181,11 +184,20 @@ static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t eleme
+        if (!r)
+                return SCARD_E_NO_MEMORY;
+        Stream_Read(s, r, len);
+-       smartcard_unpack_read_size_align(NULL, s, len, 4);
+       const LONG pad = smartcard_unpack_read_size_align(NULL, s, len, 4);
+       len += (size_t)pad;
+        *data = r;
+       if (plen)
+               *plen = len;
+        return STATUS_SUCCESS;
+ }
+ 
+static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t elementSize,
+                               ndr_ptr_t type)
+{
+       return smartcard_ndr_read_ex(s, data, min, elementSize, type, NULL);
+}
+
+ static BOOL smartcard_ndr_pointer_write(wStream* s, UINT32* index, DWORD length)
+ {
+        const UINT32 ndrPtr = 0x20000 + (*index) * 4;
+@@ -3427,12 +3439,15 @@ LONG smartcard_unpack_set_attrib_call(SMARTCARD_DEVICE* smartcard, wStream* s, S
+ 
+        if (ndrPtr)
+        {
+-               // TODO: call->cbAttrLen was larger than the pointer value.
+-               // TODO: Maybe need to refine the checks?
+-               status = smartcard_ndr_read(s, &call->pbAttr, 0, 1, NDR_PTR_SIMPLE);
+               size_t len = 0;
+               status = smartcard_ndr_read_ex(s, &call->pbAttr, 0, 1, NDR_PTR_SIMPLE, &len);
+                if (status != SCARD_S_SUCCESS)
+                        return status;
+               if (call->cbAttrLen > len)
+                       call->cbAttrLen = (DWORD)(len);
+        }
+       else
+               call->cbAttrLen = 0;
+        smartcard_trace_set_attrib_call(smartcard, call);
+        return SCARD_S_SUCCESS;
+ }
diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb b/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb
index 0bdf56938b..3ee4f99c1a 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb
@@ -25,6 +25,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https
           file://0001-Fixed-compilation-warnings-in-ainput-channel.patch \
           file://CVE-2024-32661.patch \
           file://CVE-2026-22854.patch \
+           file://CVE-2026-22855.patch \
           "
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-02-10 06:48:01 +0100
committer	Khem Raj <raj.khem@gmail.com>	2026-02-10 21:11:45 -0800
commit	48dc68c36699583c2d7e4521464e8dce4c31bbba (patch)
tree	f7c016b1ffc8ae071a0cc72d64fbaab13f200b3f
parent	0b61ca33555feb7db8fffa93e83d0b626c551e8c (diff)
download	meta-openembedded-48dc68c36699583c2d7e4521464e8dce4c31bbba.tar.gz

diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22855.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22855.patch new file mode 100644 index 0000000000..ec0c3a75ec --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-22855.patch
@@ -0,0 +1,83 @@
		1	From df1132783e49ebeaa30206a67b70c7a37f3c5650 Mon Sep 17 00:00:00 2001
		2	From: Gyorgy Sarvari <skandigraun@gmail.com>
		3	Date: Sun, 11 Jan 2026 09:03:57 +0100
		4	Subject: [PATCH] add length validity checks
		5
		6	From: akallabeth <akallabeth@posteo.net>
		7
		8	in smartcard_unpack_set_attrib_call input length validity checks were
		9	missing.
		10
		11	CVE: CVE-2026-22855
		12	Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/57c5647d98c2a026de8b681159cb188ca0439ef8]
		13	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		14	---
		15	channels/smartcard/client/smartcard_pack.c \| 27 +++++++++++++++++-----
		16	1 file changed, 21 insertions(+), 6 deletions(-)
		17
		18	diff --git a/channels/smartcard/client/smartcard_pack.c b/channels/smartcard/client/smartcard_pack.c
		19	index f70eb4e5d..c0673e066 100644
		20	--- a/channels/smartcard/client/smartcard_pack.c
		21	+++ b/channels/smartcard/client/smartcard_pack.c
		22	@@ -98,8 +98,8 @@ static BOOL smartcard_ndr_pointer_read_(wStream* s, UINT32* index, UINT32* ptr,
		23	return TRUE;
		24	}
		25
		26	-static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t elementSize,
		27	- ndr_ptr_t type)
		28	+static LONG smartcard_ndr_read_ex(wStream* s, BYTE** data, size_t min, size_t elementSize,
		29	+ ndr_ptr_t type, size_t* plen)
		30	{
		31	size_t len, offset, len2;
		32	void* r;
		33	@@ -125,6 +125,9 @@ static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t eleme
		34	return STATUS_BUFFER_TOO_SMALL;
		35	}
		36
		37	+ if (plen)
		38	+ *plen = 0;
		39	+
		40	switch (type)
		41	{
		42	case NDR_PTR_FULL:
		43	@@ -181,11 +184,20 @@ static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t eleme
		44	if (!r)
		45	return SCARD_E_NO_MEMORY;
		46	Stream_Read(s, r, len);
		47	- smartcard_unpack_read_size_align(NULL, s, len, 4);
		48	+ const LONG pad = smartcard_unpack_read_size_align(NULL, s, len, 4);
		49	+ len += (size_t)pad;
		50	*data = r;
		51	+ if (plen)
		52	+ *plen = len;
		53	return STATUS_SUCCESS;
		54	}
		55
		56	+static LONG smartcard_ndr_read(wStream* s, BYTE** data, size_t min, size_t elementSize,
		57	+ ndr_ptr_t type)
		58	+{
		59	+ return smartcard_ndr_read_ex(s, data, min, elementSize, type, NULL);
		60	+}
		61	+
		62	static BOOL smartcard_ndr_pointer_write(wStream* s, UINT32* index, DWORD length)
		63	{
		64	const UINT32 ndrPtr = 0x20000 + (index) 4;
		65	@@ -3427,12 +3439,15 @@ LONG smartcard_unpack_set_attrib_call(SMARTCARD_DEVICE* smartcard, wStream* s, S
		66
		67	if (ndrPtr)
		68	{
		69	- // TODO: call->cbAttrLen was larger than the pointer value.
		70	- // TODO: Maybe need to refine the checks?
		71	- status = smartcard_ndr_read(s, &call->pbAttr, 0, 1, NDR_PTR_SIMPLE);
		72	+ size_t len = 0;
		73	+ status = smartcard_ndr_read_ex(s, &call->pbAttr, 0, 1, NDR_PTR_SIMPLE, &len);
		74	if (status != SCARD_S_SUCCESS)
		75	return status;
		76	+ if (call->cbAttrLen > len)
		77	+ call->cbAttrLen = (DWORD)(len);
		78	}
		79	+ else
		80	+ call->cbAttrLen = 0;
		81	smartcard_trace_set_attrib_call(smartcard, call);
		82	return SCARD_S_SUCCESS;
		83	}


diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb b/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb index 0bdf56938b..3ee4f99c1a 100644 --- a/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb +++ b/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb
@@ -25,6 +25,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https
25	file://0001-Fixed-compilation-warnings-in-ainput-channel.patch \	25	file://0001-Fixed-compilation-warnings-in-ainput-channel.patch \
26	file://CVE-2024-32661.patch \	26	file://CVE-2024-32661.patch \
27	file://CVE-2026-22854.patch \	27	file://CVE-2026-22854.patch \
		28	file://CVE-2026-22855.patch \
28	"	29	"
29		30
30		31