diff options
| author | Ankur Tyagi <ankur.tyagi85@gmail.com> | 2026-04-09 19:09:02 +1200 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-04-13 12:40:21 +0530 |
| commit | c9763be62bd07cefb906649011de2034ef4702a3 (patch) | |
| tree | e1834b506d3b4ebc0cabe401aec2db18d4c5f867 /meta-oe | |
| parent | a0221753e4a71c8d0dc72275ac40abd604ad30b7 (diff) | |
| download | meta-openembedded-c9763be62bd07cefb906649011de2034ef4702a3.tar.gz | |
freerdp3: fix CVE-2026-24491
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24491
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-oe')
| -rw-r--r-- | meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-24491.patch | 52 | ||||
| -rw-r--r-- | meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb | 1 |
2 files changed, 53 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-24491.patch b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-24491.patch new file mode 100644 index 0000000000..958d030bfd --- /dev/null +++ b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2026-24491.patch | |||
| @@ -0,0 +1,52 @@ | |||
| 1 | From ef948ef4659f59c10a71083fa8cb5d5da77e94a9 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: akallabeth <akallabeth@posteo.net> | ||
| 3 | Date: Mon, 26 Jan 2026 10:06:29 +0100 | ||
| 4 | Subject: [PATCH] [channels,drdynvc] reset channel_callback before close | ||
| 5 | |||
| 6 | The channel_callback usually frees up the memory of the callback. To | ||
| 7 | ensure that there is no access to any of the data structures in it | ||
| 8 | invalidate the pointer used to access it before a free. | ||
| 9 | |||
| 10 | CVE: CVE-2026-24491 | ||
| 11 | Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/e02e052f6692550e539d10f99de9c35a23492db2] | ||
| 12 | Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> | ||
| 13 | --- | ||
| 14 | channels/drdynvc/client/drdynvc_main.c | 6 ++---- | ||
| 15 | 1 file changed, 2 insertions(+), 4 deletions(-) | ||
| 16 | |||
| 17 | diff --git a/channels/drdynvc/client/drdynvc_main.c b/channels/drdynvc/client/drdynvc_main.c | ||
| 18 | index 0b85c0fe3..64c83333a 100644 | ||
| 19 | --- a/channels/drdynvc/client/drdynvc_main.c | ||
| 20 | +++ b/channels/drdynvc/client/drdynvc_main.c | ||
| 21 | @@ -485,14 +485,13 @@ static UINT dvcman_channel_close(DVCMAN_CHANNEL* channel, BOOL perRequest, BOOL | ||
| 22 | channel->state = DVC_CHANNEL_CLOSED; | ||
| 23 | |||
| 24 | IWTSVirtualChannelCallback* cb = channel->channel_callback; | ||
| 25 | + channel->channel_callback = NULL; | ||
| 26 | if (cb) | ||
| 27 | { | ||
| 28 | check_open_close_receive(channel); | ||
| 29 | IFCALL(cb->OnClose, cb); | ||
| 30 | } | ||
| 31 | |||
| 32 | - channel->channel_callback = NULL; | ||
| 33 | - | ||
| 34 | if (channel->dvcman && channel->dvcman->drdynvc) | ||
| 35 | { | ||
| 36 | if (context) | ||
| 37 | @@ -763,14 +762,13 @@ out: | ||
| 38 | */ | ||
| 39 | static UINT dvcman_open_channel(drdynvcPlugin* drdynvc, DVCMAN_CHANNEL* channel) | ||
| 40 | { | ||
| 41 | - IWTSVirtualChannelCallback* pCallback = NULL; | ||
| 42 | UINT error = CHANNEL_RC_OK; | ||
| 43 | |||
| 44 | WINPR_ASSERT(drdynvc); | ||
| 45 | WINPR_ASSERT(channel); | ||
| 46 | if (channel->state == DVC_CHANNEL_RUNNING) | ||
| 47 | { | ||
| 48 | - pCallback = channel->channel_callback; | ||
| 49 | + IWTSVirtualChannelCallback* pCallback = channel->channel_callback; | ||
| 50 | |||
| 51 | if (pCallback->OnOpen) | ||
| 52 | { | ||
diff --git a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb index c570e5fb7e..e66a4ed4da 100644 --- a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb +++ b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb | |||
| @@ -23,6 +23,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \ | |||
| 23 | file://CVE-2026-25941.patch \ | 23 | file://CVE-2026-25941.patch \ |
| 24 | file://CVE-2026-33952.patch \ | 24 | file://CVE-2026-33952.patch \ |
| 25 | file://CVE-2026-23948.patch \ | 25 | file://CVE-2026-23948.patch \ |
| 26 | file://CVE-2026-24491.patch \ | ||
| 26 | " | 27 | " |
| 27 | 28 | ||
| 28 | S = "${WORKDIR}/git" | 29 | S = "${WORKDIR}/git" |
