Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected] Control: affects -1 + src:freerdp3 User: [email protected] Usertags: pu
[ Reason ] There's one more security fix from upstream, back-ported to the debian version of freerdp3 - CVE-2026-40254 - it is possible to escape specified path when sharing files through freerdp client. [ Tests ] The resulting binaries works, including transferring files the normal way. I haven't tried exploiting the bug to see if it's fixed, though. [ Risks ] This change, unlike the previous ones, is a low-risk change, because it's small and confined in the code which didn't change much in subsequent (after debian) upstream releases, and the fix is small too. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Other info ] In order for the actual patch to apply cleanly, I picked up another change in this area too, which is a warning fix. Thanks, /mjt
diff -Nru freerdp3-3.15.0+dfsg/debian/changelog freerdp3-3.15.0+dfsg/debian/changelog
--- freerdp3-3.15.0+dfsg/debian/changelog 2026-04-03 18:45:10.000000000 +0300
+++ freerdp3-3.15.0+dfsg/debian/changelog 2026-05-06 11:13:18.000000000 +0300
@@ -1,3 +1,15 @@ +freerdp3 (3.15.0+dfsg-2.1+deb13u3) trixie; urgency=medium + + * security fix from 3.25.0: + + CVE-2026-40254 off-by-one in the path traversal filter in + channels/drive/client/drive_file.c:contains_dotdot() + https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3xpj-m4hx-8vmx + clang-warnings-fix-Wjump-misses-init.patch + channels-drive-refine-bounds-checks-CVE-2026-40254.patch + + -- Michael Tokarev <[email protected]> Wed, 06 May 2026 11:13:18 +0300 + freerdp3 (3.15.0+dfsg-2.1+deb13u2) trixie; urgency=medium * security fixes for client from 3.24.0 (medium): diff -Nru freerdp3-3.15.0+dfsg/debian/patches/channels-drive-refine-bounds-checks-CVE-2026-40254.patch freerdp3-3.15.0+dfsg/debian/patches/channels-drive-refine-bounds-checks-CVE-2026-40254.patch --- freerdp3-3.15.0+dfsg/debian/patches/channels-drive-refine-bounds-checks-CVE-2026-40254.patch 1970-01-01 03:00:00.000000000 +0300 +++ freerdp3-3.15.0+dfsg/debian/patches/channels-drive-refine-bounds-checks-CVE-2026-40254.patch 2026-05-06 11:04:05.000000000 +0300 
@@ -0,0 +1,39 @@
+From: Armin Novak <[email protected]>
+Date: Fri, 10 Apr 2026 08:45:55 +0200
+Subject: [channels,drive] refine bounds checks
+Origin: upstream, https://github.com/FreeRDP/FreeRDP/commit/f502dbb8462597fbe5b97f890359dfdecb525bf7
+Forwarded: not-needed
+Bug: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3xpj-m4hx-8vmx
+Bug: https://security-tracker.debian.org/tracker/CVE-2026-40254
+Comment: context & nullptr fixups for 3.15 by mjt
+
+* better logging, fix wrong path component printed
+* ensure path does not end with path/..
+
+diff --git a/channels/drive/client/drive_file.c b/channels/drive/client/drive_file.c
+--- a/channels/drive/client/drive_file.c
++++ b/channels/drive/client/drive_file.c
+@@ -113,6 +113,8 @@ static BOOL contains_dotdot(const WCHAR* path, size_t base_length, size_t path_l
+ if ((tst[2] == '/') || (tst[2] == '\\'))
+ return TRUE;
+ }
++ else
++ return TRUE;
+ }
+ tst += 2;
+ } while (TRUE);
+@@ -147,11 +149,10 @@ static WCHAR* drive_file_combine_fullpath(const WCHAR* base_path, const WCHAR* p
+ /* Ensure the path does not contain sequences like '..' */
+ if (contains_dotdot(&fullpath[base_path_length], base_path_length, PathWCharLength))
+ {
+- char abuffer[MAX_PATH] = { 0 };
+- (void)ConvertWCharToUtf8(&fullpath[base_path_length], abuffer, ARRAYSIZE(abuffer));
+-
++ char* abuffer = ConvertWCharToUtf8Alloc(&fullpath[base_path_length], NULL);
+ WLog_WARN(TAG, "[rdpdr] received invalid file path '%s' from server, aborting!",
+- &abuffer[base_path_length]);
++ abuffer);
++ free(abuffer);
+ goto fail;
+ }
+ }
diff -Nru freerdp3-3.15.0+dfsg/debian/patches/clang-warnings-fix-Wjump-misses-init.patch freerdp3-3.15.0+dfsg/debian/patches/clang-warnings-fix-Wjump-misses-init.patch
--- freerdp3-3.15.0+dfsg/debian/patches/clang-warnings-fix-Wjump-misses-init.patch 1970-01-01 03:00:00.000000000 +0300
+++ freerdp3-3.15.0+dfsg/debian/patches/clang-warnings-fix-Wjump-misses-init.patch 2026-05-06 11:04:05.000000000 +0300
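Review bot: In the second inner hunk (`drive_file_combine_fullpath`) the result of `ConvertWCharToUtf8Alloc(&fullpath[base_path_length], NULL)` goes into the `%s` of `WLog_WARN` without a NULL check; the call can return NULL (allocation failure, or a server-supplied name that does not convert), and a NULL `%s` argument is undefined behaviour on the very path that handles a hostile name. Logging `abuffer ? abuffer : "<unconvertible path>"` keeps the rejection path safe, and `free(abuffer)` already tolerates NULL. The logged string is server-controlled, so whatever consumes this log should treat it as untrusted text. For the first inner hunk, the `if` that the new `else return TRUE;` pairs with starts outside the hunk and the report states the fix was not exercised, so a regression test for a path that ends in `..` would confirm the boundary the patch description names.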
@@ -0,0 +1,87 @@
+From: Armin Novak <[email protected]>
+Date: Thu, 8 Jan 2026 10:32:29 +0100
+Subject: [clang,warnings] fix Wjump-misses-init
+Origin: upstream, https://github.com/FreeRDP/FreeRDP/commit/15b0085ddfbb0e98ad189311fe9d652ea502adcc
+Forwarded: not-needed
+Comment: preparation for CVE-2026-40254 fix
+
+---
+ channels/drive/client/drive_file.c | 50 ++++++++++++++++--------------
+ 1 file changed, 27 insertions(+), 23 deletions(-)
+
+diff --git a/channels/drive/client/drive_file.c b/channels/drive/client/drive_file.c
+--- a/channels/drive/client/drive_file.c
++++ b/channels/drive/client/drive_file.c
+@@ -129,29 +129,31 @@ static WCHAR* drive_file_combine_fullpath(const WCHAR* base_path, const WCHAR* p
+ if (!base_path || (!path && (PathWCharLength > 0)))
+ goto fail;
+
+- const size_t base_path_length = _wcsnlen(base_path, MAX_PATH);
+- const size_t length = base_path_length + PathWCharLength + 1;
+- fullpath = (WCHAR*)calloc(length, sizeof(WCHAR));
++ {
++ const size_t base_path_length = _wcsnlen(base_path, MAX_PATH);
++ const size_t length = base_path_length + PathWCharLength + 1;
++ fullpath = (WCHAR*)calloc(length, sizeof(WCHAR));
+
+- if (!fullpath)
+- goto fail;
++ if (!fullpath)
++ goto fail;
+
+- CopyMemory(fullpath, base_path, base_path_length * sizeof(WCHAR));
+- if (path)
+- CopyMemory(&fullpath[base_path_length], path, PathWCharLength * sizeof(WCHAR));
++ CopyMemory(fullpath, base_path, base_path_length * sizeof(WCHAR));
++ if (path)
++ CopyMemory(&fullpath[base_path_length], path, PathWCharLength * sizeof(WCHAR));
+
+- if (!drive_file_fix_path(fullpath, length))
+- goto fail;
++ if (!drive_file_fix_path(fullpath, length))
++ goto fail;
+
+- /* Ensure the path does not contain sequences like '..' */
+- if (contains_dotdot(&fullpath[base_path_length], base_path_length, PathWCharLength))
+- {
+- char abuffer[MAX_PATH] = { 0 };
+- (void)ConvertWCharToUtf8(&fullpath[base_path_length], abuffer, ARRAYSIZE(abuffer));
++ /* Ensure the path does not contain sequences like '..' */
++ if (contains_dotdot(&fullpath[base_path_length], base_path_length, PathWCharLength))
++ {
++ char abuffer[MAX_PATH] = { 0 };
++ (void)ConvertWCharToUtf8(&fullpath[base_path_length], abuffer, ARRAYSIZE(abuffer));
+
+- WLog_WARN(TAG, "[rdpdr] received invalid file path '%s' from server, aborting!",
+- &abuffer[base_path_length]);
+- goto fail;
++ WLog_WARN(TAG, "[rdpdr] received invalid file path '%s' from server, aborting!",
++ &abuffer[base_path_length]);
++ goto fail;
++ }
+ }
+
+ ok = TRUE;
+@@ -617,12 +619,14 @@ BOOL drive_file_query_information(DRIVE_FILE* file, UINT32 FsInformationClass, w
+
+ /* If we failed before (i.e. if information for a drive is queried) fall back to
+ * GetFileAttributesExW */
+- WIN32_FILE_ATTRIBUTE_DATA fileAttributes = { 0 };
+- if (!GetFileAttributesExW(file->fullpath, GetFileExInfoStandard, &fileAttributes))
+- goto out_fail;
++ {
++ WIN32_FILE_ATTRIBUTE_DATA fileAttributes = { 0 };
++ if (!GetFileAttributesExW(file->fullpath, GetFileExInfoStandard, &fileAttributes))
++ goto out_fail;
+
+- if (!drive_file_query_from_attributes(file, &fileAttributes, FsInformationClass, output))
+- goto out_fail;
++ if (!drive_file_query_from_attributes(file, &fileAttributes, FsInformationClass, output))
++ goto out_fail;
++ }
+
+ return TRUE;
+ out_fail:
+--
+2.47.3
+
diff -Nru freerdp3-3.15.0+dfsg/debian/patches/series freerdp3-3.15.0+dfsg/debian/patches/series
--- freerdp3-3.15.0+dfsg/debian/patches/series 2026-04-03 18:45:10.000000000 +0300
+++ freerdp3-3.15.0+dfsg/debian/patches/series 2026-05-06 11:04:05.000000000 +0300
@@ -100,3 +100,6 @@
 codec-h264-update-H264_CONTEXT-width-height-after-al-CVE-2026-33986.patch
 cache-persistent-update-PERSISTENT_CACHE_ENTRY-size--CVE-2026-33987.patch
 cache-persist-use-winpr_aligned_calloc-CVE-2026-33982.patch
+# 3.25.0:
+clang-warnings-fix-Wjump-misses-init.patch
+channels-drive-refine-bounds-checks-CVE-2026-40254.patch

