[oe][meta-oe][scarthgap][PATCH 3/5] freerdp3: patch CVE-2025-4478

Ankur Tyagi via lists.openembedded.org Tue, 18 Nov 2025 03:03:36 -0800

From: Ankur Tyagi <[email protected]>

Details https://nvd.nist.gov/vuln/detail/CVE-2025-4478


Signed-off-by: Ankur Tyagi <[email protected]>
---
 .../freerdp/freerdp3/CVE-2025-4478.patch      | 60 +++++++++++++++++++
 .../recipes-support/freerdp/freerdp3_3.4.0.bb |  1 +
 2 files changed, 61 insertions(+)
 create mode 100644 meta-oe/recipes-support/freerdp/freerdp3/CVE-2025-4478.patch

diff --git a/meta-oe/recipes-support/freerdp/freerdp3/CVE-2025-4478.patch 
b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2025-4478.patch
new file mode 100644
index 0000000000..f1315a38da
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp3/CVE-2025-4478.patch
@@ -0,0 +1,60 @@
+From 36cd5554b50656f3492197f0fc02534dcc6b980f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonas=20=C3=85dahl?= <[email protected]>
+Date: Tue, 13 May 2025 10:34:08 +0200
+Subject: [PATCH] transport: Initialize function pointers after resource
+ allocation
+
+The transport instance is freed when an error occurs.
+If the TransportDisconnect function pointer is initialized it
+causes SIGSEGV during free.
+
+CVE: CVE-2025-4478
+Upstream-Status: Backport 
[https://github.com/FreeRDP/FreeRDP/commit/a4bb702aa62e4fad91ca99142de075265555ec18]
+(cherry picked from commit a4bb702aa62e4fad91ca99142de075265555ec18)
+Signed-off-by: Ankur Tyagi <[email protected]>
+---
+ libfreerdp/core/transport.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/libfreerdp/core/transport.c b/libfreerdp/core/transport.c
+index a2a899b79..552a28a60 100644
+--- a/libfreerdp/core/transport.c
++++ b/libfreerdp/core/transport.c
+@@ -1560,18 +1560,6 @@ rdpTransport* transport_new(rdpContext* context)
+       if (!transport->log)
+               goto fail;
+ 
+-      // transport->io.DataHandler = transport_data_handler;
+-      transport->io.TCPConnect = freerdp_tcp_default_connect;
+-      transport->io.TLSConnect = transport_default_connect_tls;
+-      transport->io.TLSAccept = transport_default_accept_tls;
+-      transport->io.TransportAttach = transport_default_attach;
+-      transport->io.TransportDisconnect = transport_default_disconnect;
+-      transport->io.ReadPdu = transport_default_read_pdu;
+-      transport->io.WritePdu = transport_default_write;
+-      transport->io.ReadBytes = transport_read_layer;
+-      transport->io.GetPublicKey = transport_default_get_public_key;
+-      transport->io.SetBlockingMode = transport_default_set_blocking_mode;
+-
+       transport->context = context;
+       transport->ReceivePool = StreamPool_New(TRUE, BUFFER_SIZE);
+ 
+@@ -1610,6 +1598,18 @@ rdpTransport* transport_new(rdpContext* context)
+       if (!InitializeCriticalSectionAndSpinCount(&(transport->WriteLock), 
4000))
+               goto fail;
+ 
++      // transport->io.DataHandler = transport_data_handler;
++      transport->io.TCPConnect = freerdp_tcp_default_connect;
++      transport->io.TLSConnect = transport_default_connect_tls;
++      transport->io.TLSAccept = transport_default_accept_tls;
++      transport->io.TransportAttach = transport_default_attach;
++      transport->io.TransportDisconnect = transport_default_disconnect;
++      transport->io.ReadPdu = transport_default_read_pdu;
++      transport->io.WritePdu = transport_default_write;
++      transport->io.ReadBytes = transport_read_layer;
++      transport->io.GetPublicKey = transport_default_get_public_key;
++      transport->io.SetBlockingMode = transport_default_set_blocking_mode;
++
+       return transport;
+ fail:
+       WINPR_PRAGMA_DIAG_PUSH
diff --git a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb 
b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
index a272ba0ecb..3558697d42 100644
--- a/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp3_3.4.0.bb
@@ -19,6 +19,7 @@ SRC_URI = 
"git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
            file://CVE-2024-32660.patch \
            file://CVE-2024-32661.patch \
            file://CVE-2024-32662.patch \
+           file://CVE-2025-4478.patch \
            "
 
 S = "${WORKDIR}/git"

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#121854): 
https://lists.openembedded.org/g/openembedded-devel/message/121854
Mute This Topic: https://lists.openembedded.org/mt/116354279/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

[oe][meta-oe][scarthgap][PATCH 3/5] freerdp3: patch CVE-2025-4478

Reply via email to