[oe] [meta-oe][kirkstone][PATCH 3/5] freerdp: patch CVE-2024-32459

Thu, 22 Jan 2026 22:43:40 -0800 

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-32459

Pick the patch that is marked to resolve this vulnerability by
the relevant Github advisory[1].

[1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cp4q-p737-rmw9

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../freerdp/freerdp/CVE-2024-32459.patch      | 31 +++++++++++++++++++
 .../recipes-support/freerdp/freerdp_2.6.1.bb  |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32459.patch

diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32459.patch 
b/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32459.patch
new file mode 100644
index 0000000000..ed665da447
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2024-32459.patch
@@ -0,0 +1,31 @@
+From 7570f1a12a5718a47c4260130e6a05fd518e1268 Mon Sep 17 00:00:00 2001
+From: akallabeth <[email protected]>
+Date: Tue, 16 Apr 2024 08:45:03 +0200
+Subject: [PATCH] fix missing input length check
+
+(cherry picked from commit dbe5d521001789511bbf1db97c9bc565d168e03b)
+
+CVE: CVE-2024-32459
+Upstream-Status: Backport 
[https://github.com/FreeRDP/FreeRDP/commit/b70c8e989d2807cea47bbf89e57700b5a10b2ca7]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ libfreerdp/codec/ncrush.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libfreerdp/codec/ncrush.c b/libfreerdp/codec/ncrush.c
+index c1d622a9c..199f1ed7c 100644
+--- a/libfreerdp/codec/ncrush.c
++++ b/libfreerdp/codec/ncrush.c
+@@ -2041,6 +2041,12 @@ int ncrush_decompress(NCRUSH_CONTEXT* ncrush, BYTE* 
pSrcData, UINT32 SrcSize, BY
+               return 1;
+       }
+ 
++      if (SrcSize < 4)
++      {
++              WLog_ERR(TAG, "Input size short: SrcSize %" PRIu32 " < 4", 
SrcSize);
++              return -1;
++      }
++
+       const BYTE* SrcEnd = &pSrcData[SrcSize];
+       const BYTE* SrcPtr = pSrcData + 4;
+ 
diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb 
b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
index 0a01b2095a..6d98ad36f7 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_2.6.1.bb
@@ -35,6 +35,7 @@ SRC_URI = 
"git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https
            file://CVE-2024-32039.patch \
            file://CVE-2024-32040.patch \
            file://CVE-2024-32458.patch \
+           file://CVE-2024-32459.patch \
            "
 
 S = "${WORKDIR}/git"

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#123766): 
https://lists.openembedded.org/g/openembedded-devel/message/123766
Mute This Topic: https://lists.openembedded.org/mt/117414250/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to