Details: https://nvd.nist.gov/vuln/detail/CVE-2026-23532
The related Github advisory[1] contains a detailed analysis about the vulnerability. Pick the patch that describes the same issue in its description.

[1]: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fq8c-87hj-7gvr

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../freerdp/freerdp/CVE-2026-23532.patch | 49 +++++++++++++++++++
 .../recipes-support/freerdp/freerdp_2.11.7.bb | 1 +
 2 files changed, 50 insertions(+)
 create mode 100644 meta-oe/recipes-support/freerdp/freerdp/CVE-2026-23532.patch

diff --git a/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-23532.patch b/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-23532.patch
new file mode 100644
index 0000000000..80d4af30b9
--- /dev/null
+++ b/meta-oe/recipes-support/freerdp/freerdp/CVE-2026-23532.patch
@@ -0,0 +1,49 @@
+From 51929613e6897489736a35eaaf14a3accf143963 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <[email protected]>
+Date: Thu, 15 Jan 2026 12:04:36 +0100
+Subject: [PATCH] properly clamp SurfaceToSurface
+
+From: akallabeth <[email protected]>
+
+CVE: CVE-2026-23532
+Upstream-Status: Backport [https://github.com/FreeRDP/FreeRDP/commit/c4a7c371342edf0d307cea728f56d3302f0ab38c]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ libfreerdp/gdi/gfx.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/libfreerdp/gdi/gfx.c b/libfreerdp/gdi/gfx.c
+index 3970715e0..812568bbb 100644
+--- a/libfreerdp/gdi/gfx.c
++++ b/libfreerdp/gdi/gfx.c
+@@ -1175,7 +1175,6 @@ static UINT gdi_SurfaceToSurface(RdpgfxClientContext* context,
+ UINT status = ERROR_INTERNAL_ERROR;
+ UINT16 index;
+ BOOL sameSurface;
+- UINT32 nWidth, nHeight;
+ const RECTANGLE_16* rectSrc;
+ RECTANGLE_16 invalidRect;
+ gdiGfxSurface* surfaceSrc;
+@@ -1199,8 +1198,8 @@ static UINT gdi_SurfaceToSurface(RdpgfxClientContext* context,
+ if (!is_rect_valid(rectSrc, surfaceSrc->width, surfaceSrc->height))
+ goto fail;
+ 
+- nWidth = rectSrc->right - rectSrc->left;
+- nHeight = rectSrc->bottom - rectSrc->top;
++ const UINT32 nWidth = rectSrc->right - rectSrc->left;
++ const UINT32 nHeight = rectSrc->bottom - rectSrc->top;
+ 
+ for (index = 0; index < surfaceToSurface->destPtsCount; index++)
+ {
+@@ -1209,8 +1208,10 @@ static UINT gdi_SurfaceToSurface(RdpgfxClientContext* context,
+ if (!is_rect_valid(&rect, surfaceDst->width, surfaceDst->height))
+ goto fail;
+ 
++ const UINT32 rwidth = rect.right - rect.left;
++ const UINT32 rheight = rect.bottom - rect.top;
+ if (!freerdp_image_copy(surfaceDst->data, surfaceDst->format, surfaceDst->scanline,
+- destPt->x, destPt->y, nWidth, nHeight, surfaceSrc->data,
++ destPt->x, destPt->y, rwidth, rheight, surfaceSrc->data,
+ surfaceSrc->format, surfaceSrc->scanline, rectSrc->left,
+ rectSrc->top, NULL, FREERDP_FLIP_NONE))
+ goto fail;
diff --git a/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb b/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb
index d4efcccdbd..dff3f6dafe 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_2.11.7.bb
@@ -28,6 +28,7 @@ SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https
 file://CVE-2026-22855.patch \
 file://CVE-2026-22852.patch \
 file://CVE-2026-23530.patch \
+ file://CVE-2026-23532.patch \
 "
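Review bot: The new `rwidth`/`rheight` extents are handed to `freerdp_image_copy` as both the destination and the source size, but the hunk only validates them against the destination surface via `is_rect_valid(&rect, surfaceDst->width, surfaceDst->height)`; the source read at `rectSrc->left, rectSrc->top` stays inside `surfaceSrc` only if `rwidth <= nWidth` and `rheight <= nHeight`, and that depends on how `rect` is derived from `destPt` and `nWidth`/`nHeight` in the lines between the second and third hunk, which this backport does not show. A cheap local guard makes the invariant explicit and survives future edits to the rect construction: `if (rwidth > nWidth || rheight > nHeight) goto fail;` placed right after the two new declarations. Since `nWidth`/`nHeight` are no longer passed to the copy, they presumably remain in use only by that rect construction; if that is not the case in the 2.x tree, the now-`const` locals become unused and should be dropped. The behaviour also appears to change from rejecting an oversized destination rectangle to copying a clamped one, which is worth a one-line comment above the copy so a later reader does not mistake the truncation for a bug. gdi_SurfaceToSurface begins before and ends after this hunk.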
