From c5c2f2692ce05e6114e91d8e028742809119f996 Mon Sep 17 00:00:00 2001
From: Funda Wang
Date: Fri, 23 May 2025 11:24:13 +0800
Subject: [PATCH] fix CVE-2025-4478

---
 backport-CVE-2025-4478.patch | 61 ++++++++++++++++++++++++++++++++++++
 freerdp.spec | 6 +++-
 2 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-4478.patch

diff --git a/backport-CVE-2025-4478.patch b/backport-CVE-2025-4478.patch
new file mode 100644
index 0000000..c37ed11
--- /dev/null
+++ b/backport-CVE-2025-4478.patch
@@ -0,0 +1,61 @@
+From a4bb702aa62e4fad91ca99142de075265555ec18 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonas=20=C3=85dahl?=
+Date: Tue, 13 May 2025 10:34:08 +0200
+Subject: [PATCH] transport: Initialize function pointers after resource
+ allocation
+
+The transport instance is freed when an error occurs.
+If the TransportDisconnect function pointer is initialized it
+causes SIGSEGV during free.
+
+CVE: CVE-2025-4478
+---
+ libfreerdp/core/transport.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/libfreerdp/core/transport.c b/libfreerdp/core/transport.c
+index d199c31be4a5..2ca146f65133 100644
+--- a/libfreerdp/core/transport.c
++++ b/libfreerdp/core/transport.c
+@@ -1646,20 +1646,6 @@ rdpTransport* transport_new(rdpContext* context)
+ if (!transport->log)
+ goto fail;
+ 
+- // transport->io.DataHandler = transport_data_handler;
+- transport->io.TCPConnect = freerdp_tcp_default_connect;
+- transport->io.TLSConnect = transport_default_connect_tls;
+- transport->io.TLSAccept = transport_default_accept_tls;
+- transport->io.TransportAttach = transport_default_attach;
+- transport->io.TransportDisconnect = transport_default_disconnect;
+- transport->io.ReadPdu = transport_default_read_pdu;
+- transport->io.WritePdu = transport_default_write;
+- transport->io.ReadBytes = transport_read_layer;
+- transport->io.GetPublicKey = transport_default_get_public_key;
+- transport->io.SetBlockingMode = transport_default_set_blocking_mode;
+- transport->io.ConnectLayer = transport_default_connect_layer;
+- transport->io.AttachLayer = transport_default_attach_layer;
+-
+ transport->context = context;
+ transport->ReceivePool = StreamPool_New(TRUE, BUFFER_SIZE);
+ 
+@@ -1698,6 +1684,20 @@ rdpTransport* transport_new(rdpContext* context)
+ if (!InitializeCriticalSectionAndSpinCount(&(transport->WriteLock), 4000))
+ goto fail;
+ 
++ // transport->io.DataHandler = transport_data_handler;
++ transport->io.TCPConnect = freerdp_tcp_default_connect;
++ transport->io.TLSConnect = transport_default_connect_tls;
++ transport->io.TLSAccept = transport_default_accept_tls;
++ transport->io.TransportAttach = transport_default_attach;
++ transport->io.TransportDisconnect = transport_default_disconnect;
++ transport->io.ReadPdu = transport_default_read_pdu;
++ transport->io.WritePdu = transport_default_write;
++ transport->io.ReadBytes = transport_read_layer;
++ transport->io.GetPublicKey = transport_default_get_public_key;
++ transport->io.SetBlockingMode = transport_default_set_blocking_mode;
++ transport->io.ConnectLayer = transport_default_connect_layer;
++ transport->io.AttachLayer = transport_default_attach_layer;
++
+ return transport;
+ fail:
+ WINPR_PRAGMA_DIAG_PUSH
diff --git a/freerdp.spec b/freerdp.spec
index 376d969..a7faf15 100644
--- a/freerdp.spec
+++ b/freerdp.spec
@@ -1,12 +1,13 @@
 Name: freerdp
 Version: 3.15.0
-Release: 1
+Release: 2
 Epoch: 2
 Summary: A Remote Desktop Protocol Implementation
 License: Apache-2.0
 URL: https://www.freerdp.com
 Source0: https://pub.freerdp.com/releases/%{name}-%{version}.tar.xz
 
+Patch6001: backport-CVE-2025-4478.patch
 
 BuildRequires: cmake >= 3.13
 BuildRequires: ninja-build
@@ -162,6 +163,9 @@ Development headers and libraries for freerdp-libwinpr.
 %{_mandir}/man?/*
 
 %changelog
+* Fri May 23 2025 Funda Wang - 2:3.15.0-2
+- fix CVE-2025-4478
+
 * Mon Apr 21 2025 Funda Wang - 2:3.15.0-1
 - update to 3.15.0
 
-- 
Gitee
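Review bot: The moved callback block in the second inner hunk is correct only because no fallible step follows it before `return transport;`, and nothing in the code records that constraint, so a later contributor adding another `goto fail` below the assignments would silently reintroduce the crash the commit message describes. A comment above the first moved assignment would pin the ordering: `/* Set io callbacks last: on the fail path transport_free() runs with these still NULL, so no step that can goto fail may follow this block. */`. Whether transport_free() itself checks TransportDisconnect for NULL before calling it is outside the hunk; if it does not, a guard there would make the fix robust against reordering rather than dependent on it. transport_new() begins before the hunk and the fail label's cleanup continues past it.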
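Review bot: `Patch6001: backport-CVE-2025-4478.patch` is declared, but the %prep section that would apply it is outside this hunk; unless it uses `%autosetup -p1` (or an explicit `%patch -P 6001 -p1`), the file is packed into the SRPM and never applied, while the Release bump and changelog advertise a fix the binary does not contain. The embedded patch uses `a/`/`b/` path prefixes, so it needs strip level 1. Worth confirming in %prep, or checking the build log for the patch being applied, before merging.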