Hi, I've cherry-picked the upstream commit as a patch and did a non-maintainer upload of it; the debdiff is attached.
Regards, Daniel
diff -Nru freerdp3-3.15.0+dfsg/debian/changelog freerdp3-3.15.0+dfsg/debian/changelog
--- freerdp3-3.15.0+dfsg/debian/changelog 2025-04-24 09:18:41.000000000 +0000
+++ freerdp3-3.15.0+dfsg/debian/changelog 2025-05-26 12:38:19.000000000 +0000
@@ -1,3 +1,14 @@
+freerdp3 (3.15.0+dfsg-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Cherry-picking patch from upstream:
+ - A flaw was found where a crafted RDP packet could trigger a segmentation
+ fault. This causes FreeRDP to crash and remain defunct, resulting in a
+ denial of service. Initializing function pointers in transport.c after
+ resource allocation fixes this [CVE-2025-4478] (Closes: #1105917).
+
+ -- Daniel Baumann <[email protected]> Mon, 26 May 2025 14:38:19 +0200
+
 freerdp3 (3.15.0+dfsg-2) unstable; urgency=medium
 
 [ Bernhard Miklautz ]
diff -Nru freerdp3-3.15.0+dfsg/debian/patches/CVE-2025-4478.patch freerdp3-3.15.0+dfsg/debian/patches/CVE-2025-4478.patch
--- freerdp3-3.15.0+dfsg/debian/patches/CVE-2025-4478.patch 1970-01-01 00:00:00.000000000 +0000
+++ freerdp3-3.15.0+dfsg/debian/patches/CVE-2025-4478.patch 2025-05-26 12:38:19.000000000 +0000
@@ -0,0 +1,61 @@
+From a4bb702aa62e4fad91ca99142de075265555ec18 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonas=20=C3=85dahl?= <[email protected]>
+Date: Tue, 13 May 2025 10:34:08 +0200
+Subject: [PATCH] transport: Initialize function pointers after resource
+ allocation
+
+The transport instance is freed when an error occurs.
+If the TransportDisconnect function pointer is initialized it
+causes SIGSEGV during free.
+
+CVE: CVE-2025-4478
+---
+ libfreerdp/core/transport.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/libfreerdp/core/transport.c b/libfreerdp/core/transport.c
+index d199c31be4a5..2ca146f65133 100644
+--- a/libfreerdp/core/transport.c
++++ b/libfreerdp/core/transport.c
+@@ -1646,20 +1646,6 @@ rdpTransport* transport_new(rdpContext* context)
+ if (!transport->log)
+ goto fail;
+
+- // transport->io.DataHandler = transport_data_handler;
+- transport->io.TCPConnect = freerdp_tcp_default_connect;
+- transport->io.TLSConnect = transport_default_connect_tls;
+- transport->io.TLSAccept = transport_default_accept_tls;
+- transport->io.TransportAttach = transport_default_attach;
+- transport->io.TransportDisconnect = transport_default_disconnect;
+- transport->io.ReadPdu = transport_default_read_pdu;
+- transport->io.WritePdu = transport_default_write;
+- transport->io.ReadBytes = transport_read_layer;
+- transport->io.GetPublicKey = transport_default_get_public_key;
+- transport->io.SetBlockingMode = transport_default_set_blocking_mode;
+- transport->io.ConnectLayer = transport_default_connect_layer;
+- transport->io.AttachLayer = transport_default_attach_layer;
+-
+ transport->context = context;
+ transport->ReceivePool = StreamPool_New(TRUE, BUFFER_SIZE);
+
+@@ -1698,6 +1684,20 @@ rdpTransport* transport_new(rdpContext* context)
+ if (!InitializeCriticalSectionAndSpinCount(&(transport->WriteLock), 4000))
+ goto fail;
+
++ // transport->io.DataHandler = transport_data_handler;
++ transport->io.TCPConnect = freerdp_tcp_default_connect;
++ transport->io.TLSConnect = transport_default_connect_tls;
++ transport->io.TLSAccept = transport_default_accept_tls;
++ transport->io.TransportAttach = transport_default_attach;
++ transport->io.TransportDisconnect = transport_default_disconnect;
++ transport->io.ReadPdu = transport_default_read_pdu;
++ transport->io.WritePdu = transport_default_write;
++ transport->io.ReadBytes = transport_read_layer;
++ transport->io.GetPublicKey = transport_default_get_public_key;
++ transport->io.SetBlockingMode = transport_default_set_blocking_mode;
++ transport->io.ConnectLayer = transport_default_connect_layer;
++ transport->io.AttachLayer = transport_default_attach_layer;
++
+ return transport;
+ fail:
+ WINPR_PRAGMA_DIAG_PUSH
diff -Nru freerdp3-3.15.0+dfsg/debian/patches/series freerdp3-3.15.0+dfsg/debian/patches/series
--- freerdp3-3.15.0+dfsg/debian/patches/series 2025-04-24 09:00:49.000000000 +0000
+++ freerdp3-3.15.0+dfsg/debian/patches/series 2025-05-26 12:32:22.000000000 +0000
@@ -9,3 +9,4 @@
 winpr-sysinfo-use-a-single-clock-to-provide-System-a.patch
 fix-resources-remove-MimeType-from-desktop-file.patch
 gcc-fix-server-side-connection-with-multiple-monitor.patch
+CVE-2025-4478.patch
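Review bot: In the second hunk of the embedded transport.c patch (`@@ -1698,6 +1684,20 @@`), the fix depends purely on statement order and nothing at the new location says so: the `transport->io.*` assignments must stay after the last `goto fail`, so that the failure path frees an instance whose `TransportDisconnect` is still unset. I would add a comment directly above the moved block, e.g. `/* Keep last: the fail path frees the transport, and TransportDisconnect must still be unset there (CVE-2025-4478). */`, so that a later allocation with its own `goto fail` is not added below it by accident. Presumably the instance is zero-allocated and the free path skips a NULL callback; neither is visible here, so it is worth confirming against the free routine when this patch is refreshed. The commented-out `DataHandler` line was carried along with the block and is dead text at the new location. `transport_new` starts and ends outside both hunks.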

