-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 28 Mar 2026 20:59:33 +0300
Source: freerdp3
Architecture: source
Version: 3.15.0+dfsg-2.1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Remote Maintainers <debian-remote@lists.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Closes: 1112191 1121299
Changes:
 freerdp3 (3.15.0+dfsg-2.1+deb13u1) trixie; urgency=medium
 .
   * two patches from upstream (from 3.16) (Closes: #1112191):
     core-redirection-Ensure-stream-has-space-for-cert.patch
     core-redirection-Ensure-stream-has-space-for-all-params.patch
   * client-x11-fix-clipboard-issues.patch (Closes: #1121299)
   * client-desktop-fix-StartupWMClass-setting.patch:
     restore x11 desktop icon for xfreerdp3
   * d/patches/README: remove obsolete file
 .
   * security fixes for client from 3.20.1 (medium):
 .
     CVE-2026-22851: RDPGFX ResetGraphics race leads to use after free
       in SDL3 client (sdl->primary)
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8g87-6pvc-wh99
       client-sdl-lock-primary-while-used-CVE-2026-22851.patch
     CVE-2026-22852: Heap buffer overflow in audin_process_formats
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9chc-g79v-4qq4
       channels-audin-free-up-old-audio-formats-CVE-2026-22852.patch
     CVE-2026-22853: Heap buffer overflow in ndr_read_uint8Array
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47v9-p4gp-w5ch
       channels-rdpear-add-checks-for-itemSize-CVE-2026-22853.patch
     CVE-2026-22854: Heap buffer overflow in drive_process_irp_read
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47vj-g3c3-3rmf
       channels-drive-fix-constant-type-CVE-2026-22854.patch
     CVE-2026-22855: Heap buffer overflow in smartcard_unpack_set_attrib_call
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rwp3-g84r-6mx9
       utils-smartcard-add-length-validity-checks-CVE-2026-22855.patch
       also pick:
         utils-smartcard-handle-output-buffer-too-small.patch
         utils-smartcard-improve-trace-log.patch
         utils-smartcard-better-logging-and-error-checks.patch
     CVE-2026-22856: Heap use after free in create_irp_thread
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-w842-c386-fxhv
       channels-serial-explicitly-lock-serial-IrpThreads-CVE-2026-22856.patch
     CVE-2026-22857: Heap use after free in irp_thread_func
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4gxq-jhq6-4cr8
       channels-serial-fix-use-after-free-CVE-2026-22857.patch
     CVE-2026-22858: Global buffer overflow in crypto_base64_decode
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qmqf-m84q-x896
       (this also affects freerdp proxy, not just client)
       crypto-base64-do-proper-length-checks-CVE-2026-22858.patch
       also pick:
         crypto-base64-ensure-char-is-singend.patch
     CVE-2026-22859: Heap buffer overflow in urb_select_configuration
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-56f5-76qv-2r36
       channels-urbdrc-check-interface-indices-before-use-CVE-2026-22859.patch
 .
   * security fixes for client from 3.21 (medium):
 .
     CVE-2026-23530: Heap buffer overflow in planar_decompress_plane_rle
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-r4hv-852m-fq7p
       codec-planar-fix-decoder-length-checks-CVE-2026-23530.patch
     CVE-2026-23531: Heap buffer overflow in clear_decompress
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xj5h-9cr5-23c5
       codec-clear-fix-missing-length-checks-CVE-2026-23531.patch
     CVE-2026-23532: Heap buffer overflow in gdi_SurfaceToSurface
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fq8c-87hj-7gvr
       gdi-gfx-properly-clamp-SurfaceToSurface-CVE-2026-23532.patch
     CVE-2026-23533: Heap buffer overflow in clear_decompress_residual_data
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-32q9-m5qr-9j2v
       codec-clear-fix-clear_resize_buffer-checks-CVE-2026-23533.patch
     CVE-2026-23534: Heap buffer overflow in clear_decompress_bands_data
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3frr-mp8w-4599
       codec-clear-fix-off-by-one-length-check-CVE-2026-23534.patch
     CVE-2026-23732: Heap buffer overflow in Glyph_Alloc
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7qxp-j2fj-c3pp
       codec-color-add-freerdp_glyph_convert_ex-CVE-2026-23732.patch
       gdi-graphics-Use-freerdp_glyph_convert_ex-CVE-2026-23732.patch
     CVE-2026-23883: Heap use after free in update_pointer_new
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qcrr-85qx-4p6x
       client-x11-fix-double-free-in-case-of-invalid-pointe-CVE-2026-23883.patch
     CVE-2026-23884: Heap use after free in gdi_set_bounds
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cfgj-vc84-f3pp
       cache-offscreen-invalidate-bitmap-before-free-CVE-2026-23884.patch
 .
   * security fixes for client from 3.22 (medium):
 .
     CVE-2026-23948: NULL Pointer Dereference in rdp_write_logon_info_v2()
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6f3c-qvqq-2px5
       core-info-fix-missing-NULL-check-CVE-2026-23948.patch
     CVE-2026-24491: Heap-use-after-free in video_timer
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4x6j-w49r-869g
       channels-drdynvc-reset-channel_callback-before-close-CVE-2026-24491.patch
       also pick:
         clang-warnings-fix-Wjump-misses-init-drdynvc_main.patch
         channels-drdynvc-check-pointer-before-reset.patch (fixup on top)
     CVE-2026-24675: Heap-use-after-free in urb_select_interface
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-x9jr-99h2-g7mj
       channels-urbdrc-do-not-free-MsConfig-on-failure-CVE-2026-24491.patch
     CVE-2026-24676: Heap-use-after-free in audio_format_compatible
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qh5p-frq4-pgxj
       channels-audin-reset-audin-format-CVE-2026-24676.patch
     CVE-2026-24677: Heap-buffer-overflow in ecam_encoder_compress_h264
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xw37-j744-f8v7
       channels-rdpecam-ensure-sws-context-size-matches-CVE-2026-24677.patch
       also pick:
         clang-warnings-fix-Wjump-misses-init-remdesk_main.patch
         channels-rdpecam-improve-log-messages.patch
         rdpecam-fix-camera-sample-grabbing.patch
         channels-rpdecam-log-dropped-samples.patch
       fix-camera-sample-grabbing is a separate bugfix, but it also
       removes the need to back-port the main fix to 3.15
     CVE-2026-24678: Heap-use-after-free in cam_v4l_stream_capture_thread
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6gvg-29wx-6v7h
       channels-rdpecam-ensure-all-streams-are-stopped-CVE-2026-24678.patch
     CVE-2026-24679: Heap-buffer-overflow in urb_select_interface
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-2jp4-67x6-gv7x
       channels-urbdrc-ensure-InterfaceNumber-is-within-ran-CVE-2026-24679.patch
     CVE-2026-24680: Heap-use-after-free in update_pointer_new(SDL)
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-j893-9wg8-33rc
       client-sdl-reset-pointer-after-memory-release-CVE-2026-24680.patch
     CVE-2026-24681: Heap-use-after-free in urb_bulk_transfer_cb
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-ccvv-hg2w-6x9j
       channels-urbdrc-cancel-all-usb-transfers-on-channel--CVE-2026-24681.patch
     CVE-2026-24682: Heap-buffer-overflow in audio_formats_free
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vcw2-pqgw-mx6g
       channels-audin-fix-audin_server_recv_formats-cleanup-CVE-2026-24682.patch
     CVE-2026-24683: Heap-use-after-free in ainput_send_input_event
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-45pf-68pj-fg8q
       channels-ainput-lock-context-when-updating-listener-CVE-2026-24683.patch
     CVE-2026-24684: Heap-use-after-free in play_thread
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vcgv-xgjp-h83q
       channel-rdpsnd-only-clean-up-thread-before-free-CVE-2026-24684.patch
       channels-rdpsnd-terminate-thread-before-free-CVE-2026-24684.patch
 .
   * security fixes for client from 3.23 (medium):
 .
     CVE-2026-25941 Out-of-bounds read in rdpgfx_recv_wire_to_surface_2_pdu
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3546-x645-5cf8
       channels-rdpgfx-check-available-stream-length-CVE-2026-25941.patch
     CVE-2026-25942 Global-buffer-overflow in xf_rail_server_execute_result
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-78q6-67m7-wwf6
       client-x11-stringfiy-functions-for-RAILS-CVE-2026-25942.patch
     CVE-2026-25952 CVE-2026-25953 CVE-2026-25954
       Heap-use-after-free in xf_SetWindowMinMaxInfo
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cgqm-cwjg-7w9x
       Heap-use-after-free in xf_AppUpdateWindowFromSurface (freed appWindow)
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p6rq-rxpc-rh3p
       Heap-use-after-free in xf_rail_server_local_move_size
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cc88-4j37-mw6j
       client-x11-lock-appWindow-CVE-2026-25952-CVE-2026-25953-CVE-2026-25954.patch
     CVE-2026-25955 Heap-use-after-free in xf_AppUpdateWindowFromSurface
       (stale XImage)
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4g54-x8v7-559x
       client-x11-destroy-XImage-on-window-unmap-CVE-2026-25955.patch
       (also client-x11-fix-missing-includes.patch)
     CVE-2026-25959 Heap-use-after-free in xf_cliprdr_provide_data_
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-78xg-v4p2-4w3c
       client-x11-lock-cache-when-providing-data-CVE-2026-25959.patch
     CVE-2026-25997 Heap-use-after-free in xf_clipboard_format_equal
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5j3-m6jf-3jq4
       client-X11-fix-clipboard-update-CVE-2026-25997.patch
     CVE-2026-26271 Buffer Overread in FreeRDP Icon Processing
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hr4m-ph4g-48j6
       codec-color-fix-input-length-checks-CVE-2026-26271.patch
     CVE-2026-26986 Heap-use-after-free in rail_window_free
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-crqx-g6x5-rx47
       client-x11-fix-xf_rail_window_common-cleanup-CVE-2026-26986.patch
     CVE-2026-27015 Smartcard NDR Alignment Padding Triggers Reachable
       WINPR_ASSERT Abort (Client DoS)
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7g72-39pq-4725
       utils-smartcard-check-stream-length-on-padding-CVE-2026-27015.patch
     CVE-2026-26955 Heap Out-of-Bounds Write in ClearCodec Surface Command
       Handler via Missing Bounds Validation
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mr6w-ch7c-mqqj
       codec-clear-fix-missing-destination-boundary-checks.patch
       codec-clear-fix-destination-checks-CVE-2026-26955.patch
     CVE-2026-26965 Heap Out-of-Bounds Write in Planar Bitmap RLE Decompression
       via Destination Offset
       https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5vgf-mw4f-r33h
       codec-planar-fix-missing-destination-bounds-checks-CVE-2026-26965.patch
 .
   * These fixes introduce symbols into libfreerdp3 which don't exist in
     versions before 3.21.0; add them to this version with a virtual package
     libfreerdp3-partial-api-3-21, with an alternative Depends field:
        libfreerdp3-partial-api-3-21 | libfreerdp3-3 (>>3.21.0)
     so the apt dependency solver does the right thing for users of these symbols.
     This virtual package (libfreerdp3-partial-api-3-21) exists in trixie only.
 .
   * additional 4 upstream patches fixing a range of issues in rdpecam
 .
     winpr-wlog-Add-specialized-text-log-functions.patch -
      preparatory (two new log functions, libwinpr3-partial-api-3-17)
     warnings-Fix-format-string-errors-partial.patch -
      printf string fixes in existing code after the above patch
      (partial, only hunks which apply cleanly are kept,
      no attempt to back-port other hunks)
     channels-rdpecam-add-value-range-checks.patch -
      missing range checking in rdpecam code
     channels-rdpecam-fix-PROPERTY_DESCRIPTION-parsing.patch -
      additional fix for CVE-2026-24677 fix
 .
   * CVE-2025-4478.patch: add DEP-3 headers
Checksums-Sha1:
 9fa94d8017a088cda53f00b698e0415aaa5bf3c3 4245 freerdp3_3.15.0+dfsg-2.1+deb13u1.dsc
 3db22e0c3b1880ed6aec96801e87ee82fdedd1cf 124844 freerdp3_3.15.0+dfsg-2.1+deb13u1.debian.tar.xz
 7c27f57e5fe3b84adace29c36e3700023c5cf5d6 10664 freerdp3_3.15.0+dfsg-2.1+deb13u1_source.buildinfo
Checksums-Sha256:
 0fa6c714527cc967b69ed0ede2d45c1ce672b5cdccc7151af281d77dad67082c 4245 freerdp3_3.15.0+dfsg-2.1+deb13u1.dsc
 4665ab0f24d05d071a53dc4f90cc9ab1e9465cfebfdeab8e00f7e16cc5f493f4 124844 freerdp3_3.15.0+dfsg-2.1+deb13u1.debian.tar.xz
 dc51a0f7d4b534454f8a11b71f498bc15cc7da6ca9799384516c083a9976fbee 10664 freerdp3_3.15.0+dfsg-2.1+deb13u1_source.buildinfo
Files:
 fd9b49e980de3d4a31c59cef7de4cdaf 4245 x11 optional freerdp3_3.15.0+dfsg-2.1+deb13u1.dsc
 60b8c7586d5a0ac2192d77f5a2e24561 124844 x11 optional freerdp3_3.15.0+dfsg-2.1+deb13u1.debian.tar.xz
 1eaaa57098936ba2f4c5b6bb6e4bbde8 10664 x11 optional freerdp3_3.15.0+dfsg-2.1+deb13u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
