From 26f384cd784ff523b2d70eb40edf56ec75e431bf Mon Sep 17 00:00:00 2001 From: dillon_chen Date: Wed, 8 Nov 2023 18:08:06 +0800 Subject: [PATCH] fix CVE-2023-40661 (cherry picked from commit d12aec18ec9df597ac79a4ce38d8438a1144e0b3) (cherry picked from commit 255765d8527bfca0b947c048e822095113aee2af) --- 0007-opensc-CVE-2023-40661-1of12.patch | 23 ++ 0008-opensc-CVE-2023-40661-2of12.patch | 25 ++ 0009-opensc-CVE-2023-40661-3of12.patch | 37 +++ 0010-opensc-CVE-2023-40661-4of12.patch | 396 ++++++++++++++++++++++++ 0011-opensc-CVE-2023-40661-5of12.patch | 61 ++++ 0012-opensc-CVE-2023-40661-6of12.patch | 25 ++ 0013-opensc-CVE-2023-40661-7of12.patch | 27 ++ 0014-opensc-CVE-2023-40661-8of12.patch | 29 ++ 0015-opensc-CVE-2023-40661-9of12.patch | 27 ++ 0016-opensc-CVE-2023-40661-10of12.patch | 25 ++ 0017-opensc-CVE-2023-40661-11of12.patch | 38 +++ 0018-opensc-CVE-2023-40661-12of12.patch | 26 ++ opensc.spec | 17 +- 13 files changed, 755 insertions(+), 1 deletion(-) create mode 100644 0007-opensc-CVE-2023-40661-1of12.patch create mode 100644 0008-opensc-CVE-2023-40661-2of12.patch create mode 100644 0009-opensc-CVE-2023-40661-3of12.patch create mode 100644 0010-opensc-CVE-2023-40661-4of12.patch create mode 100644 0011-opensc-CVE-2023-40661-5of12.patch create mode 100644 0012-opensc-CVE-2023-40661-6of12.patch create mode 100644 0013-opensc-CVE-2023-40661-7of12.patch create mode 100644 0014-opensc-CVE-2023-40661-8of12.patch create mode 100644 0015-opensc-CVE-2023-40661-9of12.patch create mode 100644 0016-opensc-CVE-2023-40661-10of12.patch create mode 100644 0017-opensc-CVE-2023-40661-11of12.patch create mode 100644 0018-opensc-CVE-2023-40661-12of12.patch diff --git a/0007-opensc-CVE-2023-40661-1of12.patch b/0007-opensc-CVE-2023-40661-1of12.patch new file mode 100644 index 0000000..57ea030 --- /dev/null +++ b/0007-opensc-CVE-2023-40661-1of12.patch @@ -0,0 +1,23 @@ +From 578aed8391ef117ca64a9e0cba8e5c264368a0ec Mon Sep 17 00:00:00 2001 +From: Frank Morgner +Date: Thu, 8 Dec 2022 00:27:18 +0100 +Subject: [PATCH] sc_pkcs15init_rmdir: prevent out of bounds write + +fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53927 +--- + src/pkcs15init/pkcs15-lib.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c +index 91cee37310..3df03c6e1f 100644 +--- a/src/pkcs15init/pkcs15-lib.c ++++ b/src/pkcs15init/pkcs15-lib.c +@@ -685,6 +685,8 @@ sc_pkcs15init_rmdir(struct sc_pkcs15_card *p15card, struct sc_profile *profile, + + path = df->path; + path.len += 2; ++ if (path.len > SC_MAX_PATH_SIZE) ++ return SC_ERROR_INTERNAL; + + nfids = r / 2; + while (r >= 0 && nfids--) { diff --git a/0008-opensc-CVE-2023-40661-2of12.patch b/0008-opensc-CVE-2023-40661-2of12.patch new file mode 100644 index 0000000..f28efba --- /dev/null +++ b/0008-opensc-CVE-2023-40661-2of12.patch @@ -0,0 +1,25 @@ +From df5a176bfdf8c52ba89c7fef1f82f6f3b9312bc1 Mon Sep 17 00:00:00 2001 +From: Veronika Hanulikova +Date: Fri, 10 Feb 2023 11:47:34 +0100 +Subject: [PATCH] Check array bounds + +Thanks OSS-Fuzz +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54312 +--- + src/libopensc/muscle.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/libopensc/muscle.c b/src/libopensc/muscle.c +index 61a4ec24d8..9d01e0c113 100644 +--- a/src/libopensc/muscle.c ++++ b/src/libopensc/muscle.c +@@ -181,6 +181,9 @@ int msc_partial_update_object(sc_card_t *card, msc_id objectId, int offset, cons + sc_apdu_t apdu; + int r; + ++ if (dataLength + 9 > MSC_MAX_APDU) ++ return SC_ERROR_INVALID_ARGUMENTS; ++ + sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x54, 0x00, 0x00); + apdu.lc = dataLength + 9; + if (card->ctx->debug >= 2) diff --git a/0009-opensc-CVE-2023-40661-3of12.patch b/0009-opensc-CVE-2023-40661-3of12.patch new file mode 100644 index 0000000..e0e4e1f --- /dev/null +++ b/0009-opensc-CVE-2023-40661-3of12.patch @@ -0,0 +1,37 @@ +From 5631e9843c832a99769def85b7b9b68b4e3e3959 Mon Sep 17 00:00:00 2001 +From: Veronika Hanulikova +Date: Fri, 3 Mar 2023 16:07:38 +0100 +Subject: [PATCH] Check length of string before making copy + +Thanks OSS-Fuzz +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55851 +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55998 +--- + src/pkcs15init/profile.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/pkcs15init/profile.c b/src/pkcs15init/profile.c +index 2b793b0282..3bad1e8536 100644 +--- a/src/pkcs15init/profile.c ++++ b/src/pkcs15init/profile.c +@@ -1575,7 +1575,10 @@ do_acl(struct state *cur, int argc, char **argv) + while (argc--) { + unsigned int op, method, id; + ++ if (strlen(*argv) >= sizeof(oper)) ++ goto bad; + strlcpy(oper, *argv++, sizeof(oper)); ++ + if ((what = strchr(oper, '=')) == NULL) + goto bad; + *what++ = '\0'; +@@ -2288,6 +2291,9 @@ get_authid(struct state *cur, const char *value, + return get_uint(cur, value, type); + } + ++ if (strlen(value) >= sizeof(temp)) ++ return 1; ++ + n = strcspn(value, "0123456789x"); + strlcpy(temp, value, (sizeof(temp) > n) ? n + 1 : sizeof(temp)); + diff --git a/0010-opensc-CVE-2023-40661-4of12.patch b/0010-opensc-CVE-2023-40661-4of12.patch new file mode 100644 index 0000000..31ad565 --- /dev/null +++ b/0010-opensc-CVE-2023-40661-4of12.patch @@ -0,0 +1,396 @@ +From aadd82bb071e574fc57263a103e3bf06ebbd8de7 Mon Sep 17 00:00:00 2001 +From: "Ingo Struck (git commits)" +Date: Sat, 21 Jan 2023 22:15:10 +0100 +Subject: [PATCH] Handle reader limits for SC Card unwrap operations + +Fixes #2514 +--- + src/libopensc/card-sc-hsm.c | 181 ++++++++++++++----------- + src/libopensc/reader-pcsc.c | 91 ++++++++----- + src/tests/fuzzing/fuzz_pkcs15_decode.c | 3 +- + src/tests/fuzzing/fuzz_pkcs15_encode.c | 2 +- + 4 files changed, 159 insertions(+), 118 deletions(-) + +diff --git a/src/libopensc/card-sc-hsm.c b/src/libopensc/card-sc-hsm.c +index 60d5895127..1b707f08df 100644 +--- a/src/libopensc/card-sc-hsm.c ++++ b/src/libopensc/card-sc-hsm.c +@@ -145,9 +145,7 @@ static int sc_hsm_select_file_ex(sc_card_t *card, + + if (file_out == NULL) { // Versions before 0.16 of the SmartCard-HSM do not support P2='0C' + rv = sc_hsm_select_file_ex(card, in_path, forceselect, &file); +- if (file != NULL) { +- sc_file_free(file); +- } ++ sc_file_free(file); + return rv; + } + +@@ -181,9 +179,7 @@ static int sc_hsm_select_file_ex(sc_card_t *card, + LOG_TEST_RET(card->ctx, rv, "Could not select SmartCard-HSM application"); + + if (priv) { +- if (priv->dffcp != NULL) { +- sc_file_free(priv->dffcp); +- } ++ sc_file_free(priv->dffcp); + // Cache the FCP returned when selecting the applet + sc_file_dup(&priv->dffcp, *file_out); + } +@@ -730,12 +726,12 @@ static int sc_hsm_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, + u8 recvbuf[SC_MAX_APDU_BUFFER_SIZE]; + #ifdef ENABLE_SM + if (card->sm_ctx.sm_mode != SM_MODE_TRANSMIT) { +- sc_log(card->ctx, ++ sc_log(card->ctx, + "Session PIN generation only supported in SM"); + LOG_FUNC_RETURN(card->ctx, SC_SUCCESS); + } + #else +- sc_log(card->ctx, ++ sc_log(card->ctx, + "Session PIN generation only supported in SM"); + LOG_FUNC_RETURN(card->ctx, SC_SUCCESS); + #endif +@@ -746,7 +742,7 @@ static int sc_hsm_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, + apdu.le = 0; + if (sc_transmit_apdu(card, &apdu) != SC_SUCCESS + || sc_check_sw(card, apdu.sw1, apdu.sw2) != SC_SUCCESS) { +- sc_log(card->ctx, ++ sc_log(card->ctx, + "Generating session PIN failed"); + LOG_FUNC_RETURN(card->ctx, SC_SUCCESS); + } +@@ -756,12 +752,12 @@ static int sc_hsm_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, + apdu.resplen); + data->pin2.len = apdu.resplen; + } else { +- sc_log(card->ctx, ++ sc_log(card->ctx, + "Buffer too small for session PIN"); + } + } + } else { +- sc_log(card->ctx, ++ sc_log(card->ctx, + "Session PIN not supported for this PIN (0x%02X)", + data->pin_reference); + } +@@ -848,47 +844,61 @@ static int sc_hsm_write_ef(sc_card_t *card, + LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY); + } + +- p = cmdbuff; +- *p++ = 0x54; +- *p++ = 0x02; +- *p++ = (idx >> 8) & 0xFF; +- *p++ = idx & 0xFF; +- *p++ = 0x53; +- if (count < 128) { +- *p++ = (u8) count; +- len = 6; +- } else if (count < 256) { +- *p++ = 0x81; +- *p++ = (u8) count; +- len = 7; +- } else { +- *p++ = 0x82; +- *p++ = (count >> 8) & 0xFF; +- *p++ = count & 0xFF; +- len = 8; +- } ++ size_t bytes_left = count; ++ // 8 bytes are required for T54(4) and T53(4) ++ size_t blk_size = card->max_send_size - 8; ++ size_t to_send = 0; ++ size_t offset = (size_t) idx; ++ do { ++ len = 0; ++ to_send = bytes_left >= blk_size ? blk_size : bytes_left; ++ p = cmdbuff; ++ // ASN1 0x54 offset ++ *p++ = 0x54; ++ *p++ = 0x02; ++ *p++ = (offset >> 8) & 0xFF; ++ *p++ = offset & 0xFF; ++ // ASN1 0x53 to_send ++ *p++ = 0x53; ++ if (to_send < 128) { ++ *p++ = (u8)to_send; ++ len = 6; ++ } else if (to_send < 256) { ++ *p++ = 0x81; ++ *p++ = (u8)to_send; ++ len = 7; ++ } else { ++ *p++ = 0x82; ++ *p++ = (to_send >> 8) & 0xFF; ++ *p++ = to_send & 0xFF; ++ len = 8; ++ } + +- if (buf != NULL) +- memcpy(p, buf, count); +- len += count; ++ if (buf != NULL) ++ memcpy(p, buf+offset, to_send); ++ len += to_send; + +- sc_format_apdu(card, &apdu, SC_APDU_CASE_3, 0xD7, fid >> 8, fid & 0xFF); +- apdu.data = cmdbuff; +- apdu.datalen = len; +- apdu.lc = len; ++ sc_format_apdu(card, &apdu, SC_APDU_CASE_3, 0xD7, fid >> 8, fid & 0xFF); ++ apdu.data = cmdbuff; ++ apdu.datalen = len; ++ apdu.lc = len; + +- r = sc_transmit_apdu(card, &apdu); +- free(cmdbuff); +- LOG_TEST_RET(ctx, r, "APDU transmit failed"); ++ r = sc_transmit_apdu(card, &apdu); ++ LOG_TEST_GOTO_ERR(ctx, r, "APDU transmit failed"); ++ r = sc_check_sw(card, apdu.sw1, apdu.sw2); ++ LOG_TEST_GOTO_ERR(ctx, r, "Check SW error"); + +- r = sc_check_sw(card, apdu.sw1, apdu.sw2); +- LOG_TEST_RET(ctx, r, "Check SW error"); ++ bytes_left -= to_send; ++ offset += to_send; ++ } while (0 < bytes_left); ++ ++err: ++ free(cmdbuff); + + LOG_FUNC_RETURN(ctx, count); + } + + +- + static int sc_hsm_update_binary(sc_card_t *card, + unsigned int idx, const u8 *buf, size_t count, + unsigned long flags) +@@ -1227,7 +1237,7 @@ static int sc_hsm_initialize(sc_card_t *card, sc_cardctl_sc_hsm_init_param_t *pa + return SC_ERROR_INVALID_ARGUMENTS; + } + *p++ = 0x81; // User PIN +- *p++ = (u8) params->user_pin_len; ++ *p++ = (u8)params->user_pin_len; + memcpy(p, params->user_pin, params->user_pin_len); + p += params->user_pin_len; + +@@ -1400,12 +1410,11 @@ static int sc_hsm_unwrap_key(sc_card_t *card, sc_cardctl_sc_hsm_wrapped_key_t *p + + LOG_FUNC_CALLED(card->ctx); + +- sc_format_apdu(card, &apdu, SC_APDU_CASE_3_EXT, 0x74, params->key_id, 0x93); +- apdu.cla = 0x80; +- apdu.lc = params->wrapped_key_length; +- apdu.data = params->wrapped_key; +- apdu.datalen = params->wrapped_key_length; ++ r = sc_hsm_write_ef(card, 0x2F10, 0, params->wrapped_key, params->wrapped_key_length); ++ LOG_TEST_RET(card->ctx, r, "Create EF failed"); + ++ sc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0x74, params->key_id, 0x93); ++ apdu.cla = 0x80; + r = sc_transmit_apdu(card, &apdu); + LOG_TEST_RET(ctx, r, "APDU transmit failed"); + +@@ -1765,17 +1774,10 @@ static int sc_hsm_init(struct sc_card *card) + int flags,ext_flags; + sc_file_t *file = NULL; + sc_path_t path; +- sc_hsm_private_data_t *priv = card->drv_data; ++ sc_hsm_private_data_t *priv = NULL; + + LOG_FUNC_CALLED(card->ctx); + +- if (!priv) { +- priv = calloc(1, sizeof(sc_hsm_private_data_t)); +- if (!priv) +- LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY); +- card->drv_data = priv; +- } +- + flags = SC_ALGORITHM_RSA_RAW|SC_ALGORITHM_RSA_PAD_PSS|SC_ALGORITHM_ONBOARD_KEY_GEN; + + _sc_card_add_rsa_alg(card, 1024, flags, 0); +@@ -1807,6 +1809,46 @@ static int sc_hsm_init(struct sc_card *card) + + card->caps |= SC_CARD_CAP_RNG|SC_CARD_CAP_APDU_EXT|SC_CARD_CAP_ISO7816_PIN_INFO; + ++ // APDU Buffer limits ++ // JCOP 2.4.1r3 1462 ++ // JCOP 2.4.2r3 1454 ++ // JCOP 3 1232 ++ // MicroSD with JCOP 3 478 / 506 - handled in reader-pcsc.c ++ // Reiner SCT 1014 - handled in reader-pcsc.c ++ ++ // Use JCOP 3 card limits for sending ++ card->max_send_size = 1232; ++ // Assume that card supports sending with extended length APDU and without limit ++ card->max_recv_size = 0; ++ ++ if (card->type == SC_CARD_TYPE_SC_HSM_SOC ++ || card->type == SC_CARD_TYPE_SC_HSM_GOID) { ++ card->max_recv_size = 0x0630; // SoC Proxy forces this limit ++ } else { ++ // Adjust to the limits set by the reader ++ if (card->reader->max_send_size < card->max_send_size) { ++ if (18 >= card->reader->max_send_size) ++ LOG_FUNC_RETURN(card->ctx, SC_ERROR_INCONSISTENT_CONFIGURATION); ++ ++ // 17 byte header and TLV because of odd ins in UPDATE BINARY ++ card->max_send_size = card->reader->max_send_size - 17; ++ } ++ ++ if (0 < card->reader->max_recv_size) { ++ if (3 >= card->reader->max_recv_size) ++ LOG_FUNC_RETURN(card->ctx, SC_ERROR_INCONSISTENT_CONFIGURATION); ++ card->max_recv_size = card->reader->max_recv_size - 2; ++ } ++ } ++ ++ priv = card->drv_data; ++ if (!priv) { ++ priv = calloc(1, sizeof(sc_hsm_private_data_t)); ++ if (!priv) ++ LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY); ++ card->drv_data = priv; ++ } ++ + sc_path_set(&path, SC_PATH_TYPE_DF_NAME, sc_hsm_aid.value, sc_hsm_aid.len, 0, 0); + if (sc_hsm_select_file_ex(card, &path, 0, &file) == SC_SUCCESS + && file && file->prop_attr && file->prop_attr_len >= 2) { +@@ -1839,25 +1881,6 @@ static int sc_hsm_init(struct sc_card *card) + } + sc_file_free(file); + +- // APDU Buffer limits +- // JCOP 2.4.1r3 1462 +- // JCOP 2.4.2r3 1454 +- // JCOP 3 1232 +- // MicroSD with JCOP 3 478 / 506 +- // Reiner SCT 1014 +- +- card->max_send_size = 1232 - 17; // 1232 buffer size - 17 byte header and TLV because of odd ins in UPDATE BINARY +- +- if (!strncmp("Secure Flash Card", card->reader->name, 17)) { +- card->max_send_size = 478 - 17; +- card->max_recv_size = 506 - 2; +- } else if (card->type == SC_CARD_TYPE_SC_HSM_SOC +- || card->type == SC_CARD_TYPE_SC_HSM_GOID) { +- card->max_recv_size = 0x0630; // SoC Proxy forces this limit +- } else { +- card->max_recv_size = 0; // Card supports sending with extended length APDU and without limit +- } +- + priv->EF_C_DevAut = NULL; + priv->EF_C_DevAut_len = 0; + +@@ -1883,13 +1906,11 @@ static int sc_hsm_finish(sc_card_t * card) + #ifdef ENABLE_SM + sc_sm_stop(card); + #endif +- if (priv->serialno) { ++ if (priv) { + free(priv->serialno); +- } +- if (priv->dffcp) { + sc_file_free(priv->dffcp); ++ free(priv->EF_C_DevAut); + } +- free(priv->EF_C_DevAut); + free(priv); + + return SC_SUCCESS; +diff --git a/src/libopensc/reader-pcsc.c b/src/libopensc/reader-pcsc.c +index 40bfd293d3..04d5ac8fdd 100644 +--- a/src/libopensc/reader-pcsc.c ++++ b/src/libopensc/reader-pcsc.c +@@ -311,7 +311,7 @@ static int pcsc_transmit(sc_reader_t *reader, sc_apdu_t *apdu) + * The buffer for the returned data needs to be at least 2 bytes + * larger than the expected data length to store SW1 and SW2. */ + rsize = rbuflen = apdu->resplen <= 256 ? 258 : apdu->resplen + 2; +- rbuf = malloc(rbuflen); ++ rbuf = malloc(rbuflen); + if (rbuf == NULL) { + r = SC_ERROR_OUT_OF_MEMORY; + goto out; +@@ -424,7 +424,7 @@ static int refresh_attributes(sc_reader_t *reader) + if (priv->reader_state.cbAtr > SC_MAX_ATR_SIZE) + return SC_ERROR_INTERNAL; + +- /* Some cards have a different cold (after a powerup) and warm (after a reset) ATR */ ++ /* Some cards have a different cold (after a powerup) and warm (after a reset) ATR */ + if (memcmp(priv->reader_state.rgbAtr, reader->atr.value, priv->reader_state.cbAtr) != 0) { + reader->atr.len = priv->reader_state.cbAtr; + memcpy(reader->atr.value, priv->reader_state.rgbAtr, reader->atr.len); +@@ -556,7 +556,7 @@ static int pcsc_reconnect(sc_reader_t * reader, DWORD action) + priv->gpriv->connect_exclusive ? SCARD_SHARE_EXCLUSIVE : SCARD_SHARE_SHARED, + protocol, action, &active_proto); + +- ++ + PCSC_TRACE(reader, "SCardReconnect returned", rv); + if (rv != SCARD_S_SUCCESS) { + PCSC_TRACE(reader, "SCardReconnect failed", rv); +@@ -593,7 +593,7 @@ static void initialize_uid(sc_reader_t *reader) + sc_log_hex(reader->ctx, "UID", + reader->uid.value, reader->uid.len); + } else { +- sc_log(reader->ctx, "unable to get UID"); ++ sc_log(reader->ctx, "unable to get UID"); + } + } + } +@@ -1240,11 +1240,11 @@ static void detect_reader_features(sc_reader_t *reader, SCARDHANDLE card_handle) + sc_log(ctx, "Reader has a display: %04X", caps->wLcdLayout); + reader->capabilities |= SC_READER_CAP_DISPLAY; + } +- else { ++ else { + sc_log(ctx, "Reader does not have a display."); + } + } +- else { ++ else { + sc_log(ctx, + "Returned PIN properties structure has bad length (%lu/%"SC_FORMAT_LEN_SIZE_T"u)", + (unsigned long)rcount, +@@ -1304,7 +1325,7 @@ static void detect_reader_features(sc_reader_t *reader, SCARDHANDLE card_handle) + } + + rcount = sizeof i; +- if(gpriv->SCardGetAttrib(card_handle, SCARD_ATTR_VENDOR_IFD_VERSION, ++ if (gpriv->SCardGetAttrib(card_handle, SCARD_ATTR_VENDOR_IFD_VERSION, + (u8 *) &i, &rcount) == SCARD_S_SUCCESS + && rcount == sizeof i) { + reader->version_major = (i >> 24) & 0xFF; +@@ -1314,7 +1335,7 @@ static void detect_reader_features(sc_reader_t *reader, SCARDHANDLE card_handle) + } + + int pcsc_add_reader(sc_context_t *ctx, +- char *reader_name, size_t reader_name_len, ++ char *reader_name, size_t reader_name_len, + sc_reader_t **out_reader) + { + int ret = SC_ERROR_INTERNAL; +@@ -1574,7 +1595,7 @@ static int pcsc_wait_for_event(sc_context_t *ctx, unsigned int event_mask, sc_re + + LOG_FUNC_CALLED(ctx); + +- if (!event_reader && !event && reader_states) { ++ if (!event_reader && !event && reader_states) { + sc_log(ctx, "free allocated reader states"); + free(*reader_states); + *reader_states = NULL; +@@ -1958,7 +1979,7 @@ static int part10_build_modify_pin_block(struct sc_reader *reader, u8 * buf, siz + sc_apdu_t *apdu = data->apdu; + u8 tmp; + unsigned int tmp16; +- PIN_MODIFY_STRUCTURE *pin_modify = (PIN_MODIFY_STRUCTURE *)buf; ++ PIN_MODIFY_STRUCTURE *pin_modify = (PIN_MODIFY_STRUCTURE *)buf; + struct sc_pin_cmd_pin *pin_ref = + data->flags & SC_PIN_CMD_IMPLICIT_CHANGE ? + &data->pin2 : &data->pin1; diff --git a/0011-opensc-CVE-2023-40661-5of12.patch b/0011-opensc-CVE-2023-40661-5of12.patch new file mode 100644 index 0000000..6fe9d34 --- /dev/null +++ b/0011-opensc-CVE-2023-40661-5of12.patch @@ -0,0 +1,61 @@ +From dd138d0600a1acd7991989127f36827e5836b24e Mon Sep 17 00:00:00 2001 +From: "Ingo Struck (git commits)" +Date: Thu, 16 Mar 2023 22:12:49 +0100 +Subject: [PATCH] Fixed loop in sc_hsm_write_ef, handle offset into buf and + into EF separately + +--- + src/libopensc/card-sc-hsm.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/src/libopensc/card-sc-hsm.c b/src/libopensc/card-sc-hsm.c +index 1b707f08df..c100a87c2a 100644 +--- a/src/libopensc/card-sc-hsm.c ++++ b/src/libopensc/card-sc-hsm.c +@@ -782,7 +782,7 @@ static int sc_hsm_logout(sc_card_t * card) + } + + +- ++/* NOTE: idx is an offset into the card's file, not into buf */ + static int sc_hsm_read_binary(sc_card_t *card, + unsigned int idx, u8 *buf, size_t count, + unsigned long flags) +@@ -823,7 +823,7 @@ static int sc_hsm_read_binary(sc_card_t *card, + } + + +- ++/* NOTE: idx is an offset into the card's file, not into buf */ + static int sc_hsm_write_ef(sc_card_t *card, + int fid, + unsigned int idx, const u8 *buf, size_t count) +@@ -848,7 +848,8 @@ static int sc_hsm_write_ef(sc_card_t *card, + // 8 bytes are required for T54(4) and T53(4) + size_t blk_size = card->max_send_size - 8; + size_t to_send = 0; +- size_t offset = (size_t) idx; ++ size_t file_offset = (size_t) idx; ++ size_t offset = 0; + do { + len = 0; + to_send = bytes_left >= blk_size ? blk_size : bytes_left; +@@ -856,8 +857,8 @@ static int sc_hsm_write_ef(sc_card_t *card, + // ASN1 0x54 offset + *p++ = 0x54; + *p++ = 0x02; +- *p++ = (offset >> 8) & 0xFF; +- *p++ = offset & 0xFF; ++ *p++ = (file_offset >> 8) & 0xFF; ++ *p++ = file_offset & 0xFF; + // ASN1 0x53 to_send + *p++ = 0x53; + if (to_send < 128) { +@@ -890,6 +891,7 @@ static int sc_hsm_write_ef(sc_card_t *card, + + bytes_left -= to_send; + offset += to_send; ++ file_offset += to_send; + } while (0 < bytes_left); + + err: diff --git a/0012-opensc-CVE-2023-40661-6of12.patch b/0012-opensc-CVE-2023-40661-6of12.patch new file mode 100644 index 0000000..1323602 --- /dev/null +++ b/0012-opensc-CVE-2023-40661-6of12.patch @@ -0,0 +1,25 @@ +From c449a181a6988cc1e8dc8764d23574e48cdc3fa6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Mon, 19 Jun 2023 16:14:51 +0200 +Subject: [PATCH] pkcs15-cflex: check path length to prevent underflow + +Thanks OSS-Fuzz +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58932 +--- + src/pkcs15init/pkcs15-cflex.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/pkcs15init/pkcs15-cflex.c b/src/pkcs15init/pkcs15-cflex.c +index d06568073d..ce1d48e62c 100644 +--- a/src/pkcs15init/pkcs15-cflex.c ++++ b/src/pkcs15init/pkcs15-cflex.c +@@ -56,6 +56,9 @@ cflex_delete_file(sc_profile_t *profile, sc_pkcs15_card_t *p15card, sc_file_t *d + int r = 0; + /* Select the parent DF */ + path = df->path; ++ if (path.len < 2) { ++ return SC_ERROR_INVALID_ARGUMENTS; ++ } + path.len -= 2; + r = sc_select_file(p15card->card, &path, &parent); + if (r < 0) diff --git a/0013-opensc-CVE-2023-40661-7of12.patch b/0013-opensc-CVE-2023-40661-7of12.patch new file mode 100644 index 0000000..35c4326 --- /dev/null +++ b/0013-opensc-CVE-2023-40661-7of12.patch @@ -0,0 +1,27 @@ +From 88880db0307a07e33cf2e1592bb029e9c170dfea Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Wed, 21 Jun 2023 15:48:27 +0200 +Subject: [PATCH] pkcs15-pubkey: free DER value when parsing public key fails + +The der value might be allocated in asn1_decode_entry() +but it is not released when errror occurs. + +Thanks OSS-Fuzz +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59615 +--- + src/libopensc/pkcs15-pubkey.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/libopensc/pkcs15-pubkey.c b/src/libopensc/pkcs15-pubkey.c +index 4a0ddffbeb..7107c47cbc 100644 +--- a/src/libopensc/pkcs15-pubkey.c ++++ b/src/libopensc/pkcs15-pubkey.c +@@ -351,6 +351,8 @@ int sc_pkcs15_decode_pukdf_entry(struct sc_pkcs15_card *p15card, + err: + if (r < 0) { + sc_pkcs15_free_pubkey_info(info); ++ if (der->len) ++ free(der->value); + } + + LOG_FUNC_RETURN(ctx, r); diff --git a/0014-opensc-CVE-2023-40661-8of12.patch b/0014-opensc-CVE-2023-40661-8of12.patch new file mode 100644 index 0000000..6b40c74 --- /dev/null +++ b/0014-opensc-CVE-2023-40661-8of12.patch @@ -0,0 +1,29 @@ +From 638a5007a5d240d6fa901aa822cfeef94fe36e85 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Thu, 10 Aug 2023 12:20:33 +0200 +Subject: [PATCH] pkcs15-pubkey.c: Avoid double-free + +Thanks OSS-Fuzz +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60616 +--- + src/libopensc/pkcs15-pubkey.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/libopensc/pkcs15-pubkey.c b/src/libopensc/pkcs15-pubkey.c +index 7107c47cbc..49b514968b 100644 +--- a/src/libopensc/pkcs15-pubkey.c ++++ b/src/libopensc/pkcs15-pubkey.c +@@ -351,8 +351,12 @@ int sc_pkcs15_decode_pukdf_entry(struct sc_pkcs15_card *p15card, + err: + if (r < 0) { + sc_pkcs15_free_pubkey_info(info); +- if (der->len) ++ if (der->len) { + free(der->value); ++ /* der points to obj->content */ ++ obj->content.value = NULL; ++ obj->content.len = 0; ++ } + } + + LOG_FUNC_RETURN(ctx, r); diff --git a/0015-opensc-CVE-2023-40661-9of12.patch b/0015-opensc-CVE-2023-40661-9of12.patch new file mode 100644 index 0000000..cedde52 --- /dev/null +++ b/0015-opensc-CVE-2023-40661-9of12.patch @@ -0,0 +1,27 @@ +From ce7fcdaa35196706a83fe982900228e15464f928 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 17 Aug 2023 11:55:06 +0200 +Subject: [PATCH] oberthur: Avoid heap buffer overflow + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650 +--- + src/pkcs15init/pkcs15-oberthur.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/pkcs15init/pkcs15-oberthur.c b/src/pkcs15init/pkcs15-oberthur.c +index 377e28948e..b20bd6e6c4 100644 +--- a/src/pkcs15init/pkcs15-oberthur.c ++++ b/src/pkcs15init/pkcs15-oberthur.c +@@ -531,7 +531,9 @@ cosm_new_file(struct sc_profile *profile, struct sc_card *card, + } + + file->id |= (num & 0xFF); +- file->path.value[file->path.len-1] |= (num & 0xFF); ++ if (file->path.len) { ++ file->path.value[file->path.len - 1] |= (num & 0xFF); ++ } + if (file->type == SC_FILE_TYPE_INTERNAL_EF) { + file->ef_structure = structure; + } diff --git a/0016-opensc-CVE-2023-40661-10of12.patch b/0016-opensc-CVE-2023-40661-10of12.patch new file mode 100644 index 0000000..6300e70 --- /dev/null +++ b/0016-opensc-CVE-2023-40661-10of12.patch @@ -0,0 +1,25 @@ +From 440ca666eff10cc7011901252d20f3fc4ea23651 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 17 Aug 2023 13:41:36 +0200 +Subject: [PATCH] setcos: Avoid buffer underflow + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60672 +--- + src/pkcs15init/pkcs15-setcos.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/src/pkcs15init/pkcs15-setcos.c ++++ b/src/pkcs15init/pkcs15-setcos.c +@@ -349,6 +349,10 @@ setcos_create_key(sc_profile_t *profile, + + /* Replace the path of instantiated key template by the path from the object data. */ + memcpy(&file->path, &key_info->path, sizeof(file->path)); ++ if (file->path.len < 2) { ++ sc_file_free(file); ++ LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Invalid path"); ++ } + file->id = file->path.value[file->path.len - 2] * 0x100 + + file->path.value[file->path.len - 1]; + diff --git a/0017-opensc-CVE-2023-40661-11of12.patch b/0017-opensc-CVE-2023-40661-11of12.patch new file mode 100644 index 0000000..e4649a8 --- /dev/null +++ b/0017-opensc-CVE-2023-40661-11of12.patch @@ -0,0 +1,38 @@ +From 245efe608d083fd4e4ec96793fdefd218e26fde7 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 17 Aug 2023 13:54:42 +0200 +Subject: [PATCH] pkcs15: Avoid buffer overflow when getting last update + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60769 +--- + src/libopensc/pkcs15.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/src/libopensc/pkcs15.c ++++ b/src/libopensc/pkcs15.c +@@ -528,7 +528,7 @@ sc_pkcs15_get_lastupdate(struct sc_pkcs1 + struct sc_context *ctx = p15card->card->ctx; + struct sc_file *file = NULL; + struct sc_asn1_entry asn1_last_update[C_ASN1_LAST_UPDATE_SIZE]; +- unsigned char *content, last_update[32]; ++ unsigned char *content, last_update[32] = {0}; + size_t lupdate_len = sizeof(last_update) - 1; + int r, content_len; + size_t size; +@@ -564,9 +564,11 @@ sc_pkcs15_get_lastupdate(struct sc_pkcs1 + if (r < 0) + return NULL; + +- p15card->tokeninfo->last_update.gtime = strdup((char *)last_update); +- if (!p15card->tokeninfo->last_update.gtime) +- return NULL; ++ if (asn1_last_update[0].flags & SC_ASN1_PRESENT) { ++ p15card->tokeninfo->last_update.gtime = strdup((char *)last_update); ++ if (!p15card->tokeninfo->last_update.gtime) ++ return NULL; ++ } + done: + sc_log(ctx, "lastUpdate.gtime '%s'", p15card->tokeninfo->last_update.gtime); + return p15card->tokeninfo->last_update.gtime; diff --git a/0018-opensc-CVE-2023-40661-12of12.patch b/0018-opensc-CVE-2023-40661-12of12.patch new file mode 100644 index 0000000..724d6fc --- /dev/null +++ b/0018-opensc-CVE-2023-40661-12of12.patch @@ -0,0 +1,26 @@ +From 41d61da8481582e12710b5858f8b635e0a71ab5e Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 20 Sep 2023 10:13:57 +0200 +Subject: [PATCH] oberthur: Avoid buffer overflow + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650 +--- + src/pkcs15init/pkcs15-oberthur.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/pkcs15init/pkcs15-oberthur.c b/src/pkcs15init/pkcs15-oberthur.c +index ad2cabd530..c441ab1e76 100644 +--- a/src/pkcs15init/pkcs15-oberthur.c ++++ b/src/pkcs15init/pkcs15-oberthur.c +@@ -715,6 +715,9 @@ cosm_create_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card, + if (object->type != SC_PKCS15_TYPE_PRKEY_RSA) + LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Create key failed: RSA only supported"); + ++ if (key_info->path.len < 2) ++ LOG_TEST_RET(ctx, SC_ERROR_OBJECT_NOT_VALID, "The path needs to be at least to bytes long"); ++ + sc_log(ctx, "create private key ID:%s", sc_pkcs15_print_id(&key_info->id)); + /* Here, the path of private key file should be defined. + * Nevertheless, we need to instantiate private key to get the ACLs. */ diff --git a/opensc.spec b/opensc.spec index 670fa82..f6c5c6d 100644 --- a/opensc.spec +++ b/opensc.spec @@ -3,7 +3,7 @@ Name: opensc Version: 0.21.0 -Release: 8 +Release: 9 License: LGPLv2.1+ Summary: Smart card library and applications URL: https://github.com/OpenSC/OpenSC/wiki @@ -40,6 +40,18 @@ Patch19: backport-0005-CVE-2021-42782-PIV-Improved-parsing.patch Patch20: backport-0006-CVE-2023-2977-correct_left_length_calculation_to_fix_buffer.patch Patch21: 0003-opensc-CVE-2023-40660-1of2.patch Patch22: 0004-opensc-CVE-2023-40660-2of2.patch +Patch23: 0007-opensc-CVE-2023-40661-1of12.patch +Patch24: 0008-opensc-CVE-2023-40661-2of12.patch +Patch25: 0009-opensc-CVE-2023-40661-3of12.patch +Patch26: 0010-opensc-CVE-2023-40661-4of12.patch +Patch27: 0011-opensc-CVE-2023-40661-5of12.patch +Patch28: 0012-opensc-CVE-2023-40661-6of12.patch +Patch29: 0013-opensc-CVE-2023-40661-7of12.patch +Patch30: 0014-opensc-CVE-2023-40661-8of12.patch +Patch31: 0015-opensc-CVE-2023-40661-9of12.patch +Patch32: 0016-opensc-CVE-2023-40661-10of12.patch +Patch33: 0017-opensc-CVE-2023-40661-11of12.patch +Patch34: 0018-opensc-CVE-2023-40661-12of12.patch %description OpenSC provides a set of libraries and utilities to work with smart cards. @@ -158,6 +170,9 @@ make check %{_datadir}/opensc/ %changelog +* Wed Nov 8 2023 dillon chen - 0.21.0-9 +- fix CVE-2023-40661 + * Mon Oct 23 2023 dillon chen - 0.21.0-8 - fix CVE-2023-40660 -- Gitee