opensc: fix CVE-2024-8443

CVE-2024-8443: The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘themehunk_megamenu_bg_image' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Please note that this was partially fixed in 1.1.0 due to the missing authorization protection that was added. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-8433] Upstream patches: [https://github.com/OpenSC/OpenSC/commit/02e847458369c08421fd2d5e9a16a5f272c2de9e] [https://github.com/OpenSC/OpenSC/commit/b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Zhang Peng <peng.zhang1.cn@windriver.com> 2025-01-15 15:24:22 +0800
committer: Armin Kuster <akuster808@gmail.com> 2025-01-22 19:26:06 -0500
commit: 394846f98899f17aca8c84560070fb5aada6ebdf (patch)
tree: 506fc1a433e3d54eb40478c74ee11bd5f419b34e
parent: 7e91b406fa1bc43bc8086733dc447199ecbe2919 (diff)
download: meta-openembedded-394846f98899f17aca8c84560070fb5aada6ebdf.tar.gz
3 files changed, 117 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0001.patch
new file mode 100644
index 0000000000..7d80aba769
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0001.patch
@@ -0,0 +1,60 @@
+From b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 12 Aug 2024 19:02:14 +0200
+Subject: [PATCH] openpgp: Do not accept non-matching key responses
+When generating RSA key pair using PKCS#15 init, the driver could accept
+responses relevant to ECC keys, which made further processing in the
+pkcs15-init failing/accessing invalid parts of structures.
+Thanks oss-fuzz!
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=71010
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+CVE: CVE-2024-8443
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/card-openpgp.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
+index fad32f0ce..f99ec0db9 100644
+--- a/src/libopensc/card-openpgp.c
+++ b/src/libopensc/card-openpgp.c
+@@ -2877,6 +2877,9 @@ pgp_parse_and_set_pubkey_output(sc_card_t *card, u8* data, size_t data_len,
+ 
+                /* RSA modulus */
+                if (tag == 0x0081) {
+                       if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA) {
+                               LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);
+                       }
+                        if ((BYTES4BITS(key_info->u.rsa.modulus_len) < len)  /* modulus_len is in bits */
+                                || key_info->u.rsa.modulus == NULL) {
+ 
+@@ -2892,6 +2895,9 @@ pgp_parse_and_set_pubkey_output(sc_card_t *card, u8* data, size_t data_len,
+                }
+                /* RSA public exponent */
+                else if (tag == 0x0082) {
+                       if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA) {
+                               LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);
+                       }
+                        if ((BYTES4BITS(key_info->u.rsa.exponent_len) < len)  /* exponent_len is in bits */
+                                || key_info->u.rsa.exponent == NULL) {
+ 
+@@ -2907,6 +2913,10 @@ pgp_parse_and_set_pubkey_output(sc_card_t *card, u8* data, size_t data_len,
+                }
+                /* ECC public key */
+                else if (tag == 0x0086) {
+                       if (key_info->algorithm != SC_OPENPGP_KEYALGO_ECDSA &&
+                                       key_info->algorithm != SC_OPENPGP_KEYALGO_ECDH) {
+                               LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);
+                       }
+                        /* set the output data */
+                        /* len is ecpoint length + format byte
+                         * see section 7.2.14 of 3.3.1 specs */
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0002.patch
new file mode 100644
index 0000000000..30a7e63a72
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0002.patch
@@ -0,0 +1,55 @@
+From 02e847458369c08421fd2d5e9a16a5f272c2de9e Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 15 Aug 2024 11:13:47 +0200
+Subject: [PATCH] openpgp: Avoid buffer overflow when writing fingerprint
+Fix also surrounding code to return error (not just log it)
+when some step fails.
+Thanks oss-fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=70933
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+CVE: CVE-2024-8443
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/02e847458369c08421fd2d5e9a16a5f272c2de9e]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/card-openpgp.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
+index f99ec0db9..3957440de 100644
+--- a/src/libopensc/card-openpgp.c
+++ b/src/libopensc/card-openpgp.c
+@@ -2756,14 +2756,21 @@ pgp_calculate_and_store_fingerprint(sc_card_t *card, time_t ctime,
+        /* update the blob containing fingerprints (00C5) */
+        sc_log(card->ctx, "Updating fingerprint blob 00C5.");
+        fpseq_blob = pgp_find_blob(card, 0x00C5);
+-       if (fpseq_blob == NULL)
+-               LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY, "Cannot find blob 00C5");
+       if (fpseq_blob == NULL) {
+               r = SC_ERROR_OUT_OF_MEMORY;
+               LOG_TEST_GOTO_ERR(card->ctx, r, "Cannot find blob 00C5");
+       }
+       if (20 * key_info->key_id > fpseq_blob->len) {
+               r = SC_ERROR_OBJECT_NOT_VALID;
+               LOG_TEST_GOTO_ERR(card->ctx, r, "The 00C5 blob is not large enough");
+       }
+ 
+        /* save the fingerprints sequence */
+        newdata = malloc(fpseq_blob->len);
+-       if (newdata == NULL)
+-               LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY,
+-                       "Not enough memory to update fingerprint blob 00C5");
+       if (newdata == NULL) {
+               r = SC_ERROR_OUT_OF_MEMORY;
+               LOG_TEST_GOTO_ERR(card->ctx, r, "Not enough memory to update fingerprint blob 00C5");
+       }
+ 
+        memcpy(newdata, fpseq_blob->data, fpseq_blob->len);
+        /* move p to the portion holding the fingerprint of the current key */
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
index 834b83d686..822e0ab971 100644
--- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
@@ -24,6 +24,8 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
           file://CVE-2023-40661-6.patch \
           file://CVE-2023-40661-7.patch \
           file://CVE-2024-1454.patch \
+           file://CVE-2024-8443-0001.patch \
+           file://CVE-2024-8443-0002.patch \
          "
 # CVE-2021-34193 is a duplicate CVE covering the 5 individual
author	Zhang Peng <peng.zhang1.cn@windriver.com>	2025-01-15 15:24:22 +0800
committer	Armin Kuster <akuster808@gmail.com>	2025-01-22 19:26:06 -0500
commit	394846f98899f17aca8c84560070fb5aada6ebdf (patch)
tree	506fc1a433e3d54eb40478c74ee11bd5f419b34e
parent	7e91b406fa1bc43bc8086733dc447199ecbe2919 (diff)
download	meta-openembedded-394846f98899f17aca8c84560070fb5aada6ebdf.tar.gz

diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0001.patch new file mode 100644 index 0000000000..7d80aba769 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0001.patch
@@ -0,0 +1,60 @@
		1	From b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc Mon Sep 17 00:00:00 2001
		2	From: Jakub Jelen <jjelen@redhat.com>
		3	Date: Mon, 12 Aug 2024 19:02:14 +0200
		4	Subject: [PATCH] openpgp: Do not accept non-matching key responses
		5
		6	When generating RSA key pair using PKCS#15 init, the driver could accept
		7	responses relevant to ECC keys, which made further processing in the
		8	pkcs15-init failing/accessing invalid parts of structures.
		9
		10	Thanks oss-fuzz!
		11
		12	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=71010
		13
		14	Signed-off-by: Jakub Jelen <jjelen@redhat.com>
		15
		16	CVE: CVE-2024-8443
		17	Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc]
		18
		19	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		20	---
		21	src/libopensc/card-openpgp.c \| 10 ++++++++++
		22	1 file changed, 10 insertions(+)
		23
		24	diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
		25	index fad32f0ce..f99ec0db9 100644
		26	--- a/src/libopensc/card-openpgp.c
		27	+++ b/src/libopensc/card-openpgp.c
		28	@@ -2877,6 +2877,9 @@ pgp_parse_and_set_pubkey_output(sc_card_t card, u8 data, size_t data_len,
		29
		30	/* RSA modulus */
		31	if (tag == 0x0081) {
		32	+ if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA) {
		33	+ LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);
		34	+ }
		35	if ((BYTES4BITS(key_info->u.rsa.modulus_len) < len) /* modulus_len is in bits */
		36	\|\| key_info->u.rsa.modulus == NULL) {
		37
		38	@@ -2892,6 +2895,9 @@ pgp_parse_and_set_pubkey_output(sc_card_t card, u8 data, size_t data_len,
		39	}
		40	/* RSA public exponent */
		41	else if (tag == 0x0082) {
		42	+ if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA) {
		43	+ LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);
		44	+ }
		45	if ((BYTES4BITS(key_info->u.rsa.exponent_len) < len) /* exponent_len is in bits */
		46	\|\| key_info->u.rsa.exponent == NULL) {
		47
		48	@@ -2907,6 +2913,10 @@ pgp_parse_and_set_pubkey_output(sc_card_t card, u8 data, size_t data_len,
		49	}
		50	/* ECC public key */
		51	else if (tag == 0x0086) {
		52	+ if (key_info->algorithm != SC_OPENPGP_KEYALGO_ECDSA &&
		53	+ key_info->algorithm != SC_OPENPGP_KEYALGO_ECDH) {
		54	+ LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);
		55	+ }
		56	/* set the output data */
		57	/* len is ecpoint length + format byte
		58	* see section 7.2.14 of 3.3.1 specs */
		59	--
		60	2.34.1


diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0002.patch new file mode 100644 index 0000000000..30a7e63a72 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0002.patch
@@ -0,0 +1,55 @@
		1	From 02e847458369c08421fd2d5e9a16a5f272c2de9e Mon Sep 17 00:00:00 2001
		2	From: Jakub Jelen <jjelen@redhat.com>
		3	Date: Thu, 15 Aug 2024 11:13:47 +0200
		4	Subject: [PATCH] openpgp: Avoid buffer overflow when writing fingerprint
		5
		6	Fix also surrounding code to return error (not just log it)
		7	when some step fails.
		8
		9	Thanks oss-fuzz
		10
		11	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=70933
		12
		13	Signed-off-by: Jakub Jelen <jjelen@redhat.com>
		14
		15	CVE: CVE-2024-8443
		16	Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/02e847458369c08421fd2d5e9a16a5f272c2de9e]
		17
		18	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		19	---
		20	src/libopensc/card-openpgp.c \| 17 ++++++++++++-----
		21	1 file changed, 12 insertions(+), 5 deletions(-)
		22
		23	diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
		24	index f99ec0db9..3957440de 100644
		25	--- a/src/libopensc/card-openpgp.c
		26	+++ b/src/libopensc/card-openpgp.c
		27	@@ -2756,14 +2756,21 @@ pgp_calculate_and_store_fingerprint(sc_card_t *card, time_t ctime,
		28	/* update the blob containing fingerprints (00C5) */
		29	sc_log(card->ctx, "Updating fingerprint blob 00C5.");
		30	fpseq_blob = pgp_find_blob(card, 0x00C5);
		31	- if (fpseq_blob == NULL)
		32	- LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY, "Cannot find blob 00C5");
		33	+ if (fpseq_blob == NULL) {
		34	+ r = SC_ERROR_OUT_OF_MEMORY;
		35	+ LOG_TEST_GOTO_ERR(card->ctx, r, "Cannot find blob 00C5");
		36	+ }
		37	+ if (20 * key_info->key_id > fpseq_blob->len) {
		38	+ r = SC_ERROR_OBJECT_NOT_VALID;
		39	+ LOG_TEST_GOTO_ERR(card->ctx, r, "The 00C5 blob is not large enough");
		40	+ }
		41
		42	/* save the fingerprints sequence */
		43	newdata = malloc(fpseq_blob->len);
		44	- if (newdata == NULL)
		45	- LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY,
		46	- "Not enough memory to update fingerprint blob 00C5");
		47	+ if (newdata == NULL) {
		48	+ r = SC_ERROR_OUT_OF_MEMORY;
		49	+ LOG_TEST_GOTO_ERR(card->ctx, r, "Not enough memory to update fingerprint blob 00C5");
		50	+ }
		51
		52	memcpy(newdata, fpseq_blob->data, fpseq_blob->len);
		53	/* move p to the portion holding the fingerprint of the current key */
		54	--
		55	2.34.1


diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb index 834b83d686..822e0ab971 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
@@ -24,6 +24,8 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
24	file://CVE-2023-40661-6.patch \	24	file://CVE-2023-40661-6.patch \
25	file://CVE-2023-40661-7.patch \	25	file://CVE-2023-40661-7.patch \
26	file://CVE-2024-1454.patch \	26	file://CVE-2024-1454.patch \
		27	file://CVE-2024-8443-0001.patch \
		28	file://CVE-2024-8443-0002.patch \
27	"	29	"
28		30
29	# CVE-2021-34193 is a duplicate CVE covering the 5 individual	31	# CVE-2021-34193 is a duplicate CVE covering the 5 individual