opensc: fix CVE-2024-45618

CVE-2024-45618: A vulnerability was found in pkcs15-init in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-45618] Upstream patches: [https://github.com/OpenSC/OpenSC/commit/8632ec172beda894581d67eaa991e519a7874f7d] [https://github.com/OpenSC/OpenSC/commit/f9d68660f032ad4d7803431d5fc7577ea8792ac3] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Zhang Peng <peng.zhang1.cn@windriver.com> 2025-01-15 15:24:26 +0800
committer: Armin Kuster <akuster808@gmail.com> 2025-01-22 19:28:50 -0500
commit: 47939c2bdc8fd068e0a47c64664bc30e60717fb3 (patch)
tree: 782d8b4b94b3d2e2838229e4a57a0df213e7edb9
parent: 4fff381a2257edcf6d1119973bc347233dadfdb3 (diff)
download: meta-openembedded-47939c2bdc8fd068e0a47c64664bc30e60717fb3.tar.gz
3 files changed, 86 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0001.patch
new file mode 100644
index 0000000000..76311bd1a2
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0001.patch
@@ -0,0 +1,42 @@
+From 8632ec172beda894581d67eaa991e519a7874f7d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Wed, 17 Jul 2024 11:18:52 +0200
+Subject: [PATCH] pkcs15-tcos: Check return value of serial num conversion
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+fuzz_pkcs15_encode/21
+CVE: CVE-2024-45618
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/8632ec172beda894581d67eaa991e519a7874f7d]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/pkcs15-tcos.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c
+index a78b9aee5..9f44de6e5 100644
+--- a/src/libopensc/pkcs15-tcos.c
+++ b/src/libopensc/pkcs15-tcos.c
+@@ -530,10 +530,15 @@ int sc_pkcs15emu_tcos_init_ex(
+        /* get the card serial number */
+        r = sc_card_ctl(card, SC_CARDCTL_GET_SERIALNR, &serialnr);
+        if (r < 0) {
+-               sc_log(ctx,  "unable to get ICCSN\n");
+               sc_log(ctx, "unable to get ICCSN");
+                return SC_ERROR_WRONG_CARD;
+        }
+-       sc_bin_to_hex(serialnr.value, serialnr.len , serial, sizeof(serial), 0);
+       r = sc_bin_to_hex(serialnr.value, serialnr.len, serial, sizeof(serial), 0);
+       if (r != SC_SUCCESS) {
+               sc_log(ctx, "serial number invalid");
+               return SC_ERROR_INTERNAL;
+       }
+
+        serial[19] = '\0';
+        set_string(&p15card->tokeninfo->serial_number, serial);
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0002.patch
new file mode 100644
index 0000000000..82e52e3cc3
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0002.patch
@@ -0,0 +1,42 @@
+From f9d68660f032ad4d7803431d5fc7577ea8792ac3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Wed, 17 Jul 2024 14:56:22 +0200
+Subject: [PATCH] pkcs15-lib: Report transport key error
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+fuzz_pkcs15init/17, fuzz_pkcs15init/18
+CVE: CVE-2024-45618
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/f9d68660f032ad4d7803431d5fc7577ea8792ac3]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/pkcs15init/pkcs15-lib.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
+index f297a5f48..f4cbaa694 100644
+--- a/src/pkcs15init/pkcs15-lib.c
+++ b/src/pkcs15init/pkcs15-lib.c
+@@ -3767,13 +3767,15 @@ sc_pkcs15init_get_transport_key(struct sc_profile *profile, struct sc_pkcs15_car
+        if (callbacks.get_key)   {
+                rv = callbacks.get_key(profile, type, reference, defbuf, defsize, pinbuf, pinsize);
+                LOG_TEST_RET(ctx, rv, "Cannot get key");
+-       }
+-       else if (rv >= 0)  {
+       } else if (rv >= 0) {
+                if (*pinsize < defsize)
+                        LOG_TEST_RET(ctx, SC_ERROR_BUFFER_TOO_SMALL, "Get transport key error");
+ 
+                memcpy(pinbuf, data.key_data, data.len);
+                *pinsize = data.len;
+       } else {
+               /* pinbuf and pinsize were not filled */
+               LOG_TEST_RET(ctx, SC_ERROR_INTERNAL, "Get transport key error");
+        }
+ 
+        memset(&auth_info, 0, sizeof(auth_info));
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
index 89e2e0d5a5..641d6a807f 100644
--- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
@@ -44,6 +44,8 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
           file://CVE-2024-45617-0001.patch \
           file://CVE-2024-45617-0002.patch \
           file://CVE-2024-45617-0003.patch \
+           file://CVE-2024-45618-0001.patch \
+           file://CVE-2024-45618-0002.patch \
          "
 # CVE-2021-34193 is a duplicate CVE covering the 5 individual
author	Zhang Peng <peng.zhang1.cn@windriver.com>	2025-01-15 15:24:26 +0800
committer	Armin Kuster <akuster808@gmail.com>	2025-01-22 19:28:50 -0500
commit	47939c2bdc8fd068e0a47c64664bc30e60717fb3 (patch)
tree	782d8b4b94b3d2e2838229e4a57a0df213e7edb9
parent	4fff381a2257edcf6d1119973bc347233dadfdb3 (diff)
download	meta-openembedded-47939c2bdc8fd068e0a47c64664bc30e60717fb3.tar.gz

diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0001.patch new file mode 100644 index 0000000000..76311bd1a2 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0001.patch
@@ -0,0 +1,42 @@
		1	From 8632ec172beda894581d67eaa991e519a7874f7d Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
		3	Date: Wed, 17 Jul 2024 11:18:52 +0200
		4	Subject: [PATCH] pkcs15-tcos: Check return value of serial num conversion
		5
		6	Thanks Matteo Marini for report
		7	https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
		8
		9	fuzz_pkcs15_encode/21
		10
		11	CVE: CVE-2024-45618
		12	Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/8632ec172beda894581d67eaa991e519a7874f7d]
		13
		14	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		15	---
		16	src/libopensc/pkcs15-tcos.c \| 9 +++++++--
		17	1 file changed, 7 insertions(+), 2 deletions(-)
		18
		19	diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c
		20	index a78b9aee5..9f44de6e5 100644
		21	--- a/src/libopensc/pkcs15-tcos.c
		22	+++ b/src/libopensc/pkcs15-tcos.c
		23	@@ -530,10 +530,15 @@ int sc_pkcs15emu_tcos_init_ex(
		24	/* get the card serial number */
		25	r = sc_card_ctl(card, SC_CARDCTL_GET_SERIALNR, &serialnr);
		26	if (r < 0) {
		27	- sc_log(ctx, "unable to get ICCSN\n");
		28	+ sc_log(ctx, "unable to get ICCSN");
		29	return SC_ERROR_WRONG_CARD;
		30	}
		31	- sc_bin_to_hex(serialnr.value, serialnr.len , serial, sizeof(serial), 0);
		32	+ r = sc_bin_to_hex(serialnr.value, serialnr.len, serial, sizeof(serial), 0);
		33	+ if (r != SC_SUCCESS) {
		34	+ sc_log(ctx, "serial number invalid");
		35	+ return SC_ERROR_INTERNAL;
		36	+ }
		37	+
		38	serial[19] = '\0';
		39	set_string(&p15card->tokeninfo->serial_number, serial);
		40
		41	--
		42	2.34.1


diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0002.patch new file mode 100644 index 0000000000..82e52e3cc3 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0002.patch
@@ -0,0 +1,42 @@
		1	From f9d68660f032ad4d7803431d5fc7577ea8792ac3 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
		3	Date: Wed, 17 Jul 2024 14:56:22 +0200
		4	Subject: [PATCH] pkcs15-lib: Report transport key error
		5
		6	Thanks Matteo Marini for report
		7	https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
		8
		9	fuzz_pkcs15init/17, fuzz_pkcs15init/18
		10
		11	CVE: CVE-2024-45618
		12	Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/f9d68660f032ad4d7803431d5fc7577ea8792ac3]
		13
		14	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		15	---
		16	src/pkcs15init/pkcs15-lib.c \| 6 ++++--
		17	1 file changed, 4 insertions(+), 2 deletions(-)
		18
		19	diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
		20	index f297a5f48..f4cbaa694 100644
		21	--- a/src/pkcs15init/pkcs15-lib.c
		22	+++ b/src/pkcs15init/pkcs15-lib.c
		23	@@ -3767,13 +3767,15 @@ sc_pkcs15init_get_transport_key(struct sc_profile *profile, struct sc_pkcs15_car
		24	if (callbacks.get_key) {
		25	rv = callbacks.get_key(profile, type, reference, defbuf, defsize, pinbuf, pinsize);
		26	LOG_TEST_RET(ctx, rv, "Cannot get key");
		27	- }
		28	- else if (rv >= 0) {
		29	+ } else if (rv >= 0) {
		30	if (*pinsize < defsize)
		31	LOG_TEST_RET(ctx, SC_ERROR_BUFFER_TOO_SMALL, "Get transport key error");
		32
		33	memcpy(pinbuf, data.key_data, data.len);
		34	*pinsize = data.len;
		35	+ } else {
		36	+ /* pinbuf and pinsize were not filled */
		37	+ LOG_TEST_RET(ctx, SC_ERROR_INTERNAL, "Get transport key error");
		38	}
		39
		40	memset(&auth_info, 0, sizeof(auth_info));
		41	--
		42	2.34.1


diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb index 89e2e0d5a5..641d6a807f 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
@@ -44,6 +44,8 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
44	file://CVE-2024-45617-0001.patch \	44	file://CVE-2024-45617-0001.patch \
45	file://CVE-2024-45617-0002.patch \	45	file://CVE-2024-45617-0002.patch \
46	file://CVE-2024-45617-0003.patch \	46	file://CVE-2024-45617-0003.patch \
		47	file://CVE-2024-45618-0001.patch \
		48	file://CVE-2024-45618-0002.patch \
47	"	49	"
48		50
49	# CVE-2021-34193 is a duplicate CVE covering the 5 individual	51	# CVE-2021-34193 is a duplicate CVE covering the 5 individual