author | Zhang Peng <peng.zhang1.cn@windriver.com> | 2025-01-15 15:24:28 +0800 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2025-01-22 19:28:56 -0500 |
commit | c028b3652715600a0bed43314c4f1b53d7e0181e (patch) | |
tree | 4b63677a7015bad9a15c1ae88f3c0fc257930c44 | |
parent | d51c6495e018725479b08968eef6436a4ec2433d (diff) | |
download | meta-openembedded-c028b3652715600a0bed43314c4f1b53d7e0181e.tar.gz |
opensc: fix CVE-2024-45620
CVE-2024-45620:
A vulnerability was found in the pkcs15-init tool in OpenSC. An attacker could use
a crafted USB Device or Smart Card, which would present the system with a specially
crafted response to APDUs. When buffers are partially filled with data, initialized
parts of the buffer can be incorrectly accessed.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-45620]
Upstream patches:
[https://github.com/OpenSC/OpenSC/commit/a1bcc6516f43d570899820d259b71c53f8049168]
[https://github.com/OpenSC/OpenSC/commit/6baa19596598169d652659863470a60c5ed79ecd]
[https://github.com/OpenSC/OpenSC/commit/468a314d76b26f724a551f2eb339dd17c856cf18]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
4 files changed, 129 insertions, 0 deletions
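--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0001.patch
@@ -0,0 +1,42 @@
+From a1bcc6516f43d570899820d259b71c53f8049168 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Thu, 18 Jul 2024 09:23:20 +0200
+Subject: [PATCH] pkcs15-starcos: Check length of file to be non-zero
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15init/20
+
+CVE: CVE-2024-45620
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/a1bcc6516f43d570899820d259b71c53f8049168]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+src/pkcs15init/pkcs15-starcos.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/pkcs15init/pkcs15-starcos.c b/src/pkcs15init/pkcs15-starcos.c
+index bde7413a46..267ad2b04a 100644
+--- a/src/pkcs15init/pkcs15-starcos.c
++++ b/src/pkcs15init/pkcs15-starcos.c
+@@ -670,6 +670,8 @@ static int starcos_write_pukey(sc_profile_t *profile, sc_card_t *card,
+return r;
+len = tfile->size;
+sc_file_free(tfile);
++ if (len == 0)
++ return SC_ERROR_INTERNAL;
+buf = malloc(len);
+if (!buf)
+return SC_ERROR_OUT_OF_MEMORY;
+@@ -682,7 +684,7 @@ static int starcos_write_pukey(sc_profile_t *profile, sc_card_t *card,
+if (num_keys == 0xff)
+num_keys = 0;
+/* encode public key */
+- keylen = starcos_encode_pukey(rsa, NULL, kinfo);
++ keylen = starcos_encode_pukey(rsa, NULL, kinfo);
+if (!keylen) {
+free(buf);
+return SC_ERROR_INTERNAL;
+--
+2.34.1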
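Review bot: `buf = malloc(len)` in starcos_write_pukey still returns uninitialized memory after the new `len == 0` guard, which only rejects the empty-file case. The code that fills `buf` lies outside the hunk; if it can return fewer than `len` bytes, later parsing may still read bytes the card never supplied. Using `buf = calloc(1, len);`, or checking the returned byte count before parsing, would cover the partially filled case the CVE text describes. A zero size reported by the card would also read more naturally as `SC_ERROR_INVALID_DATA` than `SC_ERROR_INTERNAL`. The second inner hunk is whitespace-only.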
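--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0002.patch
@@ -0,0 +1,34 @@
+From 6baa19596598169d652659863470a60c5ed79ecd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Thu, 18 Jul 2024 09:35:23 +0200
+Subject: [PATCH] iasecc-sdo: Check length of data before dereferencing
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15init/21
+
+CVE: CVE-2024-45620
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/6baa19596598169d652659863470a60c5ed79ecd]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+src/libopensc/iasecc-sdo.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/src/libopensc/iasecc-sdo.c b/src/libopensc/iasecc-sdo.c
+index 417b6dd57d..98402a4e3f 100644
+--- a/src/libopensc/iasecc-sdo.c
++++ b/src/libopensc/iasecc-sdo.c
+@@ -729,6 +729,9 @@ iasecc_sdo_parse(struct sc_card *card, unsigned char *data, size_t data_len, str
+
+LOG_FUNC_CALLED(ctx);
+
++ if (data == NULL || data_len < 2)
++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
+if (*data == IASECC_SDO_TEMPLATE_TAG) {
+size_size = iasecc_parse_size(data + 1, &size);
+LOG_TEST_RET(ctx, size_size, "parse error: invalid size data of IASECC_SDO_TEMPLATE");
+--
+2.34.1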
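Review bot: The new guard `data_len < 2` in iasecc_sdo_parse covers only the tag byte and the first length byte, while `iasecc_parse_size(data + 1, &size)` is still called without any length argument. If that helper accepts multi-byte length encodings (its body is not visible here), it can read past `data_len` on a two-byte input. Passing the remaining length into the helper would bound the read, and checking `(size_t)size_size + 1 > data_len` before advancing would bound later use. The function continues outside the hunk, so any later check on `size` cannot be confirmed from this page.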
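--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0003.patch
@@ -0,0 +1,50 @@
+From 468a314d76b26f724a551f2eb339dd17c856cf18 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Thu, 18 Jul 2024 11:03:46 +0200
+Subject: [PATCH] iasecc-sdo: Check length of data when parsing
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15init/27,29
+
+CVE: CVE-2024-45620
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/468a314d76b26f724a551f2eb339dd17c856cf18]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+src/libopensc/iasecc-sdo.c | 9 +++++++++
+1 file changed, 9 insertions(+)
+
+diff --git a/src/libopensc/iasecc-sdo.c b/src/libopensc/iasecc-sdo.c
+index 4d6be7ad4..bdbd5ab17 100644
+--- a/src/libopensc/iasecc-sdo.c
++++ b/src/libopensc/iasecc-sdo.c
+@@ -334,16 +334,25 @@ iasecc_se_parse(struct sc_card *card, unsigned char *data, size_t data_len, stru
+
+LOG_FUNC_CALLED(ctx);
+
++ if (data_len < 1)
++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
+if (*data == IASECC_SDO_TEMPLATE_TAG) {
+size_size = iasecc_parse_size(data + 1, &size);
+LOG_TEST_RET(ctx, size_size, "parse error: invalid size data of IASECC_SDO_TEMPLATE");
+
++ if (data_len - 1 < size)
++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
+data += size_size + 1;
+data_len = size;
+sc_log(ctx,
+"IASECC_SDO_TEMPLATE: size %"SC_FORMAT_LEN_SIZE_T"u, size_size %"SC_FORMAT_LEN_SIZE_T"u",
+size, size_size);
+
++ if (data_len < 3)
++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
+if (*data != IASECC_SDO_TAG_HEADER)
+LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+
+--
+2.34.1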
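Review bot: The added bound `if (data_len - 1 < size)` in iasecc_se_parse ignores the length bytes themselves. The pointer then advances by `size_size + 1` and `data_len` becomes `size`, so the recorded length can exceed the bytes that actually remain by up to `size_size`. Comparing against what is left after the header, `if (data_len < (size_t)size_size + 1 || data_len - size_size - 1 < size)`, would close that gap. The first guard also admits `data_len == 1`, after which `iasecc_parse_size(data + 1, &size)` reads beyond the input, and it omits the `data == NULL` test; `if (data == NULL || data_len < 2)` as in iasecc_sdo_parse would be consistent. The function starts and ends outside the hunk, and as this is a verbatim backport any change belongs upstream first.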
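--- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
@@ -52,6 +52,9 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
 file://CVE-2024-45619-0004.patch \
 file://CVE-2024-45619-0005.patch \
 file://CVE-2024-45619-0006.patch \
+file://CVE-2024-45620-0001.patch \
+file://CVE-2024-45620-0002.patch \
+file://CVE-2024-45620-0003.patch \
 "
 
 # CVE-2021-34193 is a duplicate CVE covering the 5 individual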