authorZhang Peng <peng.zhang1.cn@windriver.com>2025-01-15 15:24:28 +0800
committerArmin Kuster <akuster808@gmail.com>2025-01-22 19:28:56 -0500
commitc028b3652715600a0bed43314c4f1b53d7e0181e (patch)
tree4b63677a7015bad9a15c1ae88f3c0fc257930c44
parentd51c6495e018725479b08968eef6436a4ec2433d (diff)
downloadmeta-openembedded-c028b3652715600a0bed43314c4f1b53d7e0181e.tar.gz
opensc: fix CVE-2024-45620
CVE-2024-45620: A vulnerability was found in the pkcs15-init tool in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-45620] Upstream patches: [https://github.com/OpenSC/OpenSC/commit/a1bcc6516f43d570899820d259b71c53f8049168] [https://github.com/OpenSC/OpenSC/commit/6baa19596598169d652659863470a60c5ed79ecd] [https://github.com/OpenSC/OpenSC/commit/468a314d76b26f724a551f2eb339dd17c856cf18] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-oe/recipes-support/opensc/files/CVE-2024-45620-0001.patch42
-rw-r--r--meta-oe/recipes-support/opensc/files/CVE-2024-45620-0002.patch34
-rw-r--r--meta-oe/recipes-support/opensc/files/CVE-2024-45620-0003.patch50
-rw-r--r--meta-oe/recipes-support/opensc/opensc_0.22.0.bb3
4 files changed, 129 insertions, 0 deletions
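diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0001.patch
new file mode 100644
index 0000000000..bacf75960b
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0001.patch
@@ -0,0 +1,42 @@
+From a1bcc6516f43d570899820d259b71c53f8049168 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Thu, 18 Jul 2024 09:23:20 +0200
+Subject: [PATCH] pkcs15-starcos: Check length of file to be non-zero
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15init/20
+
+CVE: CVE-2024-45620
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/a1bcc6516f43d570899820d259b71c53f8049168]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/pkcs15init/pkcs15-starcos.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/pkcs15init/pkcs15-starcos.c b/src/pkcs15init/pkcs15-starcos.c
+index bde7413a46..267ad2b04a 100644
+--- a/src/pkcs15init/pkcs15-starcos.c
++++ b/src/pkcs15init/pkcs15-starcos.c
+@@ -670,6 +670,8 @@ static int starcos_write_pukey(sc_profile_t *profile, sc_card_t *card,
+ return r;
+ len = tfile->size;
+ sc_file_free(tfile);
++ if (len == 0)
++ return SC_ERROR_INTERNAL;
+ buf = malloc(len);
+ if (!buf)
+ return SC_ERROR_OUT_OF_MEMORY;
+@@ -682,7 +684,7 @@ static int starcos_write_pukey(sc_profile_t *profile, sc_card_t *card,
+ if (num_keys == 0xff)
+ num_keys = 0;
+ /* encode public key */
+- keylen = starcos_encode_pukey(rsa, NULL, kinfo);
++ keylen = starcos_encode_pukey(rsa, NULL, kinfo);
+ if (!keylen) {
+ free(buf);
+ return SC_ERROR_INTERNAL;
+--
+2.34.1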
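Review bot: The new `if (len == 0)` guard in starcos_write_pukey has no comment, and its reason is easy to miss: `len` is copied from `tfile->size`, and `malloc(0)` may return a non-NULL pointer, so the existing `if (!buf)` check alone would let a zero-byte buffer through to whatever reads it later. I would add `/* reject a zero-size file: malloc(0) can succeed and buf would have no readable bytes */` above the check. Since the zero size presumably originates from the card's file and not from a library fault, `SC_ERROR_INVALID_DATA` (used by the other two patches in this series) may describe it better than `SC_ERROR_INTERNAL`, though staying identical to upstream is a fair reason to keep it. The function body starts and ends outside the hunk, so the later use of `buf` is not visible here.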
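diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0002.patch
new file mode 100644
index 0000000000..65d596b92b
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0002.patch
@@ -0,0 +1,34 @@
+From 6baa19596598169d652659863470a60c5ed79ecd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Thu, 18 Jul 2024 09:35:23 +0200
+Subject: [PATCH] iasecc-sdo: Check length of data before dereferencing
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15init/21
+
+CVE: CVE-2024-45620
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/6baa19596598169d652659863470a60c5ed79ecd]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/iasecc-sdo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/libopensc/iasecc-sdo.c b/src/libopensc/iasecc-sdo.c
+index 417b6dd57d..98402a4e3f 100644
+--- a/src/libopensc/iasecc-sdo.c
++++ b/src/libopensc/iasecc-sdo.c
+@@ -729,6 +729,9 @@ iasecc_sdo_parse(struct sc_card *card, unsigned char *data, size_t data_len, str
+
+ LOG_FUNC_CALLED(ctx);
+
++ if (data == NULL || data_len < 2)
++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
+ if (*data == IASECC_SDO_TEMPLATE_TAG) {
+ size_size = iasecc_parse_size(data + 1, &size);
+ LOG_TEST_RET(ctx, size_size, "parse error: invalid size data of IASECC_SDO_TEMPLATE");
+--
+2.34.1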
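Review bot: The guard `data_len < 2` in iasecc_sdo_parse covers only the tag byte and the first size byte, while `iasecc_parse_size(data + 1, &size)` on the following lines is handed no length at all. If that helper reads further bytes for multi-byte size encodings (its body is not in this hunk), a 2-byte input could still be read past its end, so this should be confirmed against the helper, or the helper given the remaining length, e.g. `iasecc_parse_size(data + 1, data_len - 1, &size)` with a matching signature change. A comment such as `/* need the tag byte plus at least one size byte */` above the check would also record why the bound is 2. The function continues outside the hunk.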
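diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0003.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0003.patch
new file mode 100644
index 0000000000..5bc8805e65
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0003.patch
@@ -0,0 +1,50 @@
+From 468a314d76b26f724a551f2eb339dd17c856cf18 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Thu, 18 Jul 2024 11:03:46 +0200
+Subject: [PATCH] iasecc-sdo: Check length of data when parsing
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15init/27,29
+
+CVE: CVE-2024-45620
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/468a314d76b26f724a551f2eb339dd17c856cf18]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/iasecc-sdo.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/libopensc/iasecc-sdo.c b/src/libopensc/iasecc-sdo.c
+index 4d6be7ad4..bdbd5ab17 100644
+--- a/src/libopensc/iasecc-sdo.c
++++ b/src/libopensc/iasecc-sdo.c
+@@ -334,16 +334,25 @@ iasecc_se_parse(struct sc_card *card, unsigned char *data, size_t data_len, stru
+
+ LOG_FUNC_CALLED(ctx);
+
++ if (data_len < 1)
++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
+ if (*data == IASECC_SDO_TEMPLATE_TAG) {
+ size_size = iasecc_parse_size(data + 1, &size);
+ LOG_TEST_RET(ctx, size_size, "parse error: invalid size data of IASECC_SDO_TEMPLATE");
+
++ if (data_len - 1 < size)
++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
+ data += size_size + 1;
+ data_len = size;
+ sc_log(ctx,
+ "IASECC_SDO_TEMPLATE: size %"SC_FORMAT_LEN_SIZE_T"u, size_size %"SC_FORMAT_LEN_SIZE_T"u",
+ size, size_size);
+
++ if (data_len < 3)
++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
+ if (*data != IASECC_SDO_TAG_HEADER)
+ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+
+--
+2.34.1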
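Review bot: The first added guard in iasecc_se_parse, `if (data_len < 1)`, is weaker than the reads that follow it: the next statements dereference `*data` and then pass `data + 1` to iasecc_parse_size, which needs at least two bytes, and `data` itself is never checked for NULL. The sibling fix in iasecc_sdo_parse (CVE-2024-45620-0002.patch) uses `if (data == NULL || data_len < 2)`, and the same condition would fit here. Separately, `if (data_len - 1 < size)` compares against the bytes after the tag only, yet the pointer then advances by `size_size + 1`, so the `size_size` bytes of the length field look unaccounted for. Something like `if (data_len < 1 + size_size || data_len - 1 - size_size < size)` would close that gap, assuming `size_size` is non-negative at that point. The function body extends beyond the hunk.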
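diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
index 5e840555b0..52e29a5d92 100644
--- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
@@ -52,6 +52,9 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
  file://CVE-2024-45619-0004.patch \
  file://CVE-2024-45619-0005.patch \
  file://CVE-2024-45619-0006.patch \
+ file://CVE-2024-45620-0001.patch \
+ file://CVE-2024-45620-0002.patch \
+ file://CVE-2024-45620-0003.patch \
  "
 
 # CVE-2021-34193 is a duplicate CVE covering the 5 individual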