opensc: fix CVE-2024-45619

CVE-2024-45619: A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-45619] Upstream patches: [https://github.com/OpenSC/OpenSC/commit/f01bfbd19b9c8243a40f7f17d554fe0eb9e89d0d] [https://github.com/OpenSC/OpenSC/commit/a1d8c01c1cabd115dda8c298941d1786fb4c5c2f] [https://github.com/OpenSC/OpenSC/commit/673065630bf4aaf03c370fc791ef6a6239431214] [https://github.com/OpenSC/OpenSC/commit/e20ca25204c9c5e36f53ae92ddf017cd17d07e31] [https://github.com/OpenSC/OpenSC/commit/2b6cd52775b5448f6a993922a30c7a38d9626134] [https://github.com/OpenSC/OpenSC/commit/dd554a2e1e31e6cb75c627c653652696d61e8de8] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Zhang Peng <peng.zhang1.cn@windriver.com> 2025-01-15 15:24:27 +0800
committer: Armin Kuster <akuster808@gmail.com> 2025-01-22 19:28:53 -0500
commit: d51c6495e018725479b08968eef6436a4ec2433d (patch)
tree: ec0ef5bc17f8eb526132edec754241d1e450969c
parent: 47939c2bdc8fd068e0a47c64664bc30e60717fb3 (diff)
download: meta-openembedded-d51c6495e018725479b08968eef6436a4ec2433d.tar.gz
7 files changed, 359 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0001.patch
new file mode 100644
index 0000000000..db2d5f4d82
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0001.patch
@@ -0,0 +1,34 @@
+From f01bfbd19b9c8243a40f7f17d554fe0eb9e89d0d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Tue, 16 Jul 2024 14:22:02 +0200
+Subject: [PATCH] pkcs15-tcos: Check number of read bytes for cert
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+fuzz_pkcs11/15
+CVE: CVE-2024-45619
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/f01bfbd19b9c8243a40f7f17d554fe0eb9e89d0d]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/pkcs15-tcos.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c
+index a84001e122..4d02a98ee1 100644
+--- a/src/libopensc/pkcs15-tcos.c
+++ b/src/libopensc/pkcs15-tcos.c
+@@ -62,7 +62,8 @@ static int insert_cert(
+                        "Select(%s) failed\n", path);
+                return 1;
+        }
+-       if(sc_read_binary(card, 0, cert, sizeof(cert), 0)<0){
+       r = sc_read_binary(card, 0, cert, sizeof(cert), 0);
+       if (r <= 0){
+                sc_log(ctx, 
+                        "ReadBinary(%s) failed\n", path);
+                return 2;
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0002.patch
new file mode 100644
index 0000000000..217bb49196
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0002.patch
@@ -0,0 +1,91 @@
+From a1d8c01c1cabd115dda8c298941d1786fb4c5c2f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Wed, 17 Jul 2024 12:53:52 +0200
+Subject: [PATCH] pkcs15-tcos: Check certificate length before accessing
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+fuzz_pkcs15_encode/8
+CVE: CVE-2024-45619
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/a1d8c01c1cabd115dda8c298941d1786fb4c5c2f]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/pkcs15-tcos.c | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c
+index 2bd275c4f4..ecaa66edf2 100644
+--- a/src/libopensc/pkcs15-tcos.c
+++ b/src/libopensc/pkcs15-tcos.c
+@@ -45,6 +45,7 @@ static int insert_cert(
+        struct sc_pkcs15_cert_info cert_info;
+        struct sc_pkcs15_object cert_obj;
+        unsigned char cert[20];
+       size_t cert_len = 0;
+        int r;
+ 
+        memset(&cert_info, 0, sizeof(cert_info));
+@@ -57,25 +58,31 @@ static int insert_cert(
+        strlcpy(cert_obj.label, label, sizeof(cert_obj.label));
+        cert_obj.flags = writable ? SC_PKCS15_CO_FLAG_MODIFIABLE : 0;
+ 
+-       if(sc_select_file(card, &cert_info.path, NULL)!=SC_SUCCESS){
+-               sc_log(ctx, 
+-                       "Select(%s) failed\n", path);
+       if (sc_select_file(card, &cert_info.path, NULL) != SC_SUCCESS) {
+               sc_log(ctx, "Select(%s) failed", path);
+                return 1;
+        }
+        r = sc_read_binary(card, 0, cert, sizeof(cert), 0);
+-       if (r <= 0){
+-               sc_log(ctx, 
+-                       "ReadBinary(%s) failed\n", path);
+       if (r <= 0) {
+               sc_log(ctx, "ReadBinary(%s) failed\n", path);
+                return 2;
+        }
+-       if(cert[0]!=0x30 || cert[1]!=0x82){
+-               sc_log(ctx, 
+-                       "Invalid Cert: %02X:%02X:...\n", cert[0], cert[1]);
+       cert_len = r; /* actual number of read bytes */
+       if (cert_len < 7 || (size_t)(7 + cert[5]) > cert_len) {
+               sc_log(ctx, "Invalid certificate length");
+               return 3;
+       }
+       if (cert[0] != 0x30 || cert[1] != 0x82) {
+               sc_log(ctx, "Invalid Cert: %02X:%02X:...\n", cert[0], cert[1]);
+                return 3;
+        }
+ 
+        /* some certificates are prefixed by an OID */
+-       if(cert[4]==0x06 && cert[5]<10 && cert[6+cert[5]]==0x30 && cert[7+cert[5]]==0x82){
+       if (cert[4] == 0x06 && cert[5] < 10 && cert[6 + cert[5]] == 0x30 && cert[7 + cert[5]] == 0x82) {
+               if ((size_t)(9 + cert[5]) > cert_len) {
+                       sc_log(ctx, "Invalid certificate length");
+                       return 3;
+               }
+                cert_info.path.index=6+cert[5];
+                cert_info.path.count=(cert[8+cert[5]]<<8) + cert[9+cert[5]] + 4;
+        } else {
+@@ -83,12 +90,12 @@ static int insert_cert(
+                cert_info.path.count=(cert[2]<<8) + cert[3] + 4;
+        }
+ 
+-       r=sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info);
+-       if(r!=SC_SUCCESS){
+-               sc_log(ctx,  "sc_pkcs15emu_add_x509_cert(%s) failed\n", path);
+       r = sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info);
+       if (r != SC_SUCCESS) {
+               sc_log(ctx, "sc_pkcs15emu_add_x509_cert(%s) failed", path);
+                return 4;
+        }
+-       sc_log(ctx,  "%s: OK, Index=%d, Count=%d\n", path, cert_info.path.index, cert_info.path.count);
+       sc_log(ctx, "%s: OK, Index=%d, Count=%d", path, cert_info.path.index, cert_info.path.count);
+        return 0;
+ }
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0003.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0003.patch
new file mode 100644
index 0000000000..9775bf8fbb
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0003.patch
@@ -0,0 +1,83 @@
+From 673065630bf4aaf03c370fc791ef6a6239431214 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Wed, 17 Jul 2024 09:15:43 +0200
+Subject: [PATCH] pkcs15-gemsafeV1: Check length of buffer for object
+Number of actually read bytes may differ from
+the stated object length.
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+fuzz_pkcs15_crypt/15
+CVE: CVE-2024-45619
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/673065630bf4aaf03c370fc791ef6a6239431214]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/pkcs15-gemsafeV1.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+diff --git a/src/libopensc/pkcs15-gemsafeV1.c b/src/libopensc/pkcs15-gemsafeV1.c
+index add4c3e68..46cc420bf 100644
+--- a/src/libopensc/pkcs15-gemsafeV1.c
+++ b/src/libopensc/pkcs15-gemsafeV1.c
+@@ -168,6 +168,7 @@ static int gemsafe_get_cert_len(sc_card_t *card)
+        struct sc_file *file;
+        size_t objlen, certlen;
+        unsigned int ind, i=0;
+       int read_len;
+ 
+        sc_format_path(GEMSAFE_PATH, &path);
+        r = sc_select_file(card, &path, &file);
+@@ -176,9 +177,11 @@ static int gemsafe_get_cert_len(sc_card_t *card)
+        sc_file_free(file);
+ 
+        /* Initial read */
+-       r = sc_read_binary(card, 0, ibuf, GEMSAFE_READ_QUANTUM, 0);
+-       if (r < 0)
+       read_len = sc_read_binary(card, 0, ibuf, GEMSAFE_READ_QUANTUM, 0);
+       if (read_len <= 2) {
+               sc_log(card->ctx, "Invalid size of object data: %d", read_len);
+                return SC_ERROR_INTERNAL;
+       }
+ 
+        /* Actual stored object size is encoded in first 2 bytes
+         * (allocated EF space is much greater!)
+@@ -207,7 +210,7 @@ static int gemsafe_get_cert_len(sc_card_t *card)
+         * the private key.
+         */
+        ind = 2; /* skip length */
+-       while (ibuf[ind] == 0x01 && i < gemsafe_cert_max) {
+       while (ind + 1 < (size_t)read_len && ibuf[ind] == 0x01 && i < gemsafe_cert_max) {
+                if (ibuf[ind+1] == 0xFE) {
+                        gemsafe_prkeys[i].ref = ibuf[ind+4];
+                        sc_log(card->ctx, "Key container %d is allocated and uses key_ref %d",
+@@ -234,7 +237,7 @@ static int gemsafe_get_cert_len(sc_card_t *card)
+        /* Read entire file, then dissect in memory.
+         * Gemalto ClassicClient seems to do it the same way.
+         */
+-       iptr = ibuf + GEMSAFE_READ_QUANTUM;
+       iptr = ibuf + read_len;
+        while ((size_t)(iptr - ibuf) < objlen) {
+                r = sc_read_binary(card, iptr - ibuf, iptr,
+                                   MIN(GEMSAFE_READ_QUANTUM, objlen - (iptr - ibuf)), 0);
+@@ -242,7 +245,14 @@ static int gemsafe_get_cert_len(sc_card_t *card)
+                        sc_log(card->ctx, "Could not read cert object");
+                        return SC_ERROR_INTERNAL;
+                }
+-               iptr += GEMSAFE_READ_QUANTUM;
+               if (r == 0)
+                       break;
+               read_len += r;
+               iptr += r;
+       }
+       if ((size_t)read_len < objlen) {
+               sc_log(card->ctx, "Could not read cert object");
+               return SC_ERROR_INTERNAL;
+        }
+ 
+        /* Search buffer for certificates, they start with 0x3082. */
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0004.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0004.patch
new file mode 100644
index 0000000000..68c8e609a5
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0004.patch
@@ -0,0 +1,49 @@
+From e20ca25204c9c5e36f53ae92ddf017cd17d07e31 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Thu, 18 Jul 2024 10:16:39 +0200
+Subject: [PATCH] pkcs15-setcos: Check length of generated key
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+fuzz_pkcs15init/26
+CVE: CVE-2024-45619
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/e20ca25204c9c5e36f53ae92ddf017cd17d07e31]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/pkcs15init/pkcs15-setcos.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/src/pkcs15init/pkcs15-setcos.c b/src/pkcs15init/pkcs15-setcos.c
+index bfee78cd6..57d5e83bf 100644
+--- a/src/pkcs15init/pkcs15-setcos.c
+++ b/src/pkcs15init/pkcs15-setcos.c
+@@ -498,6 +498,9 @@ setcos_generate_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
+                r = sc_card_ctl(p15card->card, SC_CARDCTL_SETCOS_GETDATA, &data_obj);
+                LOG_TEST_RET(ctx, r, "Cannot get key modulus: 'SETCOS_GETDATA' failed");
+ 
+               if (data_obj.DataLen < 3 || data_obj.DataLen < pubkey->u.rsa.modulus.len)
+                       LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Cannot get key modulus: wrong length of raw key");
+
+                keybits = ((raw_pubkey[0] * 256) + raw_pubkey[1]);  /* modulus bit length */
+                if (keybits != key_info->modulus_length)  {
+                        sc_log(ctx, 
+@@ -505,10 +508,11 @@ setcos_generate_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
+                                 keybits, key_info->modulus_length);
+                        LOG_TEST_RET(ctx, SC_ERROR_PKCS15INIT, "Failed to generate key");
+                }
+-               memcpy (pubkey->u.rsa.modulus.data, &raw_pubkey[2], pubkey->u.rsa.modulus.len);
+               memcpy(pubkey->u.rsa.modulus.data, &raw_pubkey[2], pubkey->u.rsa.modulus.len);
+       } else {
+               sc_file_free(file);
+        }
+ 
+-       sc_file_free(file);
+        return r;
+ }
+ 
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0005.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0005.patch
new file mode 100644
index 0000000000..88564e2995
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0005.patch
@@ -0,0 +1,33 @@
+From 2b6cd52775b5448f6a993922a30c7a38d9626134 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Thu, 18 Jul 2024 11:38:25 +0200
+Subject: [PATCH] pkcs15-sc-hsm: Properly check length of file list
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+fuzz_pkcs15init/8
+CVE: CVE-2024-45619
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/2b6cd52775b5448f6a993922a30c7a38d9626134]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/pkcs15init/pkcs15-sc-hsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/pkcs15init/pkcs15-sc-hsm.c b/src/pkcs15init/pkcs15-sc-hsm.c
+index 71f96cfc56..db1a2b518f 100644
+--- a/src/pkcs15init/pkcs15-sc-hsm.c
+++ b/src/pkcs15init/pkcs15-sc-hsm.c
+@@ -140,7 +140,7 @@ static int sc_hsm_determine_free_id(struct sc_pkcs15_card *p15card, u8 range)
+        LOG_TEST_RET(card->ctx, filelistlength, "Could not enumerate file and key identifier");
+ 
+        for (j = 0; j < 256; j++) {
+-               for (i = 0; i < filelistlength; i += 2) {
+               for (i = 0; i + 1 < filelistlength; i += 2) {
+                        if ((filelist[i] == range) && (filelist[i + 1] == j)) {
+                                break;
+                        }
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0006.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0006.patch
new file mode 100644
index 0000000000..4e45cc7574
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0006.patch
@@ -0,0 +1,63 @@
+From dd554a2e1e31e6cb75c627c653652696d61e8de8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Thu, 18 Jul 2024 12:33:31 +0200
+Subject: [PATCH] card-coolkey: Check length of buffer before conversion
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+fuzz_pkcs15_reader/3
+CVE: CVE-2024-45619
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/dd554a2e1e31e6cb75c627c653652696d61e8de8]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/card-coolkey.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+diff --git a/src/libopensc/card-coolkey.c b/src/libopensc/card-coolkey.c
+index ff3ffd9a7..e0a5ae774 100644
+--- a/src/libopensc/card-coolkey.c
+++ b/src/libopensc/card-coolkey.c
+@@ -1684,6 +1684,7 @@ static int coolkey_rsa_op(sc_card_t *card, const u8 * data, size_t datalen,
+        u8 key_number;
+        size_t params_len;
+        u8 buf[MAX_COMPUTE_BUF + 2];
+       size_t buf_len;
+        u8 *buf_out;
+ 
+        SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+@@ -1724,8 +1725,6 @@ static int coolkey_rsa_op(sc_card_t *card, const u8 * data, size_t datalen,
+                ushort2bebytes(params.init.buf_len, 0);
+        } else {
+                /* The data fits in APDU. Copy it to the params object */
+-               size_t buf_len;
+-
+                params.init.location = COOLKEY_CRYPT_LOCATION_APDU;
+ 
+                params_len = sizeof(params.init) + datalen;
+@@ -1745,6 +1744,7 @@ static int coolkey_rsa_op(sc_card_t *card, const u8 * data, size_t datalen,
+        if (r < 0) {
+                goto done;
+        }
+       buf_len = crypt_out_len_p;
+ 
+        if (datalen > MAX_COMPUTE_BUF) {
+                u8 len_buf[2];
+@@ -1763,7 +1763,12 @@ static int coolkey_rsa_op(sc_card_t *card, const u8 * data, size_t datalen,
+                                        priv->nonce, sizeof(priv->nonce));
+ 
+        } else {
+-               size_t out_length = bebytes2ushort(buf);
+               size_t out_length;
+               if (buf_len < 2) {
+                       r = SC_ERROR_WRONG_LENGTH;
+                       goto done;
+               }
+               out_length = bebytes2ushort(buf);
+                if (out_length > sizeof buf - 2) {
+                        r = SC_ERROR_WRONG_LENGTH;
+                        goto done;
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
index 641d6a807f..5e840555b0 100644
--- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
@@ -46,6 +46,12 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
           file://CVE-2024-45617-0003.patch \
           file://CVE-2024-45618-0001.patch \
           file://CVE-2024-45618-0002.patch \
+           file://CVE-2024-45619-0001.patch \
+           file://CVE-2024-45619-0002.patch \
+           file://CVE-2024-45619-0003.patch \
+           file://CVE-2024-45619-0004.patch \
+           file://CVE-2024-45619-0005.patch \
+           file://CVE-2024-45619-0006.patch \
          "
 # CVE-2021-34193 is a duplicate CVE covering the 5 individual
author	Zhang Peng <peng.zhang1.cn@windriver.com>	2025-01-15 15:24:27 +0800
committer	Armin Kuster <akuster808@gmail.com>	2025-01-22 19:28:53 -0500
commit	d51c6495e018725479b08968eef6436a4ec2433d (patch)
tree	ec0ef5bc17f8eb526132edec754241d1e450969c
parent	47939c2bdc8fd068e0a47c64664bc30e60717fb3 (diff)
download	meta-openembedded-d51c6495e018725479b08968eef6436a4ec2433d.tar.gz

diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0001.patch new file mode 100644 index 0000000000..db2d5f4d82 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0001.patch
@@ -0,0 +1,34 @@
		1	From f01bfbd19b9c8243a40f7f17d554fe0eb9e89d0d Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
		3	Date: Tue, 16 Jul 2024 14:22:02 +0200
		4	Subject: [PATCH] pkcs15-tcos: Check number of read bytes for cert
		5
		6	Thanks Matteo Marini for report
		7	https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
		8
		9	fuzz_pkcs11/15
		10
		11	CVE: CVE-2024-45619
		12	Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/f01bfbd19b9c8243a40f7f17d554fe0eb9e89d0d]
		13
		14	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		15	---
		16	src/libopensc/pkcs15-tcos.c \| 3 ++-
		17	1 file changed, 2 insertions(+), 1 deletion(-)
		18
		19	diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c
		20	index a84001e122..4d02a98ee1 100644
		21	--- a/src/libopensc/pkcs15-tcos.c
		22	+++ b/src/libopensc/pkcs15-tcos.c
		23	@@ -62,7 +62,8 @@ static int insert_cert(
		24	"Select(%s) failed\n", path);
		25	return 1;
		26	}
		27	- if(sc_read_binary(card, 0, cert, sizeof(cert), 0)<0){
		28	+ r = sc_read_binary(card, 0, cert, sizeof(cert), 0);
		29	+ if (r <= 0){
		30	sc_log(ctx,
		31	"ReadBinary(%s) failed\n", path);
		32	return 2;
		33	--
		34	2.34.1


diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0002.patch new file mode 100644 index 0000000000..217bb49196 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0002.patch
@@ -0,0 +1,91 @@
		1	From a1d8c01c1cabd115dda8c298941d1786fb4c5c2f Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
		3	Date: Wed, 17 Jul 2024 12:53:52 +0200
		4	Subject: [PATCH] pkcs15-tcos: Check certificate length before accessing
		5
		6	Thanks Matteo Marini for report
		7	https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
		8
		9	fuzz_pkcs15_encode/8
		10
		11	CVE: CVE-2024-45619
		12	Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/a1d8c01c1cabd115dda8c298941d1786fb4c5c2f]
		13
		14	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		15	---
		16	src/libopensc/pkcs15-tcos.c \| 35 +++++++++++++++++++++--------------
		17	1 file changed, 21 insertions(+), 14 deletions(-)
		18
		19	diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c
		20	index 2bd275c4f4..ecaa66edf2 100644
		21	--- a/src/libopensc/pkcs15-tcos.c
		22	+++ b/src/libopensc/pkcs15-tcos.c
		23	@@ -45,6 +45,7 @@ static int insert_cert(
		24	struct sc_pkcs15_cert_info cert_info;
		25	struct sc_pkcs15_object cert_obj;
		26	unsigned char cert[20];
		27	+ size_t cert_len = 0;
		28	int r;
		29
		30	memset(&cert_info, 0, sizeof(cert_info));
		31	@@ -57,25 +58,31 @@ static int insert_cert(
		32	strlcpy(cert_obj.label, label, sizeof(cert_obj.label));
		33	cert_obj.flags = writable ? SC_PKCS15_CO_FLAG_MODIFIABLE : 0;
		34
		35	- if(sc_select_file(card, &cert_info.path, NULL)!=SC_SUCCESS){
		36	- sc_log(ctx,
		37	- "Select(%s) failed\n", path);
		38	+ if (sc_select_file(card, &cert_info.path, NULL) != SC_SUCCESS) {
		39	+ sc_log(ctx, "Select(%s) failed", path);
		40	return 1;
		41	}
		42	r = sc_read_binary(card, 0, cert, sizeof(cert), 0);
		43	- if (r <= 0){
		44	- sc_log(ctx,
		45	- "ReadBinary(%s) failed\n", path);
		46	+ if (r <= 0) {
		47	+ sc_log(ctx, "ReadBinary(%s) failed\n", path);
		48	return 2;
		49	}
		50	- if(cert[0]!=0x30 \|\| cert[1]!=0x82){
		51	- sc_log(ctx,
		52	- "Invalid Cert: %02X:%02X:...\n", cert[0], cert[1]);
		53	+ cert_len = r; /* actual number of read bytes */
		54	+ if (cert_len < 7 \|\| (size_t)(7 + cert[5]) > cert_len) {
		55	+ sc_log(ctx, "Invalid certificate length");
		56	+ return 3;
		57	+ }
		58	+ if (cert[0] != 0x30 \|\| cert[1] != 0x82) {
		59	+ sc_log(ctx, "Invalid Cert: %02X:%02X:...\n", cert[0], cert[1]);
		60	return 3;
		61	}
		62
		63	/* some certificates are prefixed by an OID */
		64	- if(cert[4]==0x06 && cert[5]<10 && cert[6+cert[5]]==0x30 && cert[7+cert[5]]==0x82){
		65	+ if (cert[4] == 0x06 && cert[5] < 10 && cert[6 + cert[5]] == 0x30 && cert[7 + cert[5]] == 0x82) {
		66	+ if ((size_t)(9 + cert[5]) > cert_len) {
		67	+ sc_log(ctx, "Invalid certificate length");
		68	+ return 3;
		69	+ }
		70	cert_info.path.index=6+cert[5];
		71	cert_info.path.count=(cert[8+cert[5]]<<8) + cert[9+cert[5]] + 4;
		72	} else {
		73	@@ -83,12 +90,12 @@ static int insert_cert(
		74	cert_info.path.count=(cert[2]<<8) + cert[3] + 4;
		75	}
		76
		77	- r=sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info);
		78	- if(r!=SC_SUCCESS){
		79	- sc_log(ctx, "sc_pkcs15emu_add_x509_cert(%s) failed\n", path);
		80	+ r = sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info);
		81	+ if (r != SC_SUCCESS) {
		82	+ sc_log(ctx, "sc_pkcs15emu_add_x509_cert(%s) failed", path);
		83	return 4;
		84	}
		85	- sc_log(ctx, "%s: OK, Index=%d, Count=%d\n", path, cert_info.path.index, cert_info.path.count);
		86	+ sc_log(ctx, "%s: OK, Index=%d, Count=%d", path, cert_info.path.index, cert_info.path.count);
		87	return 0;
		88	}
		89
		90	--
		91	2.34.1


diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0003.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0003.patch new file mode 100644 index 0000000000..9775bf8fbb --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0003.patch
@@ -0,0 +1,83 @@
		1	From 673065630bf4aaf03c370fc791ef6a6239431214 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
		3	Date: Wed, 17 Jul 2024 09:15:43 +0200
		4	Subject: [PATCH] pkcs15-gemsafeV1: Check length of buffer for object
		5
		6	Number of actually read bytes may differ from
		7	the stated object length.
		8
		9	Thanks Matteo Marini for report
		10	https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
		11
		12	fuzz_pkcs15_crypt/15
		13
		14	CVE: CVE-2024-45619
		15	Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/673065630bf4aaf03c370fc791ef6a6239431214]
		16
		17	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		18	---
		19	src/libopensc/pkcs15-gemsafeV1.c \| 20 +++++++++++++++-----
		20	1 file changed, 15 insertions(+), 5 deletions(-)
		21
		22	diff --git a/src/libopensc/pkcs15-gemsafeV1.c b/src/libopensc/pkcs15-gemsafeV1.c
		23	index add4c3e68..46cc420bf 100644
		24	--- a/src/libopensc/pkcs15-gemsafeV1.c
		25	+++ b/src/libopensc/pkcs15-gemsafeV1.c
		26	@@ -168,6 +168,7 @@ static int gemsafe_get_cert_len(sc_card_t *card)
		27	struct sc_file *file;
		28	size_t objlen, certlen;
		29	unsigned int ind, i=0;
		30	+ int read_len;
		31
		32	sc_format_path(GEMSAFE_PATH, &path);
		33	r = sc_select_file(card, &path, &file);
		34	@@ -176,9 +177,11 @@ static int gemsafe_get_cert_len(sc_card_t *card)
		35	sc_file_free(file);
		36
		37	/* Initial read */
		38	- r = sc_read_binary(card, 0, ibuf, GEMSAFE_READ_QUANTUM, 0);
		39	- if (r < 0)
		40	+ read_len = sc_read_binary(card, 0, ibuf, GEMSAFE_READ_QUANTUM, 0);
		41	+ if (read_len <= 2) {
		42	+ sc_log(card->ctx, "Invalid size of object data: %d", read_len);
		43	return SC_ERROR_INTERNAL;
		44	+ }
		45
		46	/* Actual stored object size is encoded in first 2 bytes
		47	* (allocated EF space is much greater!)
		48	@@ -207,7 +210,7 @@ static int gemsafe_get_cert_len(sc_card_t *card)
		49	* the private key.
		50	*/
		51	ind = 2; /* skip length */
		52	- while (ibuf[ind] == 0x01 && i < gemsafe_cert_max) {
		53	+ while (ind + 1 < (size_t)read_len && ibuf[ind] == 0x01 && i < gemsafe_cert_max) {
		54	if (ibuf[ind+1] == 0xFE) {
		55	gemsafe_prkeys[i].ref = ibuf[ind+4];
		56	sc_log(card->ctx, "Key container %d is allocated and uses key_ref %d",
		57	@@ -234,7 +237,7 @@ static int gemsafe_get_cert_len(sc_card_t *card)
		58	/* Read entire file, then dissect in memory.
		59	* Gemalto ClassicClient seems to do it the same way.
		60	*/
		61	- iptr = ibuf + GEMSAFE_READ_QUANTUM;
		62	+ iptr = ibuf + read_len;
		63	while ((size_t)(iptr - ibuf) < objlen) {
		64	r = sc_read_binary(card, iptr - ibuf, iptr,
		65	MIN(GEMSAFE_READ_QUANTUM, objlen - (iptr - ibuf)), 0);
		66	@@ -242,7 +245,14 @@ static int gemsafe_get_cert_len(sc_card_t *card)
		67	sc_log(card->ctx, "Could not read cert object");
		68	return SC_ERROR_INTERNAL;
		69	}
		70	- iptr += GEMSAFE_READ_QUANTUM;
		71	+ if (r == 0)
		72	+ break;
		73	+ read_len += r;
		74	+ iptr += r;
		75	+ }
		76	+ if ((size_t)read_len < objlen) {
		77	+ sc_log(card->ctx, "Could not read cert object");
		78	+ return SC_ERROR_INTERNAL;
		79	}
		80
		81	/* Search buffer for certificates, they start with 0x3082. */
		82	--
		83	2.34.1


diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0004.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0004.patch new file mode 100644 index 0000000000..68c8e609a5 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0004.patch
@@ -0,0 +1,49 @@
		1	From e20ca25204c9c5e36f53ae92ddf017cd17d07e31 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
		3	Date: Thu, 18 Jul 2024 10:16:39 +0200
		4	Subject: [PATCH] pkcs15-setcos: Check length of generated key
		5
		6	Thanks Matteo Marini for report
		7	https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
		8
		9	fuzz_pkcs15init/26
		10
		11	CVE: CVE-2024-45619
		12	Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/e20ca25204c9c5e36f53ae92ddf017cd17d07e31]
		13
		14	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		15	---
		16	src/pkcs15init/pkcs15-setcos.c \| 5 ++++-
		17	1 file changed, 4 insertions(+), 1 deletion(-)
		18
		19
		20	diff --git a/src/pkcs15init/pkcs15-setcos.c b/src/pkcs15init/pkcs15-setcos.c
		21	index bfee78cd6..57d5e83bf 100644
		22	--- a/src/pkcs15init/pkcs15-setcos.c
		23	+++ b/src/pkcs15init/pkcs15-setcos.c
		24	@@ -498,6 +498,9 @@ setcos_generate_key(struct sc_profile profile, struct sc_pkcs15_card p15card,
		25	r = sc_card_ctl(p15card->card, SC_CARDCTL_SETCOS_GETDATA, &data_obj);
		26	LOG_TEST_RET(ctx, r, "Cannot get key modulus: 'SETCOS_GETDATA' failed");
		27
		28	+ if (data_obj.DataLen < 3 \|\| data_obj.DataLen < pubkey->u.rsa.modulus.len)
		29	+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Cannot get key modulus: wrong length of raw key");
		30	+
		31	keybits = ((raw_pubkey[0] * 256) + raw_pubkey[1]); /* modulus bit length */
		32	if (keybits != key_info->modulus_length) {
		33	sc_log(ctx,
		34	@@ -505,10 +508,11 @@ setcos_generate_key(struct sc_profile profile, struct sc_pkcs15_card p15card,
		35	keybits, key_info->modulus_length);
		36	LOG_TEST_RET(ctx, SC_ERROR_PKCS15INIT, "Failed to generate key");
		37	}
		38	- memcpy (pubkey->u.rsa.modulus.data, &raw_pubkey[2], pubkey->u.rsa.modulus.len);
		39	+ memcpy(pubkey->u.rsa.modulus.data, &raw_pubkey[2], pubkey->u.rsa.modulus.len);
		40	+ } else {
		41	+ sc_file_free(file);
		42	}
		43
		44	- sc_file_free(file);
		45	return r;
		46	}
		47
		48	--
		49	2.34.1


diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0005.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0005.patch new file mode 100644 index 0000000000..88564e2995 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0005.patch
@@ -0,0 +1,33 @@
		1	From 2b6cd52775b5448f6a993922a30c7a38d9626134 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
		3	Date: Thu, 18 Jul 2024 11:38:25 +0200
		4	Subject: [PATCH] pkcs15-sc-hsm: Properly check length of file list
		5
		6	Thanks Matteo Marini for report
		7	https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
		8
		9	fuzz_pkcs15init/8
		10
		11	CVE: CVE-2024-45619
		12	Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/2b6cd52775b5448f6a993922a30c7a38d9626134]
		13
		14	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		15	---
		16	src/pkcs15init/pkcs15-sc-hsm.c \| 2 +-
		17	1 file changed, 1 insertion(+), 1 deletion(-)
		18
		19	diff --git a/src/pkcs15init/pkcs15-sc-hsm.c b/src/pkcs15init/pkcs15-sc-hsm.c
		20	index 71f96cfc56..db1a2b518f 100644
		21	--- a/src/pkcs15init/pkcs15-sc-hsm.c
		22	+++ b/src/pkcs15init/pkcs15-sc-hsm.c
		23	@@ -140,7 +140,7 @@ static int sc_hsm_determine_free_id(struct sc_pkcs15_card *p15card, u8 range)
		24	LOG_TEST_RET(card->ctx, filelistlength, "Could not enumerate file and key identifier");
		25
		26	for (j = 0; j < 256; j++) {
		27	- for (i = 0; i < filelistlength; i += 2) {
		28	+ for (i = 0; i + 1 < filelistlength; i += 2) {
		29	if ((filelist[i] == range) && (filelist[i + 1] == j)) {
		30	break;
		31	}
		32	--
		33	2.34.1


diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0006.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0006.patch new file mode 100644 index 0000000000..4e45cc7574 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0006.patch
@@ -0,0 +1,63 @@
		1	From dd554a2e1e31e6cb75c627c653652696d61e8de8 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
		3	Date: Thu, 18 Jul 2024 12:33:31 +0200
		4	Subject: [PATCH] card-coolkey: Check length of buffer before conversion
		5
		6	Thanks Matteo Marini for report
		7	https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
		8
		9	fuzz_pkcs15_reader/3
		10
		11	CVE: CVE-2024-45619
		12	Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/dd554a2e1e31e6cb75c627c653652696d61e8de8]
		13
		14	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		15	---
		16	src/libopensc/card-coolkey.c \| 11 ++++++++---
		17	1 file changed, 8 insertions(+), 3 deletions(-)
		18
		19	diff --git a/src/libopensc/card-coolkey.c b/src/libopensc/card-coolkey.c
		20	index ff3ffd9a7..e0a5ae774 100644
		21	--- a/src/libopensc/card-coolkey.c
		22	+++ b/src/libopensc/card-coolkey.c
		23	@@ -1684,6 +1684,7 @@ static int coolkey_rsa_op(sc_card_t card, const u8 data, size_t datalen,
		24	u8 key_number;
		25	size_t params_len;
		26	u8 buf[MAX_COMPUTE_BUF + 2];
		27	+ size_t buf_len;
		28	u8 *buf_out;
		29
		30	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
		31	@@ -1724,8 +1725,6 @@ static int coolkey_rsa_op(sc_card_t card, const u8 data, size_t datalen,
		32	ushort2bebytes(params.init.buf_len, 0);
		33	} else {
		34	/* The data fits in APDU. Copy it to the params object */
		35	- size_t buf_len;
		36	-
		37	params.init.location = COOLKEY_CRYPT_LOCATION_APDU;
		38
		39	params_len = sizeof(params.init) + datalen;
		40	@@ -1745,6 +1744,7 @@ static int coolkey_rsa_op(sc_card_t card, const u8 data, size_t datalen,
		41	if (r < 0) {
		42	goto done;
		43	}
		44	+ buf_len = crypt_out_len_p;
		45
		46	if (datalen > MAX_COMPUTE_BUF) {
		47	u8 len_buf[2];
		48	@@ -1763,7 +1763,12 @@ static int coolkey_rsa_op(sc_card_t card, const u8 data, size_t datalen,
		49	priv->nonce, sizeof(priv->nonce));
		50
		51	} else {
		52	- size_t out_length = bebytes2ushort(buf);
		53	+ size_t out_length;
		54	+ if (buf_len < 2) {
		55	+ r = SC_ERROR_WRONG_LENGTH;
		56	+ goto done;
		57	+ }
		58	+ out_length = bebytes2ushort(buf);
		59	if (out_length > sizeof buf - 2) {
		60	r = SC_ERROR_WRONG_LENGTH;
		61	goto done;
		62	--
		63	2.34.1


diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb index 641d6a807f..5e840555b0 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
@@ -46,6 +46,12 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
46	file://CVE-2024-45617-0003.patch \	46	file://CVE-2024-45617-0003.patch \
47	file://CVE-2024-45618-0001.patch \	47	file://CVE-2024-45618-0001.patch \
48	file://CVE-2024-45618-0002.patch \	48	file://CVE-2024-45618-0002.patch \
		49	file://CVE-2024-45619-0001.patch \
		50	file://CVE-2024-45619-0002.patch \
		51	file://CVE-2024-45619-0003.patch \
		52	file://CVE-2024-45619-0004.patch \
		53	file://CVE-2024-45619-0005.patch \
		54	file://CVE-2024-45619-0006.patch \
49	"	55	"
50		56
51	# CVE-2021-34193 is a duplicate CVE covering the 5 individual	57	# CVE-2021-34193 is a duplicate CVE covering the 5 individual