author | Zhang Peng <peng.zhang1.cn@windriver.com> | 2025-01-16 21:45:01 +0800 |
committer | Armin Kuster <akuster808@gmail.com> | 2025-01-20 19:45:27 -0500 |
commit | f8840edf8c474ea410744f92624da66dcac9e816 (patch) | |
tree | 7ef3ab08dff92e605201903134e5c6f7796dfdcf | |
parent | c4d91d1673023ab0a6f445822c506672969e5f81 (diff) | |
opensc: fix CVE-2024-8443
CVE-2024-8443:
The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable
to Stored Cross-Site Scripting via the ‘themehunk_megamenu_bg_image' parameter in all
versions up to, and including, 1.1.0 due to insufficient input sanitization and output
escaping. This makes it possible for authenticated attackers, with subscriber-level
access and above, to inject arbitrary web scripts in pages that will execute whenever
a user accesses an injected page. Please note that this was partially fixed in 1.1.0
due to the missing authorization protection that was added.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-8433]
Upstream patches:
[https://github.com/OpenSC/OpenSC/commit/02e847458369c08421fd2d5e9a16a5f272c2de9e]
[https://github.com/OpenSC/OpenSC/commit/b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
3 files changed, 117 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0001.patch new file mode 100644 index 0000000000..7d80aba769 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0001.patch | |||
@@ -0,0 +1,60 @@ | |||
1 | From b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc Mon Sep 17 00:00:00 2001 | ||
2 | From: Jakub Jelen <jjelen@redhat.com> | ||
3 | Date: Mon, 12 Aug 2024 19:02:14 +0200 | ||
4 | Subject: [PATCH] openpgp: Do not accept non-matching key responses | ||
5 | |||
6 | When generating RSA key pair using PKCS#15 init, the driver could accept | ||
7 | responses relevant to ECC keys, which made further processing in the | ||
8 | pkcs15-init failing/accessing invalid parts of structures. | ||
9 | |||
10 | Thanks oss-fuzz! | ||
11 | |||
12 | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=71010 | ||
13 | |||
14 | Signed-off-by: Jakub Jelen <jjelen@redhat.com> | ||
15 | |||
16 | CVE: CVE-2024-8443 | ||
17 | Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc] | ||
18 | |||
19 | Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> | ||
20 | --- | ||
21 | src/libopensc/card-openpgp.c | 10 ++++++++++ | ||
22 | 1 file changed, 10 insertions(+) | ||
23 | |||
24 | diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c | ||
25 | index fad32f0ce..f99ec0db9 100644 | ||
26 | --- a/src/libopensc/card-openpgp.c | ||
27 | +++ b/src/libopensc/card-openpgp.c | ||
28 | @@ -2877,6 +2877,9 @@ pgp_parse_and_set_pubkey_output(sc_card_t *card, u8* data, size_t data_len, | ||
29 | |||
30 | /* RSA modulus */ | ||
31 | if (tag == 0x0081) { | ||
32 | + if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA) { | ||
33 | + LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED); | ||
34 | + } | ||
35 | if ((BYTES4BITS(key_info->u.rsa.modulus_len) < len) /* modulus_len is in bits */ | ||
36 | || key_info->u.rsa.modulus == NULL) { | ||
37 | |||
38 | @@ -2892,6 +2895,9 @@ pgp_parse_and_set_pubkey_output(sc_card_t *card, u8* data, size_t data_len, | ||
39 | } | ||
40 | /* RSA public exponent */ | ||
41 | else if (tag == 0x0082) { | ||
42 | + if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA) { | ||
43 | + LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED); | ||
44 | + } | ||
45 | if ((BYTES4BITS(key_info->u.rsa.exponent_len) < len) /* exponent_len is in bits */ | ||
46 | || key_info->u.rsa.exponent == NULL) { | ||
47 | |||
48 | @@ -2907,6 +2913,10 @@ pgp_parse_and_set_pubkey_output(sc_card_t *card, u8* data, size_t data_len, | ||
49 | } | ||
50 | /* ECC public key */ | ||
51 | else if (tag == 0x0086) { | ||
52 | + if (key_info->algorithm != SC_OPENPGP_KEYALGO_ECDSA && | ||
53 | + key_info->algorithm != SC_OPENPGP_KEYALGO_ECDH) { | ||
54 | + LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED); | ||
55 | + } | ||
56 | /* set the output data */ | ||
57 | /* len is ecpoint length + format byte | ||
58 | * see section 7.2.14 of 3.3.1 specs */ | ||
59 | -- | ||
60 | 2.34.1 | ||
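Review bot: The 0x0086 guard (patch lines 52–55) admits only SC_OPENPGP_KEYALGO_ECDSA and SC_OPENPGP_KEYALGO_ECDH, so if this driver version can also generate EdDSA keys whose public point comes back under the same tag, that response would now be rejected with SC_ERROR_UNKNOWN_DATA_RECEIVED; worth confirming against the algorithm enum in card-openpgp.h before merging the backport. The RSA guards on 0x0081 and 0x0082 are the right fix for the union confusion described in the subject, since `key_info->u.rsa` is only meaningful when `key_info->algorithm` is RSA. pgp_parse_and_set_pubkey_output begins and ends outside these hunks, so it is not visible whether a rejected response leaves partially filled `key_info->u` fields for the caller to clean up. A one-line comment above the first guard, such as `/* the tag must match the algorithm requested, otherwise u.rsa / u.ec would be read through the wrong union member */`, would record why the check is needed.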
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0002.patch new file mode 100644 index 0000000000..30a7e63a72 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0002.patch | |||
@@ -0,0 +1,55 @@ | |||
1 | From 02e847458369c08421fd2d5e9a16a5f272c2de9e Mon Sep 17 00:00:00 2001 | ||
2 | From: Jakub Jelen <jjelen@redhat.com> | ||
3 | Date: Thu, 15 Aug 2024 11:13:47 +0200 | ||
4 | Subject: [PATCH] openpgp: Avoid buffer overflow when writing fingerprint | ||
5 | |||
6 | Fix also surrounding code to return error (not just log it) | ||
7 | when some step fails. | ||
8 | |||
9 | Thanks oss-fuzz | ||
10 | |||
11 | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=70933 | ||
12 | |||
13 | Signed-off-by: Jakub Jelen <jjelen@redhat.com> | ||
14 | |||
15 | CVE: CVE-2024-8443 | ||
16 | Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/02e847458369c08421fd2d5e9a16a5f272c2de9e] | ||
17 | |||
18 | Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> | ||
19 | --- | ||
20 | src/libopensc/card-openpgp.c | 17 ++++++++++++----- | ||
21 | 1 file changed, 12 insertions(+), 5 deletions(-) | ||
22 | |||
23 | diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c | ||
24 | index f99ec0db9..3957440de 100644 | ||
25 | --- a/src/libopensc/card-openpgp.c | ||
26 | +++ b/src/libopensc/card-openpgp.c | ||
27 | @@ -2756,14 +2756,21 @@ pgp_calculate_and_store_fingerprint(sc_card_t *card, time_t ctime, | ||
28 | /* update the blob containing fingerprints (00C5) */ | ||
29 | sc_log(card->ctx, "Updating fingerprint blob 00C5."); | ||
30 | fpseq_blob = pgp_find_blob(card, 0x00C5); | ||
31 | - if (fpseq_blob == NULL) | ||
32 | - LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY, "Cannot find blob 00C5"); | ||
33 | + if (fpseq_blob == NULL) { | ||
34 | + r = SC_ERROR_OUT_OF_MEMORY; | ||
35 | + LOG_TEST_GOTO_ERR(card->ctx, r, "Cannot find blob 00C5"); | ||
36 | + } | ||
37 | + if (20 * key_info->key_id > fpseq_blob->len) { | ||
38 | + r = SC_ERROR_OBJECT_NOT_VALID; | ||
39 | + LOG_TEST_GOTO_ERR(card->ctx, r, "The 00C5 blob is not large enough"); | ||
40 | + } | ||
41 | |||
42 | /* save the fingerprints sequence */ | ||
43 | newdata = malloc(fpseq_blob->len); | ||
44 | - if (newdata == NULL) | ||
45 | - LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY, | ||
46 | - "Not enough memory to update fingerprint blob 00C5"); | ||
47 | + if (newdata == NULL) { | ||
48 | + r = SC_ERROR_OUT_OF_MEMORY; | ||
49 | + LOG_TEST_GOTO_ERR(card->ctx, r, "Not enough memory to update fingerprint blob 00C5"); | ||
50 | + } | ||
51 | |||
52 | memcpy(newdata, fpseq_blob->data, fpseq_blob->len); | ||
53 | /* move p to the portion holding the fingerprint of the current key */ | ||
54 | -- | ||
55 | 2.34.1 | ||
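Review bot: The new bound `20 * key_info->key_id > fpseq_blob->len` (patch lines 37–40) only rejects a key_id that runs past the end of the blob; it relies on key_id being 1-based and on the offset computed right after the hunk ("move p to the portion holding the fingerprint of the current key") being derived from it, and neither that arithmetic nor a lower bound on key_id is visible here, so a key_id of 0 would pass this check — confirm it is rejected earlier in the driver. The literal 20 is the fingerprint length and presumably appears again in that offset computation; a named constant (a constructed example: `enum { OPENPGP_FP_LEN = 20 };`, or the driver's own constant if one exists) would keep the two in step. Reporting a missing 00C5 blob as SC_ERROR_OUT_OF_MEMORY is pre-existing, but since the line is rewritten anyway, SC_ERROR_OBJECT_NOT_FOUND would describe the failure more accurately to callers. pgp_calculate_and_store_fingerprint starts and ends outside the hunk.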
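--- a/meta-oe/recipes-support/opensc/opensc_0.25.1.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.25.1.bb
@@ -15,6 +15,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=cb8aedd3bced19bd8026d96a8b6876d7"
 SRCREV = "0a4b772d6fdab9bfaaa3123775a48a7cb6c5e7c6"
 SRC_URI = "git://github.com/OpenSC/OpenSC;branch=stable-0.25;protocol=https \
 file://0001-PR-Fixes-for-uninitialized-memory-issues.patch \
+file://CVE-2024-8443-0001.patch \
+file://CVE-2024-8443-0002.patch \
 "
 DEPENDS = "virtual/libiconv openssl"
 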
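Review bot: The commit message that documents these two SRC_URI additions describes the wrong vulnerability: lines 10–17 quote an NVD text about a WordPress plugin stored-XSS and the reference on line 19 points at CVE-2024-8433, whereas the patches being added (their CVE: trailers and the upstream OpenSC commits linked on lines 21–22) address CVE-2024-8443 in the OpenPGP card driver. The description should be replaced with the CVE-2024-8443 summary and the link corrected to `https://nvd.nist.gov/vuln/detail/CVE-2024-8443`, so CVE-tracking tooling and readers of the log are not misled. The recipe change itself is fine; the patch files are listed in the order the upstream commits were applied (b28a3ce before 02e8474), which matches the index lines inside them (fad32f0ce → f99ec0db9 → 3957440de) even though the commit message lists the upstream commits in the opposite order.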