From c028b3652715600a0bed43314c4f1b53d7e0181e Mon Sep 17 00:00:00 2001
From: Zhang Peng
Date: Wed, 15 Jan 2025 15:24:28 +0800
Subject: opensc: fix CVE-2024-45620

CVE-2024-45620: A vulnerability was found in the pkcs15-init tool in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.

Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-45620]

Upstream patches:
[https://github.com/OpenSC/OpenSC/commit/a1bcc6516f43d570899820d259b71c53f8049168]
[https://github.com/OpenSC/OpenSC/commit/6baa19596598169d652659863470a60c5ed79ecd]
[https://github.com/OpenSC/OpenSC/commit/468a314d76b26f724a551f2eb339dd17c856cf18]

Signed-off-by: Zhang Peng
Signed-off-by: Armin Kuster
---
 .../opensc/files/CVE-2024-45620-0001.patch | 42 ++++++++++++++++++
 .../opensc/files/CVE-2024-45620-0002.patch | 34 +++++++++++++++
 .../opensc/files/CVE-2024-45620-0003.patch | 50 ++++++++++++++++++++++
 meta-oe/recipes-support/opensc/opensc_0.22.0.bb | 3 ++
 4 files changed, 129 insertions(+)
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45620-0001.patch
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45620-0002.patch
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45620-0003.patch

diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0001.patch
new file mode 100644
index 0000000000..bacf75960b
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0001.patch
@@ -0,0 +1,42 @@
+From a1bcc6516f43d570899820d259b71c53f8049168 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?=
+Date: Thu, 18 Jul 2024 09:23:20 +0200
+Subject: [PATCH] pkcs15-starcos: Check length of file to be non-zero
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15init/20
+
+CVE: CVE-2024-45620
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/a1bcc6516f43d570899820d259b71c53f8049168]
+
+Signed-off-by: Zhang Peng
+---
+ src/pkcs15init/pkcs15-starcos.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/pkcs15init/pkcs15-starcos.c b/src/pkcs15init/pkcs15-starcos.c
+index bde7413a46..267ad2b04a 100644
+--- a/src/pkcs15init/pkcs15-starcos.c
++++ b/src/pkcs15init/pkcs15-starcos.c
+@@ -670,6 +670,8 @@ static int starcos_write_pukey(sc_profile_t *profile, sc_card_t *card,
+ return r;
+ len = tfile->size;
+ sc_file_free(tfile);
++ if (len == 0)
++ return SC_ERROR_INTERNAL;
+ buf = malloc(len);
+ if (!buf)
+ return SC_ERROR_OUT_OF_MEMORY;
+@@ -682,7 +684,7 @@ static int starcos_write_pukey(sc_profile_t *profile, sc_card_t *card,
+ if (num_keys == 0xff)
+ num_keys = 0;
+ /* encode public key */
+- keylen = starcos_encode_pukey(rsa, NULL, kinfo);
++ keylen = starcos_encode_pukey(rsa, NULL, kinfo);
+ if (!keylen) {
+ free(buf);
+ return SC_ERROR_INTERNAL;
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0002.patch
new file mode 100644
index 0000000000..65d596b92b
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0002.patch
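Review bot: The zero-length guard added after `sc_file_free(tfile)` returns SC_ERROR_INTERNAL for a size taken from `tfile->size`, which presumably originates in the card's response, while the two companion iasecc-sdo patches in this series report the same kind of malformed card data as SC_ERROR_INVALID_DATA; returning `SC_ERROR_INVALID_DATA` here too would tell the caller the card data is bad rather than that the library hit an invariant failure, and keep the three backports consistent. A short why-comment would help the next reader, e.g. `/* size is card-reported; zero must not reach malloc() or the encoder */`. In the second hunk the removed and added `keylen = starcos_encode_pukey(rsa, NULL, kinfo);` lines are identical in the text shown here, so it appears to be a whitespace-only change carried over from upstream; it is harmless but could be dropped from a minimal CVE backport. starcos_write_pukey begins before and continues after this hunk, so whether `len` is later bounded against the encoded key length is not visible here.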
@@ -0,0 +1,34 @@
+From 6baa19596598169d652659863470a60c5ed79ecd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?=
+Date: Thu, 18 Jul 2024 09:35:23 +0200
+Subject: [PATCH] iasecc-sdo: Check length of data before dereferencing
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15init/21
+
+CVE: CVE-2024-45620
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/6baa19596598169d652659863470a60c5ed79ecd]
+
+Signed-off-by: Zhang Peng
+---
+ src/libopensc/iasecc-sdo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/libopensc/iasecc-sdo.c b/src/libopensc/iasecc-sdo.c
+index 417b6dd57d..98402a4e3f 100644
+--- a/src/libopensc/iasecc-sdo.c
++++ b/src/libopensc/iasecc-sdo.c
+@@ -729,6 +729,9 @@ iasecc_sdo_parse(struct sc_card *card, unsigned char *data, size_t data_len, str
+
+ LOG_FUNC_CALLED(ctx);
+
++ if (data == NULL || data_len < 2)
++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
+ if (*data == IASECC_SDO_TEMPLATE_TAG) {
+ size_size = iasecc_parse_size(data + 1, &size);
+ LOG_TEST_RET(ctx, size_size, "parse error: invalid size data of IASECC_SDO_TEMPLATE");
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0003.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0003.patch
new file mode 100644
index 0000000000..5bc8805e65
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0003.patch
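Review bot: The new `data_len < 2` check only proves the tag byte and the first length byte are readable, but `iasecc_parse_size(data + 1, &size)` on the following line is still called without any bound, so a multi-byte length encoding can be read past `data_len` before anything validates it, and nothing in this hunk compares the decoded `size` with the remaining input the way CVE-2024-45620-0003.patch does for iasecc_se_parse (`if (data_len - 1 < size)`). If the rest of iasecc_sdo_parse, which starts before and continues after this hunk, does not bound `size`, the same over-read the third patch closes is left open here. Adding the same post-parse comparison, or passing the remaining length into the size parser, would close the gap. A short comment such as `/* need the tag byte and at least one length byte before dereferencing */` would also explain the constant 2.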
@@ -0,0 +1,50 @@
+From 468a314d76b26f724a551f2eb339dd17c856cf18 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?=
+Date: Thu, 18 Jul 2024 11:03:46 +0200
+Subject: [PATCH] iasecc-sdo: Check length of data when parsing
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15init/27,29
+
+CVE: CVE-2024-45620
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/468a314d76b26f724a551f2eb339dd17c856cf18]
+
+Signed-off-by: Zhang Peng
+---
+ src/libopensc/iasecc-sdo.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/libopensc/iasecc-sdo.c b/src/libopensc/iasecc-sdo.c
+index 4d6be7ad4..bdbd5ab17 100644
+--- a/src/libopensc/iasecc-sdo.c
++++ b/src/libopensc/iasecc-sdo.c
+@@ -334,16 +334,25 @@ iasecc_se_parse(struct sc_card *card, unsigned char *data, size_t data_len, stru
+
+ LOG_FUNC_CALLED(ctx);
+
++ if (data_len < 1)
++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
+ if (*data == IASECC_SDO_TEMPLATE_TAG) {
+ size_size = iasecc_parse_size(data + 1, &size);
+ LOG_TEST_RET(ctx, size_size, "parse error: invalid size data of IASECC_SDO_TEMPLATE");
+
++ if (data_len - 1 < size)
++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
+ data += size_size + 1;
+ data_len = size;
+ sc_log(ctx,
+ "IASECC_SDO_TEMPLATE: size %"SC_FORMAT_LEN_SIZE_T"u, size_size %"SC_FORMAT_LEN_SIZE_T"u",
+ size, size_size);
+
++ if (data_len < 3)
++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
+ if (*data != IASECC_SDO_TAG_HEADER)
+ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
index 5e840555b0..52e29a5d92 100644
--- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
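Review bot: The bound `if (data_len - 1 < size)` does not subtract the length-field bytes: after `data += size_size + 1; data_len = size;` the template contents occupy `1 + size_size + size` bytes of the original buffer, so `size` can still exceed what is really available by up to `size_size` bytes and the later `*data` reads can run past the input. The check should be `if (data_len < 1 + (size_t)size_size || data_len - 1 - (size_t)size_size < size)`, assuming size_size is a signed int as its use with LOG_TEST_RET suggests. Separately, `iasecc_parse_size(data + 1, &size)` is still reached with data_len == 1, since the new `data_len < 1` guard only proves the tag byte is readable, so the length bytes it decodes may also lie beyond the buffer; either the guard needs to require at least two bytes or the parser needs the remaining length. iasecc_se_parse begins before and continues after this hunk.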
@@ -52,6 +52,9 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
 file://CVE-2024-45619-0004.patch \
 file://CVE-2024-45619-0005.patch \
 file://CVE-2024-45619-0006.patch \
+ file://CVE-2024-45620-0001.patch \
+ file://CVE-2024-45620-0002.patch \
+ file://CVE-2024-45620-0003.patch \
 "
 
 # CVE-2021-34193 is a duplicate CVE covering the 5 individual
-- 
cgit v1.2.3-54-g00ecf