author | virendra thakur <virendrak@kpit.com> | 2023-12-22 12:04:58 +0530 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2024-01-16 07:31:14 -0500 |
commit | 60569e5c89bdc65b7ae08065bae02c9b38d8ec80 (patch) | |
tree | 76a40cd576febbaff44499425c0b6b59411d54e9 | |
parent | 23ca2973ff58a6ee17f0f0863a57c573a604316f (diff) | |
download | meta-openembedded-60569e5c89bdc65b7ae08065bae02c9b38d8ec80.tar.gz |
opensc: Fix CVE-2023-40661
Upstream-Status: Backport[https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
Signed-off-by: virendra thakur <virendrak@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
8 files changed, 245 insertions, 0 deletions
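--- /dev/null
+++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-1.patch
@@ -0,0 +1,47 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/245efe608d083fd4e4ec96793fdefd218e26fde7
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 17 Aug 2023 13:54:42 +0200
+Subject: pkcs15: Avoid buffer overflow when getting last update
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60769
+
+CVE: CVE-2023-40661
+Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Hunk refreshed based on codebase.
+
+---
+src/libopensc/pkcs15.c | 16 +++++++++-------
+1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/libopensc/pkcs15.c b/src/libopensc/pkcs15.c
+index eb7fc6afcd..4215b733a8 100644
+--- a/src/libopensc/pkcs15.c
++++ b/src/libopensc/pkcs15.c
+@@ -528,7 +528,7 @@
+struct sc_context *ctx = p15card->card->ctx;
+struct sc_file *file = NULL;
+struct sc_asn1_entry asn1_last_update[C_ASN1_LAST_UPDATE_SIZE];
+- unsigned char *content, last_update[32];
++ unsigned char *content, last_update[32] = {0};
+size_t lupdate_len = sizeof(last_update) - 1;
+int r, content_len;
+size_t size;
+@@ -564,9 +564,11 @@
+if (r < 0)
+return NULL;
+
+- p15card->tokeninfo->last_update.gtime = strdup((char *)last_update);
+- if (!p15card->tokeninfo->last_update.gtime)
+- return NULL;
++ if (asn1_last_update[0].flags & SC_ASN1_PRESENT) {
++ p15card->tokeninfo->last_update.gtime = strdup((char *)last_update);
++ if (!p15card->tokeninfo->last_update.gtime)
++ return NULL;
++ }
+done:
+sc_log(ctx, "lastUpdate.gtime '%s'", p15card->tokeninfo->last_update.gtime);
+return p15card->tokeninfo->last_update.gtime;
+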
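Review bot: When the lastUpdate element is absent, the new `SC_ASN1_PRESENT` guard skips the `strdup` and control falls through to `done:`, where `last_update.gtime` is handed to a `'%s'` conversion in `sc_log`; if the field is still NULL at that point (its earlier state is outside the hunk), that is a NULL argument to `%s`. Logging a fallback keeps that path defined, for example `sc_log(ctx, "lastUpdate.gtime '%s'", gtime ? gtime : "(none)");` where `gtime` stands for `p15card->tokeninfo->last_update.gtime`. A short comment above the guard, such as `/* element is OPTIONAL: leave gtime unset when the card did not supply it */`, would also record that a NULL return can now mean "no timestamp" as well as an allocation failure. The function body starts and ends outside the hunk.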
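--- /dev/null
+++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-2.patch
@@ -0,0 +1,32 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/440ca666eff10cc7011901252d20f3fc4ea23651
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 17 Aug 2023 13:41:36 +0200
+Subject: setcos: Avoid buffer underflow
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60672
+CVE: CVE-2023-40661
+Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Hunk refreshed based on codebase.
+---
+src/pkcs15init/pkcs15-setcos.c | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/src/pkcs15init/pkcs15-setcos.c b/src/pkcs15init/pkcs15-setcos.c
+index 1b56afe6d9..1907b47f9d 100644
+--- a/src/pkcs15init/pkcs15-setcos.c
++++ b/src/pkcs15init/pkcs15-setcos.c
+@@ -346,6 +346,10 @@
+
+/* Replace the path of instantiated key template by the path from the object data. */
+memcpy(&file->path, &key_info->path, sizeof(file->path));
++ if (file->path.len < 2) {
++ sc_file_free(file);
++ LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Invalid path");
++ }
+file->id = file->path.value[file->path.len - 2] * 0x100
++ file->path.value[file->path.len - 1];
+
+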
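Review bot: The added guard rejects only `file->path.len < 2`, but the two index expressions that follow also read outside `value` when `len` is larger than the array, and the `memcpy` just above copies `key_info->path` with no validation visible here. Unless the length is bounded before this point (not shown in the hunk), the check could cover both ends: `if (file->path.len < 2 || file->path.len > SC_MAX_PATH_SIZE) {`. The lower-bound-only check added to pkcs15-oberthur.c in CVE-2023-40661-3.patch may want the same upper bound if the path is indexed the same way there. The enclosing function starts and ends outside the hunk.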
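--- /dev/null
+++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-3.patch
@@ -0,0 +1,31 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/41d61da8481582e12710b5858f8b635e0a71ab5e
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 20 Sep 2023 10:13:57 +0200
+Subject: oberthur: Avoid buffer overflow
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650
+CVE: CVE-2023-40661
+Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Hunk refreshed based on codebase.
+---
+src/pkcs15init/pkcs15-oberthur.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/src/pkcs15init/pkcs15-oberthur.c b/src/pkcs15init/pkcs15-oberthur.c
+index ad2cabd530..c441ab1e76 100644
+--- a/src/pkcs15init/pkcs15-oberthur.c
++++ b/src/pkcs15init/pkcs15-oberthur.c
+@@ -688,6 +688,9 @@
+if (object->type != SC_PKCS15_TYPE_PRKEY_RSA)
+LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Create key failed: RSA only supported");
+
++ if (key_info->path.len < 2)
++ LOG_TEST_RET(ctx, SC_ERROR_OBJECT_NOT_VALID, "The path needs to be at least to bytes long");
++
+sc_log(ctx, "create private key ID:%s", sc_pkcs15_print_id(&key_info->id));
+/* Here, the path of private key file should be defined.
+* Nevertheless, we need to instantiate private key to get the ACLs. */
+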
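Review bot: The message in the added check contains a typo, "at least to bytes long", which will reach the logs as written; it should read `"The path needs to be at least two bytes long"`. The check returns `SC_ERROR_OBJECT_NOT_VALID`, while the equivalent too-short-path check added to pkcs15-setcos.c in CVE-2023-40661-2.patch returns `SC_ERROR_INVALID_DATA`; one code for the same condition in both drivers would let callers and log triage handle it uniformly. The code that actually indexes the path is outside the hunk.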
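--- /dev/null
+++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-4.patch
@@ -0,0 +1,28 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/578aed8391ef117ca64a9e0cba8e5c264368a0ec
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Thu, 8 Dec 2022 00:27:18 +0100
+Subject: sc_pkcs15init_rmdir: prevent out of bounds write
+
+fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53927
+CVE: CVE-2023-40661
+Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Hunk refreshed based on codebase.
+---
+src/pkcs15init/pkcs15-lib.c | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
+index 91cee37310..3df03c6e1f 100644
+--- a/src/pkcs15init/pkcs15-lib.c
++++ b/src/pkcs15init/pkcs15-lib.c
+@@ -666,6 +666,8 @@
+
+path = df->path;
+path.len += 2;
++ if (path.len > SC_MAX_PATH_SIZE)
++ return SC_ERROR_INTERNAL;
+
+nfids = r / 2;
+while (r >= 0 && nfids--) {
+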
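Review bot: The new bounds check returns `SC_ERROR_INTERNAL` with no log line, so a DF path that is already at the maximum length fails without any record of which check fired; the guards added to pkcs15-cflex.c (CVE-2023-40661-5.patch) and muscle.c (CVE-2023-40661-6.patch) return silently in the same way. If a context pointer is in scope in this function (not visible in the hunk), `LOG_TEST_RET(ctx, SC_ERROR_INTERNAL, "DF path too long to append a file ID");` would match the logged checks in the setcos and oberthur patches. A comment such as `/* reserve the two bytes used for the child file ID */` would explain why the limit is tested after `path.len += 2`, assuming the loop that follows fills those bytes. The function body starts and ends outside the hunk.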
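--- /dev/null
+++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-5.patch
@@ -0,0 +1,30 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/c449a181a6988cc1e8dc8764d23574e48cdc3fa6
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Mon, 19 Jun 2023 16:14:51 +0200
+Subject: pkcs15-cflex: check path length to prevent underflow
+
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58932
+CVE: CVE-2023-40661
+Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Hunk refreshed based on codebase.
+---
+src/pkcs15init/pkcs15-cflex.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/src/pkcs15init/pkcs15-cflex.c b/src/pkcs15init/pkcs15-cflex.c
+index d06568073d..ce1d48e62c 100644
+--- a/src/pkcs15init/pkcs15-cflex.c
++++ b/src/pkcs15init/pkcs15-cflex.c
+@@ -56,6 +56,9 @@
+int r = 0;
+/* Select the parent DF */
+path = df->path;
++ if (path.len < 2) {
++ return SC_ERROR_INVALID_ARGUMENTS;
++ }
+path.len -= 2;
+r = sc_select_file(p15card->card, &path, &parent);
+if (r < 0)
+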
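--- /dev/null
+++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-6.patch
@@ -0,0 +1,30 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/df5a176bfdf8c52ba89c7fef1f82f6f3b9312bc1
+From: Veronika Hanulikova <xhanulik@fi.muni.cz>
+Date: Fri, 10 Feb 2023 11:47:34 +0100
+Subject: Check array bounds
+
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54312
+CVE: CVE-2023-40661
+Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Hunk refreshed based on codebase.
+---
+src/libopensc/muscle.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/src/libopensc/muscle.c b/src/libopensc/muscle.c
+index 61a4ec24d8..9d01e0c113 100644
+--- a/src/libopensc/muscle.c
++++ b/src/libopensc/muscle.c
+@@ -183,6 +183,9 @@
+sc_apdu_t apdu;
+int r;
+
++ if (dataLength + 9 > MSC_MAX_APDU)
++ return SC_ERROR_INVALID_ARGUMENTS;
++
+sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x54, 0x00, 0x00);
+apdu.lc = dataLength + 9;
+if (card->ctx->debug >= 2)
+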
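Review bot: The added guard evaluates `dataLength + 9` before comparing, so if `dataLength` has an unsigned size type (its declaration is outside the hunk) a value close to the type's maximum wraps to a small number and passes the check. Comparing against the remaining room avoids the addition altogether: `if (dataLength > MSC_MAX_APDU - 9)`. The function body starts and ends outside the hunk.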
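--- /dev/null
+++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-7.patch
@@ -0,0 +1,40 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/5631e9843c832a99769def85b7b9b68b4e3e3959
+From: Veronika Hanulikova <xhanulik@fi.muni.cz>
+Date: Fri, 3 Mar 2023 16:07:38 +0100
+Subject: Check length of string before making copy
+
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55851
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55998
+CVE: CVE-2023-40661
+Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Hunk refreshed based on codebase.
+---
+src/pkcs15init/profile.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/src/pkcs15init/profile.c b/src/pkcs15init/profile.c
+index 2b793b0282..3bad1e8536 100644
+--- a/src/pkcs15init/profile.c
++++ b/src/pkcs15init/profile.c
+@@ -1465,6 +1465,8 @@
+while (argc--) {
+unsigned int op, method, id;
+
++ if (strlen(*argv) >= sizeof(oper))
++ goto bad;
+strlcpy(oper, *argv++, sizeof(oper));
+if ((what = strchr(oper, '=')) == NULL)
+goto bad;
+@@ -2128,6 +2130,9 @@
+return get_uint(cur, value, type);
+}
+
++ if (strlen(value) >= sizeof(temp))
++ return 1;
++
+n = strcspn(value, "0123456789x");
+strlcpy(temp, value, (sizeof(temp) > n) ? n + 1 : sizeof(temp));
+
+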
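Review bot: In the second hunk the new `strlen(value) >= sizeof(temp)` guard leaves the clamp on the following `strlcpy` dead, because `n` from `strcspn` can never exceed `strlen(value)` and so `sizeof(temp) > n` is always true once the guard has passed. The copy can be written as `strlcpy(temp, value, n + 1);`, which makes it plain that the bound is enforced by the guard alone. That guard also returns 1 with no diagnostic, while the first hunk sends the same condition to `bad`; what `bad` reports is outside the hunk, but at the point of the jump `oper` has not yet been filled with the rejected argument. Both functions start and end outside the hunks.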
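--- a/meta-oe/recipes-support/opensc/opensc_0.20.0.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.20.0.bb
@@ -15,6 +15,13 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"
 SRCREV = "45e29056ccde422e70ed3585084a7f150c632515"
 SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
 file://CVE-2023-40660.patch \
+file://CVE-2023-40661-1.patch \
+file://CVE-2023-40661-2.patch \
+file://CVE-2023-40661-3.patch \
+file://CVE-2023-40661-4.patch \
+file://CVE-2023-40661-5.patch \
+file://CVE-2023-40661-6.patch \
+file://CVE-2023-40661-7.patch \
 "
 DEPENDS = "virtual/libiconv openssl"
 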