opensc: Fix CVE-2023-40661

Upstream-Status: Backport[https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50] Signed-off-by: virendra thakur <virendrak@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: virendra thakur <virendrak@kpit.com> 2023-12-22 12:04:58 +0530
committer: Armin Kuster <akuster808@gmail.com> 2024-01-16 07:31:14 -0500
commit: 60569e5c89bdc65b7ae08065bae02c9b38d8ec80 (patch)
tree: 76a40cd576febbaff44499425c0b6b59411d54e9
parent: 23ca2973ff58a6ee17f0f0863a57c573a604316f (diff)
download: meta-openembedded-60569e5c89bdc65b7ae08065bae02c9b38d8ec80.tar.gz
8 files changed, 245 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-1.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-1.patch
new file mode 100644
index 000000000..3ecff558c
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-1.patch
@@ -0,0 +1,47 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/245efe608d083fd4e4ec96793fdefd218e26fde7
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 17 Aug 2023 13:54:42 +0200
+Subject: pkcs15: Avoid buffer overflow when getting last update
+Thanks oss-fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60769
+CVE: CVE-2023-40661
+Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Hunk refreshed based on codebase.
+---
+ src/libopensc/pkcs15.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+diff --git a/src/libopensc/pkcs15.c b/src/libopensc/pkcs15.c
+index eb7fc6afcd..4215b733a8 100644
+--- a/src/libopensc/pkcs15.c
+++ b/src/libopensc/pkcs15.c
+@@ -528,7 +528,7 @@
+        struct sc_context *ctx  = p15card->card->ctx;
+        struct sc_file *file = NULL;
+        struct sc_asn1_entry asn1_last_update[C_ASN1_LAST_UPDATE_SIZE];
+-       unsigned char *content, last_update[32];
+        unsigned char *content, last_update[32] = {0};
+        size_t lupdate_len = sizeof(last_update) - 1;
+        int r, content_len;
+        size_t size;
+@@ -564,9 +564,11 @@
+        if (r < 0)
+                return NULL;
+ 
+-       p15card->tokeninfo->last_update.gtime = strdup((char *)last_update);
+-       if (!p15card->tokeninfo->last_update.gtime)
+-               return NULL;
+        if (asn1_last_update[0].flags & SC_ASN1_PRESENT) {
+                p15card->tokeninfo->last_update.gtime = strdup((char *)last_update);
+                if (!p15card->tokeninfo->last_update.gtime)
+                        return NULL;
+        }
+ done:
+        sc_log(ctx, "lastUpdate.gtime '%s'", p15card->tokeninfo->last_update.gtime);
+        return p15card->tokeninfo->last_update.gtime;
diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-2.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-2.patch
new file mode 100644
index 000000000..39e729c5a
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-2.patch
@@ -0,0 +1,32 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/440ca666eff10cc7011901252d20f3fc4ea23651
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 17 Aug 2023 13:41:36 +0200
+Subject: setcos: Avoid buffer underflow
+Thanks oss-fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60672
+CVE: CVE-2023-40661
+Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Hunk refreshed based on codebase.
+---
+ src/pkcs15init/pkcs15-setcos.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/src/pkcs15init/pkcs15-setcos.c b/src/pkcs15init/pkcs15-setcos.c
+index 1b56afe6d9..1907b47f9d 100644
+--- a/src/pkcs15init/pkcs15-setcos.c
+++ b/src/pkcs15init/pkcs15-setcos.c
+@@ -346,6 +346,10 @@
+ 
+        /* Replace the path of instantiated key template by the path from the object data. */
+         memcpy(&file->path, &key_info->path, sizeof(file->path));
+       if (file->path.len < 2) {
+               sc_file_free(file);
+               LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Invalid path");
+       }
+         file->id = file->path.value[file->path.len - 2] * 0x100
+                + file->path.value[file->path.len - 1];
+ 
diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-3.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-3.patch
new file mode 100644
index 000000000..7950cf91d
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-3.patch
@@ -0,0 +1,31 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/41d61da8481582e12710b5858f8b635e0a71ab5e
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 20 Sep 2023 10:13:57 +0200
+Subject: oberthur: Avoid buffer overflow
+Thanks oss-fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650
+CVE: CVE-2023-40661
+Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Hunk refreshed based on codebase.
+---
+ src/pkcs15init/pkcs15-oberthur.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/src/pkcs15init/pkcs15-oberthur.c b/src/pkcs15init/pkcs15-oberthur.c
+index ad2cabd530..c441ab1e76 100644
+--- a/src/pkcs15init/pkcs15-oberthur.c
+++ b/src/pkcs15init/pkcs15-oberthur.c
+@@ -688,6 +688,9 @@
+        if (object->type != SC_PKCS15_TYPE_PRKEY_RSA)
+                LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Create key failed: RSA only supported");
+ 
+       if (key_info->path.len < 2)
+               LOG_TEST_RET(ctx, SC_ERROR_OBJECT_NOT_VALID, "The path needs to be at least to bytes long");
+
+        sc_log(ctx,  "create private key ID:%s",  sc_pkcs15_print_id(&key_info->id));
+        /* Here, the path of private key file should be defined.
+         * Nevertheless, we need to instantiate private key to get the ACLs. */
diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-4.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-4.patch
new file mode 100644
index 000000000..797f8ad3b
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-4.patch
@@ -0,0 +1,28 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/578aed8391ef117ca64a9e0cba8e5c264368a0ec
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Thu, 8 Dec 2022 00:27:18 +0100
+Subject: sc_pkcs15init_rmdir: prevent out of bounds write
+fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53927
+CVE: CVE-2023-40661
+Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Hunk refreshed based on codebase.
+---
+ src/pkcs15init/pkcs15-lib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
+index 91cee37310..3df03c6e1f 100644
+--- a/src/pkcs15init/pkcs15-lib.c
+++ b/src/pkcs15init/pkcs15-lib.c
+@@ -666,6 +666,8 @@
+ 
+                path = df->path;
+                path.len += 2;
+               if (path.len > SC_MAX_PATH_SIZE)
+                       return SC_ERROR_INTERNAL;
+ 
+                nfids = r / 2;
+                while (r >= 0 && nfids--) {
diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-5.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-5.patch
new file mode 100644
index 000000000..e173e6557
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-5.patch
@@ -0,0 +1,30 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/c449a181a6988cc1e8dc8764d23574e48cdc3fa6
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Mon, 19 Jun 2023 16:14:51 +0200
+Subject: pkcs15-cflex: check path length to prevent underflow
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58932
+CVE: CVE-2023-40661
+Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Hunk refreshed based on codebase.
+---
+ src/pkcs15init/pkcs15-cflex.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/src/pkcs15init/pkcs15-cflex.c b/src/pkcs15init/pkcs15-cflex.c
+index d06568073d..ce1d48e62c 100644
+--- a/src/pkcs15init/pkcs15-cflex.c
+++ b/src/pkcs15init/pkcs15-cflex.c
+@@ -56,6 +56,9 @@
+         int             r = 0;
+         /* Select the parent DF */
+         path = df->path;
+               if (path.len < 2) {
+                       return SC_ERROR_INVALID_ARGUMENTS;
+               }
+         path.len -= 2;
+         r = sc_select_file(p15card->card, &path, &parent);
+         if (r < 0)
diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-6.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-6.patch
new file mode 100644
index 000000000..abb524de2
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-6.patch
@@ -0,0 +1,30 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/df5a176bfdf8c52ba89c7fef1f82f6f3b9312bc1
+From: Veronika Hanulikova <xhanulik@fi.muni.cz>
+Date: Fri, 10 Feb 2023 11:47:34 +0100
+Subject: Check array bounds
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54312
+CVE: CVE-2023-40661
+Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Hunk refreshed based on codebase.
+---
+ src/libopensc/muscle.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/src/libopensc/muscle.c b/src/libopensc/muscle.c
+index 61a4ec24d8..9d01e0c113 100644
+--- a/src/libopensc/muscle.c
+++ b/src/libopensc/muscle.c
+@@ -183,6 +183,9 @@
+        sc_apdu_t apdu;
+        int r;
+ 
+       if (dataLength + 9 > MSC_MAX_APDU)
+               return SC_ERROR_INVALID_ARGUMENTS;
+
+        sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x54, 0x00, 0x00);
+        apdu.lc = dataLength + 9;
+        if (card->ctx->debug >= 2)
diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-7.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-7.patch
new file mode 100644
index 000000000..858a996ed
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-7.patch
@@ -0,0 +1,40 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/5631e9843c832a99769def85b7b9b68b4e3e3959
+From: Veronika Hanulikova <xhanulik@fi.muni.cz>
+Date: Fri, 3 Mar 2023 16:07:38 +0100
+Subject: Check length of string before making copy
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55851
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55998
+CVE: CVE-2023-40661
+Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
+Signed-off-by: Virendra Thakur <virendrak@kpit.com>
+Comment: Hunk refreshed based on codebase.
+---
+ src/pkcs15init/profile.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/src/pkcs15init/profile.c b/src/pkcs15init/profile.c
+index 2b793b0282..3bad1e8536 100644
+--- a/src/pkcs15init/profile.c
+++ b/src/pkcs15init/profile.c
+@@ -1465,6 +1465,8 @@
+        while (argc--) {
+                unsigned int    op, method, id;
+ 
+               if (strlen(*argv) >= sizeof(oper))
+                       goto bad;
+                strlcpy(oper, *argv++, sizeof(oper));
+                if ((what = strchr(oper, '=')) == NULL)
+                        goto bad;
+@@ -2128,6 +2130,9 @@
+                return get_uint(cur, value, type);
+        }
+ 
+       if (strlen(value) >= sizeof(temp))
+               return 1;
+
+        n = strcspn(value, "0123456789x");
+        strlcpy(temp, value, (sizeof(temp) > n) ? n + 1 : sizeof(temp));
+ 
diff --git a/meta-oe/recipes-support/opensc/opensc_0.20.0.bb b/meta-oe/recipes-support/opensc/opensc_0.20.0.bb
index 3e77b8884..3eb0c1e55 100644
--- a/meta-oe/recipes-support/opensc/opensc_0.20.0.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.20.0.bb
@@ -15,6 +15,13 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"
 SRCREV = "45e29056ccde422e70ed3585084a7f150c632515"
 SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
           file://CVE-2023-40660.patch \
+           file://CVE-2023-40661-1.patch \
+           file://CVE-2023-40661-2.patch \
+           file://CVE-2023-40661-3.patch \
+           file://CVE-2023-40661-4.patch \
+           file://CVE-2023-40661-5.patch \
+           file://CVE-2023-40661-6.patch \
+           file://CVE-2023-40661-7.patch \
          "
 DEPENDS = "virtual/libiconv openssl"
author	virendra thakur <virendrak@kpit.com>	2023-12-22 12:04:58 +0530
committer	Armin Kuster <akuster808@gmail.com>	2024-01-16 07:31:14 -0500
commit	60569e5c89bdc65b7ae08065bae02c9b38d8ec80 (patch)
tree	76a40cd576febbaff44499425c0b6b59411d54e9
parent	23ca2973ff58a6ee17f0f0863a57c573a604316f (diff)
download	meta-openembedded-60569e5c89bdc65b7ae08065bae02c9b38d8ec80.tar.gz

diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-1.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-1.patch new file mode 100644 index 000000000..3ecff558c --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-1.patch
@@ -0,0 +1,47 @@
		1	Origin: https://github.com/OpenSC/OpenSC/commit/245efe608d083fd4e4ec96793fdefd218e26fde7
		2	From: Jakub Jelen <jjelen@redhat.com>
		3	Date: Thu, 17 Aug 2023 13:54:42 +0200
		4	Subject: pkcs15: Avoid buffer overflow when getting last update
		5
		6	Thanks oss-fuzz
		7
		8	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60769
		9
		10	CVE: CVE-2023-40661
		11	Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
		12	Signed-off-by: Virendra Thakur <virendrak@kpit.com>
		13	Comment: Hunk refreshed based on codebase.
		14
		15	---
		16	src/libopensc/pkcs15.c \| 16 +++++++++-------
		17	1 file changed, 9 insertions(+), 7 deletions(-)
		18
		19	diff --git a/src/libopensc/pkcs15.c b/src/libopensc/pkcs15.c
		20	index eb7fc6afcd..4215b733a8 100644
		21	--- a/src/libopensc/pkcs15.c
		22	+++ b/src/libopensc/pkcs15.c
		23	@@ -528,7 +528,7 @@
		24	struct sc_context *ctx = p15card->card->ctx;
		25	struct sc_file *file = NULL;
		26	struct sc_asn1_entry asn1_last_update[C_ASN1_LAST_UPDATE_SIZE];
		27	- unsigned char *content, last_update[32];
		28	+ unsigned char *content, last_update[32] = {0};
		29	size_t lupdate_len = sizeof(last_update) - 1;
		30	int r, content_len;
		31	size_t size;
		32	@@ -564,9 +564,11 @@
		33	if (r < 0)
		34	return NULL;
		35
		36	- p15card->tokeninfo->last_update.gtime = strdup((char *)last_update);
		37	- if (!p15card->tokeninfo->last_update.gtime)
		38	- return NULL;
		39	+ if (asn1_last_update[0].flags & SC_ASN1_PRESENT) {
		40	+ p15card->tokeninfo->last_update.gtime = strdup((char *)last_update);
		41	+ if (!p15card->tokeninfo->last_update.gtime)
		42	+ return NULL;
		43	+ }
		44	done:
		45	sc_log(ctx, "lastUpdate.gtime '%s'", p15card->tokeninfo->last_update.gtime);
		46	return p15card->tokeninfo->last_update.gtime;
		47


diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-2.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-2.patch new file mode 100644 index 000000000..39e729c5a --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-2.patch
@@ -0,0 +1,32 @@
		1	Origin: https://github.com/OpenSC/OpenSC/commit/440ca666eff10cc7011901252d20f3fc4ea23651
		2	From: Jakub Jelen <jjelen@redhat.com>
		3	Date: Thu, 17 Aug 2023 13:41:36 +0200
		4	Subject: setcos: Avoid buffer underflow
		5
		6	Thanks oss-fuzz
		7
		8	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60672
		9	CVE: CVE-2023-40661
		10	Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
		11	Signed-off-by: Virendra Thakur <virendrak@kpit.com>
		12	Comment: Hunk refreshed based on codebase.
		13	---
		14	src/pkcs15init/pkcs15-setcos.c \| 4 ++++
		15	1 file changed, 4 insertions(+)
		16
		17	diff --git a/src/pkcs15init/pkcs15-setcos.c b/src/pkcs15init/pkcs15-setcos.c
		18	index 1b56afe6d9..1907b47f9d 100644
		19	--- a/src/pkcs15init/pkcs15-setcos.c
		20	+++ b/src/pkcs15init/pkcs15-setcos.c
		21	@@ -346,6 +346,10 @@
		22
		23	/* Replace the path of instantiated key template by the path from the object data. */
		24	memcpy(&file->path, &key_info->path, sizeof(file->path));
		25	+ if (file->path.len < 2) {
		26	+ sc_file_free(file);
		27	+ LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Invalid path");
		28	+ }
		29	file->id = file->path.value[file->path.len - 2] * 0x100
		30	+ file->path.value[file->path.len - 1];
		31
		32


diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-3.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-3.patch new file mode 100644 index 000000000..7950cf91d --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-3.patch
@@ -0,0 +1,31 @@
		1	Origin: https://github.com/OpenSC/OpenSC/commit/41d61da8481582e12710b5858f8b635e0a71ab5e
		2	From: Jakub Jelen <jjelen@redhat.com>
		3	Date: Wed, 20 Sep 2023 10:13:57 +0200
		4	Subject: oberthur: Avoid buffer overflow
		5
		6	Thanks oss-fuzz
		7
		8	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650
		9	CVE: CVE-2023-40661
		10	Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
		11	Signed-off-by: Virendra Thakur <virendrak@kpit.com>
		12	Comment: Hunk refreshed based on codebase.
		13	---
		14	src/pkcs15init/pkcs15-oberthur.c \| 3 +++
		15	1 file changed, 3 insertions(+)
		16
		17	diff --git a/src/pkcs15init/pkcs15-oberthur.c b/src/pkcs15init/pkcs15-oberthur.c
		18	index ad2cabd530..c441ab1e76 100644
		19	--- a/src/pkcs15init/pkcs15-oberthur.c
		20	+++ b/src/pkcs15init/pkcs15-oberthur.c
		21	@@ -688,6 +688,9 @@
		22	if (object->type != SC_PKCS15_TYPE_PRKEY_RSA)
		23	LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Create key failed: RSA only supported");
		24
		25	+ if (key_info->path.len < 2)
		26	+ LOG_TEST_RET(ctx, SC_ERROR_OBJECT_NOT_VALID, "The path needs to be at least to bytes long");
		27	+
		28	sc_log(ctx, "create private key ID:%s", sc_pkcs15_print_id(&key_info->id));
		29	/* Here, the path of private key file should be defined.
		30	* Nevertheless, we need to instantiate private key to get the ACLs. */
		31


diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-4.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-4.patch new file mode 100644 index 000000000..797f8ad3b --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-4.patch
@@ -0,0 +1,28 @@
		1	Origin: https://github.com/OpenSC/OpenSC/commit/578aed8391ef117ca64a9e0cba8e5c264368a0ec
		2	From: Frank Morgner <frankmorgner@gmail.com>
		3	Date: Thu, 8 Dec 2022 00:27:18 +0100
		4	Subject: sc_pkcs15init_rmdir: prevent out of bounds write
		5
		6	fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53927
		7	CVE: CVE-2023-40661
		8	Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
		9	Signed-off-by: Virendra Thakur <virendrak@kpit.com>
		10	Comment: Hunk refreshed based on codebase.
		11	---
		12	src/pkcs15init/pkcs15-lib.c \| 2 ++
		13	1 file changed, 2 insertions(+)
		14
		15	diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
		16	index 91cee37310..3df03c6e1f 100644
		17	--- a/src/pkcs15init/pkcs15-lib.c
		18	+++ b/src/pkcs15init/pkcs15-lib.c
		19	@@ -666,6 +666,8 @@
		20
		21	path = df->path;
		22	path.len += 2;
		23	+ if (path.len > SC_MAX_PATH_SIZE)
		24	+ return SC_ERROR_INTERNAL;
		25
		26	nfids = r / 2;
		27	while (r >= 0 && nfids--) {
		28


diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-5.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-5.patch new file mode 100644 index 000000000..e173e6557 --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-5.patch
@@ -0,0 +1,30 @@
		1	Origin: https://github.com/OpenSC/OpenSC/commit/c449a181a6988cc1e8dc8764d23574e48cdc3fa6
		2	From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
		3	Date: Mon, 19 Jun 2023 16:14:51 +0200
		4	Subject: pkcs15-cflex: check path length to prevent underflow
		5
		6	Thanks OSS-Fuzz
		7	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58932
		8	CVE: CVE-2023-40661
		9	Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
		10	Signed-off-by: Virendra Thakur <virendrak@kpit.com>
		11	Comment: Hunk refreshed based on codebase.
		12	---
		13	src/pkcs15init/pkcs15-cflex.c \| 3 +++
		14	1 file changed, 3 insertions(+)
		15
		16	diff --git a/src/pkcs15init/pkcs15-cflex.c b/src/pkcs15init/pkcs15-cflex.c
		17	index d06568073d..ce1d48e62c 100644
		18	--- a/src/pkcs15init/pkcs15-cflex.c
		19	+++ b/src/pkcs15init/pkcs15-cflex.c
		20	@@ -56,6 +56,9 @@
		21	int r = 0;
		22	/* Select the parent DF */
		23	path = df->path;
		24	+ if (path.len < 2) {
		25	+ return SC_ERROR_INVALID_ARGUMENTS;
		26	+ }
		27	path.len -= 2;
		28	r = sc_select_file(p15card->card, &path, &parent);
		29	if (r < 0)
		30


diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-6.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-6.patch new file mode 100644 index 000000000..abb524de2 --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-6.patch
@@ -0,0 +1,30 @@
		1	Origin: https://github.com/OpenSC/OpenSC/commit/df5a176bfdf8c52ba89c7fef1f82f6f3b9312bc1
		2	From: Veronika Hanulikova <xhanulik@fi.muni.cz>
		3	Date: Fri, 10 Feb 2023 11:47:34 +0100
		4	Subject: Check array bounds
		5
		6	Thanks OSS-Fuzz
		7	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54312
		8	CVE: CVE-2023-40661
		9	Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
		10	Signed-off-by: Virendra Thakur <virendrak@kpit.com>
		11	Comment: Hunk refreshed based on codebase.
		12	---
		13	src/libopensc/muscle.c \| 3 +++
		14	1 file changed, 3 insertions(+)
		15
		16	diff --git a/src/libopensc/muscle.c b/src/libopensc/muscle.c
		17	index 61a4ec24d8..9d01e0c113 100644
		18	--- a/src/libopensc/muscle.c
		19	+++ b/src/libopensc/muscle.c
		20	@@ -183,6 +183,9 @@
		21	sc_apdu_t apdu;
		22	int r;
		23
		24	+ if (dataLength + 9 > MSC_MAX_APDU)
		25	+ return SC_ERROR_INVALID_ARGUMENTS;
		26	+
		27	sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x54, 0x00, 0x00);
		28	apdu.lc = dataLength + 9;
		29	if (card->ctx->debug >= 2)
		30


diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-7.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-7.patch new file mode 100644 index 000000000..858a996ed --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2023-40661-7.patch
@@ -0,0 +1,40 @@
		1	Origin: https://github.com/OpenSC/OpenSC/commit/5631e9843c832a99769def85b7b9b68b4e3e3959
		2	From: Veronika Hanulikova <xhanulik@fi.muni.cz>
		3	Date: Fri, 3 Mar 2023 16:07:38 +0100
		4	Subject: Check length of string before making copy
		5
		6	Thanks OSS-Fuzz
		7	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55851
		8	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55998
		9	CVE: CVE-2023-40661
		10	Upstream-Status: Backport [https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50]
		11	Signed-off-by: Virendra Thakur <virendrak@kpit.com>
		12	Comment: Hunk refreshed based on codebase.
		13	---
		14	src/pkcs15init/profile.c \| 6 ++++++
		15	1 file changed, 6 insertions(+)
		16
		17	diff --git a/src/pkcs15init/profile.c b/src/pkcs15init/profile.c
		18	index 2b793b0282..3bad1e8536 100644
		19	--- a/src/pkcs15init/profile.c
		20	+++ b/src/pkcs15init/profile.c
		21	@@ -1465,6 +1465,8 @@
		22	while (argc--) {
		23	unsigned int op, method, id;
		24
		25	+ if (strlen(*argv) >= sizeof(oper))
		26	+ goto bad;
		27	strlcpy(oper, *argv++, sizeof(oper));
		28	if ((what = strchr(oper, '=')) == NULL)
		29	goto bad;
		30	@@ -2128,6 +2130,9 @@
		31	return get_uint(cur, value, type);
		32	}
		33
		34	+ if (strlen(value) >= sizeof(temp))
		35	+ return 1;
		36	+
		37	n = strcspn(value, "0123456789x");
		38	strlcpy(temp, value, (sizeof(temp) > n) ? n + 1 : sizeof(temp));
		39
		40


diff --git a/meta-oe/recipes-support/opensc/opensc_0.20.0.bb b/meta-oe/recipes-support/opensc/opensc_0.20.0.bb index 3e77b8884..3eb0c1e55 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.20.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.20.0.bb
@@ -15,6 +15,13 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"
15	SRCREV = "45e29056ccde422e70ed3585084a7f150c632515"	15	SRCREV = "45e29056ccde422e70ed3585084a7f150c632515"
16	SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \	16	SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
17	file://CVE-2023-40660.patch \	17	file://CVE-2023-40660.patch \
		18	file://CVE-2023-40661-1.patch \
		19	file://CVE-2023-40661-2.patch \
		20	file://CVE-2023-40661-3.patch \
		21	file://CVE-2023-40661-4.patch \
		22	file://CVE-2023-40661-5.patch \
		23	file://CVE-2023-40661-6.patch \
		24	file://CVE-2023-40661-7.patch \
18	"	25	"
19	DEPENDS = "virtual/libiconv openssl"	26	DEPENDS = "virtual/libiconv openssl"
20		27