opensc: fix CVE-2024-45617

CVE-2024-45617: A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-45617] Upstream patches: [https://github.com/OpenSC/OpenSC/commit/fdb9e903eb124b6b18a5a9350a26eceb775585bc] [https://github.com/OpenSC/OpenSC/commit/fdb9e903eb124b6b18a5a9350a26eceb775585bc] [https://github.com/OpenSC/OpenSC/commit/efbc14ffa190e3e0ceecceb479024bb778b0ab68] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Zhang Peng <peng.zhang1.cn@windriver.com> 2025-01-15 15:24:25 +0800
committer: Armin Kuster <akuster808@gmail.com> 2025-01-22 19:28:47 -0500
commit: 4fff381a2257edcf6d1119973bc347233dadfdb3 (patch)
tree: 7cba0f7f5f37f92c42a63c9218e695d54d921d7f /meta-oe
parent: cd6d013e47774cf5b3ced01d7279de64af86c0e7 (diff)
download: meta-openembedded-4fff381a2257edcf6d1119973bc347233dadfdb3.tar.gz
4 files changed, 107 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0001.patch
new file mode 100644
index 0000000000..e750c7b514
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0001.patch
@@ -0,0 +1,38 @@
+From fdb9e903eb124b6b18a5a9350a26eceb775585bc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Tue, 16 Jul 2024 14:05:36 +0200
+Subject: [PATCH]  cac: Check return value when selecting AID
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+fuzz_pkcs11/14
+CVE: CVE-2024-45617
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/fdb9e903eb124b6b18a5a9350a26eceb775585bc]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/card-cac.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
+index 4c3bc89bd..f910f64d3 100644
+--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
+@@ -1302,10 +1302,10 @@ static int cac_parse_aid(sc_card_t *card, cac_private_data_t *priv, const u8 *ai
+        /* Call without OID set will just select the AID without subsequent
+         * OID selection, which we need to figure out just now
+         */
+-       cac_select_file_by_type(card, &new_object.path, NULL);
+       r = cac_select_file_by_type(card, &new_object.path, NULL);
+       LOG_TEST_RET(card->ctx, r, "Cannot select AID");
+        r = cac_get_properties(card, &prop);
+-       if (r < 0)
+-               return SC_ERROR_INTERNAL;
+       LOG_TEST_RET(card->ctx, r, "Cannot get CAC properties");
+ 
+        for (i = 0; i < prop.num_objects; i++) {
+                /* don't fail just because we have more certs than we can support */
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0002.patch
new file mode 100644
index 0000000000..617f95d45e
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0002.patch
@@ -0,0 +1,33 @@
+From 21d869b77792b6f189eebf373e399747177d99e2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Tue, 16 Jul 2024 14:29:01 +0200
+Subject: [PATCH] cardos: Return error when response length is 0
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+fuzz_pkcs11/18
+CVE: CVE-2024-45617
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/fdb9e903eb124b6b18a5a9350a26eceb775585bc]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/card-cardos.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
+index 9906f6c72..6f10943a5 100644
+--- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
+@@ -1278,7 +1278,7 @@ cardos_lifecycle_get(sc_card_t *card, int *mode)
+        LOG_TEST_RET(card->ctx, r, "Card returned error");
+ 
+        if (apdu.resplen < 1) {
+-               LOG_TEST_RET(card->ctx, r, "Lifecycle byte not in response");
+               LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Lifecycle byte not in response");
+        }
+ 
+        r = SC_SUCCESS;
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0003.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0003.patch
new file mode 100644
index 0000000000..cfb16b31bf
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0003.patch
@@ -0,0 +1,33 @@
+From efbc14ffa190e3e0ceecceb479024bb778b0ab68 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Wed, 17 Jul 2024 10:39:52 +0200
+Subject: [PATCH] card-jpki: Check number of read bytes
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+fuzz_pkcs15_encode/18
+CVE: CVE-2024-45617
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/efbc14ffa190e3e0ceecceb479024bb778b0ab68]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/card-jpki.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/src/libopensc/card-jpki.c b/src/libopensc/card-jpki.c
+index 6e4d0f3165..71339491d1 100644
+--- a/src/libopensc/card-jpki.c
+++ b/src/libopensc/card-jpki.c
+@@ -195,6 +195,8 @@ jpki_select_file(struct sc_card *card,
+                u8 buf[4];
+                rc = sc_read_binary(card, 0, buf, 4, 0);
+                LOG_TEST_RET(card->ctx, rc, "SW Check failed");
+               if (rc < 4)
+                       LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Received data too short");
+                file = sc_file_new();
+                if (!file) {
+                        LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
index ec01496709..89e2e0d5a5 100644
--- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
@@ -41,6 +41,9 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
           file://CVE-2024-45616-0008.patch \
           file://CVE-2024-45616-0009.patch \
           file://CVE-2024-45616-0010.patch \
+           file://CVE-2024-45617-0001.patch \
+           file://CVE-2024-45617-0002.patch \
+           file://CVE-2024-45617-0003.patch \
          "
 # CVE-2021-34193 is a duplicate CVE covering the 5 individual
author	Zhang Peng <peng.zhang1.cn@windriver.com>	2025-01-15 15:24:25 +0800
committer	Armin Kuster <akuster808@gmail.com>	2025-01-22 19:28:47 -0500
commit	4fff381a2257edcf6d1119973bc347233dadfdb3 (patch)
tree	7cba0f7f5f37f92c42a63c9218e695d54d921d7f /meta-oe
parent	cd6d013e47774cf5b3ced01d7279de64af86c0e7 (diff)
download	meta-openembedded-4fff381a2257edcf6d1119973bc347233dadfdb3.tar.gz

diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0001.patch new file mode 100644 index 0000000000..e750c7b514 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0001.patch
@@ -0,0 +1,38 @@
		1	From fdb9e903eb124b6b18a5a9350a26eceb775585bc Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
		3	Date: Tue, 16 Jul 2024 14:05:36 +0200
		4	Subject: [PATCH] cac: Check return value when selecting AID
		5
		6	Thanks Matteo Marini for report
		7	https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
		8
		9	fuzz_pkcs11/14
		10
		11	CVE: CVE-2024-45617
		12	Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/fdb9e903eb124b6b18a5a9350a26eceb775585bc]
		13
		14	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		15	---
		16	src/libopensc/card-cac.c \| 6 +++---
		17	1 file changed, 3 insertions(+), 3 deletions(-)
		18
		19	diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
		20	index 4c3bc89bd..f910f64d3 100644
		21	--- a/src/libopensc/card-cac.c
		22	+++ b/src/libopensc/card-cac.c
		23	@@ -1302,10 +1302,10 @@ static int cac_parse_aid(sc_card_t card, cac_private_data_t priv, const u8 *ai
		24	/* Call without OID set will just select the AID without subsequent
		25	* OID selection, which we need to figure out just now
		26	*/
		27	- cac_select_file_by_type(card, &new_object.path, NULL);
		28	+ r = cac_select_file_by_type(card, &new_object.path, NULL);
		29	+ LOG_TEST_RET(card->ctx, r, "Cannot select AID");
		30	r = cac_get_properties(card, &prop);
		31	- if (r < 0)
		32	- return SC_ERROR_INTERNAL;
		33	+ LOG_TEST_RET(card->ctx, r, "Cannot get CAC properties");
		34
		35	for (i = 0; i < prop.num_objects; i++) {
		36	/* don't fail just because we have more certs than we can support */
		37	--
		38	2.34.1


diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0002.patch new file mode 100644 index 0000000000..617f95d45e --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0002.patch
@@ -0,0 +1,33 @@
		1	From 21d869b77792b6f189eebf373e399747177d99e2 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
		3	Date: Tue, 16 Jul 2024 14:29:01 +0200
		4	Subject: [PATCH] cardos: Return error when response length is 0
		5
		6	Thanks Matteo Marini for report
		7	https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
		8
		9	fuzz_pkcs11/18
		10
		11	CVE: CVE-2024-45617
		12	Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/fdb9e903eb124b6b18a5a9350a26eceb775585bc]
		13
		14	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		15	---
		16	src/libopensc/card-cardos.c \| 2 +-
		17	1 file changed, 1 insertion(+), 1 deletion(-)
		18
		19	diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
		20	index 9906f6c72..6f10943a5 100644
		21	--- a/src/libopensc/card-cardos.c
		22	+++ b/src/libopensc/card-cardos.c
		23	@@ -1278,7 +1278,7 @@ cardos_lifecycle_get(sc_card_t card, int mode)
		24	LOG_TEST_RET(card->ctx, r, "Card returned error");
		25
		26	if (apdu.resplen < 1) {
		27	- LOG_TEST_RET(card->ctx, r, "Lifecycle byte not in response");
		28	+ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Lifecycle byte not in response");
		29	}
		30
		31	r = SC_SUCCESS;
		32	--
		33	2.34.1


diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0003.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0003.patch new file mode 100644 index 0000000000..cfb16b31bf --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0003.patch
@@ -0,0 +1,33 @@
		1	From efbc14ffa190e3e0ceecceb479024bb778b0ab68 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
		3	Date: Wed, 17 Jul 2024 10:39:52 +0200
		4	Subject: [PATCH] card-jpki: Check number of read bytes
		5
		6	Thanks Matteo Marini for report
		7	https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
		8
		9	fuzz_pkcs15_encode/18
		10
		11	CVE: CVE-2024-45617
		12	Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/efbc14ffa190e3e0ceecceb479024bb778b0ab68]
		13
		14	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		15	---
		16	src/libopensc/card-jpki.c \| 2 ++
		17	1 file changed, 2 insertions(+)
		18
		19	diff --git a/src/libopensc/card-jpki.c b/src/libopensc/card-jpki.c
		20	index 6e4d0f3165..71339491d1 100644
		21	--- a/src/libopensc/card-jpki.c
		22	+++ b/src/libopensc/card-jpki.c
		23	@@ -195,6 +195,8 @@ jpki_select_file(struct sc_card *card,
		24	u8 buf[4];
		25	rc = sc_read_binary(card, 0, buf, 4, 0);
		26	LOG_TEST_RET(card->ctx, rc, "SW Check failed");
		27	+ if (rc < 4)
		28	+ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Received data too short");
		29	file = sc_file_new();
		30	if (!file) {
		31	LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
		32	--
		33	2.34.1


diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb index ec01496709..89e2e0d5a5 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
@@ -41,6 +41,9 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
41	file://CVE-2024-45616-0008.patch \	41	file://CVE-2024-45616-0008.patch \
42	file://CVE-2024-45616-0009.patch \	42	file://CVE-2024-45616-0009.patch \
43	file://CVE-2024-45616-0010.patch \	43	file://CVE-2024-45616-0010.patch \
		44	file://CVE-2024-45617-0001.patch \
		45	file://CVE-2024-45617-0002.patch \
		46	file://CVE-2024-45617-0003.patch \
44	"	47	"
45		48
46	# CVE-2021-34193 is a duplicate CVE covering the 5 individual	49	# CVE-2021-34193 is a duplicate CVE covering the 5 individual