Package: opensc Version: 0.11.13-1 Severity: grave Tags: patch security Justification: user security hole User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu natty ubuntu-patch
In Ubuntu, the attached patch was applied to achieve the following: * SECURITY UPDATE: specially crafted cards may be able to execute code. - debian/patches/min-max.patch: Add MIN and MAX macros for last patch - debian/patches/buffer-overflow.patch: Fix potential buffer overflow by rogue cards. (LP: #692483) These are the upstream changesets: https://www.opensc-project.org/opensc/changeset/4912 https://www.opensc-project.org/opensc/changeset/4913 This was originally submitted as an Ubuntu bug in: https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/692483 This does not currently have a CVE assigned. Thanks for considering the patch. -- System Information: Debian Release: squeeze/sid APT prefers natty-updates APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty') Architecture: amd64 (x86_64) Kernel: Linux 2.6.37-10-generic (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru opensc-0.11.13/debian/changelog opensc-0.11.13/debian/changelog
diff -Nru opensc-0.11.13/debian/patches/buffer-overflow.patch opensc-0.11.13/debian/patches/buffer-overflow.patch
--- opensc-0.11.13/debian/patches/buffer-overflow.patch 1969-12-31 18:00:00.000000000 -0600
+++ opensc-0.11.13/debian/patches/buffer-overflow.patch 2010-12-21 08:02:31.000000000 -0600
@@ -0,0 +1,48 @@
+## Description: Fix buffer overflow
+## Origin: upstream, https://www.opensc-project.org/opensc/changeset/4913
+## Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/692483
+Index: opensc-0.11.13/src/libopensc/card-acos5.c
+===================================================================
+--- opensc-0.11.13.orig/src/libopensc/card-acos5.c 2010-12-21 09:50:31.963758002 +0100
++++ opensc-0.11.13/src/libopensc/card-acos5.c 2010-12-21 09:50:28.265608001 +0100
+@@ -140,8 +140,8 @@
+ /*
+ * Cache serial number.
+ */
+- memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
+- card->serialnr.len = apdu.resplen;
++ memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR));
++ card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR);
+ 
+ /*
+ * Copy and return serial number.
+Index: opensc-0.11.13/src/libopensc/card-atrust-acos.c
+===================================================================
+--- opensc-0.11.13.orig/src/libopensc/card-atrust-acos.c 2010-12-21 09:50:31.903788002 +0100
++++ opensc-0.11.13/src/libopensc/card-atrust-acos.c 2010-12-21 09:50:28.265608001 +0100
+@@ -853,8 +853,8 @@
+ if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)
+ return SC_ERROR_INTERNAL;
+ /* cache serial number */
+- memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
+- card->serialnr.len = apdu.resplen;
++ memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR));
++ card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR);
+ /* copy and return serial number */
+ memcpy(serial, &card->serialnr, sizeof(*serial));
+ return SC_SUCCESS;
+Index: opensc-0.11.13/src/libopensc/card-starcos.c
+===================================================================
+--- opensc-0.11.13.orig/src/libopensc/card-starcos.c 2010-12-21 09:50:32.043718002 +0100
++++ opensc-0.11.13/src/libopensc/card-starcos.c 2010-12-21 09:50:28.265608001 +0100
+@@ -1289,8 +1289,8 @@
+ if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)
+ return SC_ERROR_INTERNAL;
+ /* cache serial number */
+- memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
+- card->serialnr.len = apdu.resplen;
++ memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR));
++ card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR);
+ /* copy and return serial number */
+ memcpy(serial, &card->serialnr, sizeof(*serial));
+ return SC_SUCCESS;
diff -Nru opensc-0.11.13/debian/patches/min-max.patch opensc-0.11.13/debian/patches/min-max.patch
--- opensc-0.11.13/debian/patches/min-max.patch 1969-12-31 18:00:00.000000000 -0600
+++ opensc-0.11.13/debian/patches/min-max.patch 2010-12-21 08:02:31.000000000 -0600
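Review bot: The `MIN(apdu.resplen, SC_MAX_SERIALNR)` clamp added in all three drivers (card-acos5.c, card-atrust-acos.c, card-starcos.c) silently truncates an over-long card response and caches the result as the serial number, so a malformed or hostile card is accepted with an altered identifier rather than rejected. Because the response length is card-controlled, I would fail closed before the copy, e.g. `if (apdu.resplen > sizeof(card->serialnr.value)) return SC_ERROR_INTERNAL;`, unless some supported cards are known to return longer serials. Using `sizeof` also ties the bound to the destination buffer instead of a constant that is only assumed to match it; the declaration of `serialnr` is not visible here. If truncation is kept, compute the clamped length once into a local and use it for both the `memcpy` and `serialnr.len`, so the two cannot drift apart. The enclosing functions start and end outside these hunks.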
@@ -0,0 +1,39 @@
+## Description: Add MIN and MAX macros for buffer overflow patch
+## Origin: upstream, https://www.opensc-project.org/opensc/changeset/4912
+## Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/692483
+Index: opensc-0.11.13/src/libopensc/internal.h
+===================================================================
+--- opensc-0.11.13.orig/src/libopensc/internal.h 2010-12-21 09:51:32.763343000 +0100
++++ opensc-0.11.13/src/libopensc/internal.h 2010-12-21 09:51:29.894778002 +0100
+@@ -48,6 +48,13 @@
+ #else
+ #define msleep(t) Sleep(t)
+ #define sleep(t) Sleep((t) * 1000)
++#endif
++
++#ifndef MAX
++#define MAX(x, y) (((x) > (y)) ? (x) : (y))
++#endif
++#ifndef MIN
++#define MIN(x, y) (((x) < (y)) ? (x) : (y))
+ #endif
+ 
+ struct sc_atr_table {
+Index: opensc-0.11.13/src/libopensc/muscle.c
+===================================================================
+--- opensc-0.11.13.orig/src/libopensc/muscle.c 2010-12-21 09:51:32.693378000 +0100
++++ opensc-0.11.13/src/libopensc/muscle.c 2010-12-21 09:51:29.894778002 +0100
+@@ -28,13 +28,6 @@
+ #define MSC_DSA_PUBLIC 0x04
+ #define MSC_DSA_PRIVATE 0x05
+ 
+-#ifndef MAX
+-#define MAX(x, y) (((x) > (y)) ? (x) : (y))
+-#endif
+-#ifndef MIN
+-#define MIN(x, y) (((x) < (y)) ? (x) : (y))
+-#endif
+-
+ static msc_id inputId = { { 0xFF, 0xFF, 0xFF, 0xFF } };
+ static msc_id outputId = { { 0xFF, 0xFF, 0xFF, 0xFE } };
+ 
diff -Nru opensc-0.11.13/debian/patches/series opensc-0.11.13/debian/patches/series
--- opensc-0.11.13/debian/patches/series 2010-12-20 08:52:25.000000000 -0600
+++ opensc-0.11.13/debian/patches/series 2010-12-21 08:02:31.000000000 -0600
@@ -1,3 +1,5 @@
 debian-changes
 fix-storing-key-on-entersafe
 missing-libs.patch
+buffer-overflow.patch
+min-max.patch
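Review bot: The `MIN`/`MAX` definitions moved into internal.h carry no comment, although the companion patch now relies on `MIN` as a memory-safety bound. I would add above them `/* MIN/MAX evaluate each argument twice and follow the usual arithmetic conversions: no side effects in arguments, no mixed signed/unsigned operands. */`. With `apdu.resplen` and a constant this is harmless, but a later caller passing a signed length would get a comparison that does not bound what it appears to. The `#ifndef` guards also mean a definition from an earlier-included system header silently wins; it is presumably equivalent, but that is worth confirming on the supported platforms.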
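Review bot: `buffer-overflow.patch` is appended to the series before `min-max.patch`, but the former uses `MIN`, which the latter makes available through internal.h; the upstream changesets cited in the patch headers are also in the opposite order (4912, then 4913). The final tree is the same either way, but unless the three drivers already see a `MIN` definition (not visible here), the intermediate state does not build, which hampers bisecting. I would list `min-max.patch` first.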