Package: opensc
Version: 0.11.13-1
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu natty ubuntu-patch



In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: specially crafted cards may be able to execute code.
    - debian/patches/min-max.patch: Add MIN and MAX macros for last patch
    - debian/patches/buffer-overflow.patch: Fix potential buffer overflow
      by rogue cards. (LP: #692483)

These are the upstream changesets:
https://www.opensc-project.org/opensc/changeset/4912
https://www.opensc-project.org/opensc/changeset/4913

This was originally submitted as an Ubuntu bug in:
https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/692483

This does not currently have a CVE assigned. Thanks for considering the patch.


-- System Information:
Debian Release: squeeze/sid
  APT prefers natty-updates
  APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-10-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru opensc-0.11.13/debian/changelog opensc-0.11.13/debian/changelog
diff -Nru opensc-0.11.13/debian/patches/buffer-overflow.patch opensc-0.11.13/debian/patches/buffer-overflow.patch
--- opensc-0.11.13/debian/patches/buffer-overflow.patch	1969-12-31 18:00:00.000000000 -0600
+++ opensc-0.11.13/debian/patches/buffer-overflow.patch	2010-12-21 08:02:31.000000000 -0600
@@ -0,0 +1,48 @@
+## Description: Fix buffer overflow
+## Origin: upstream, https://www.opensc-project.org/opensc/changeset/4913
+## Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/692483
+Index: opensc-0.11.13/src/libopensc/card-acos5.c
+===================================================================
+--- opensc-0.11.13.orig/src/libopensc/card-acos5.c	2010-12-21 09:50:31.963758002 +0100
++++ opensc-0.11.13/src/libopensc/card-acos5.c	2010-12-21 09:50:28.265608001 +0100
+@@ -140,8 +140,8 @@
+ 	/*
+ 	 * Cache serial number.
+ 	 */
+-	memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
+-	card->serialnr.len = apdu.resplen;
++	memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR)); 
++ 	       card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR); 
+ 
+ 	/*
+ 	 * Copy and return serial number.
+Index: opensc-0.11.13/src/libopensc/card-atrust-acos.c
+===================================================================
+--- opensc-0.11.13.orig/src/libopensc/card-atrust-acos.c	2010-12-21 09:50:31.903788002 +0100
++++ opensc-0.11.13/src/libopensc/card-atrust-acos.c	2010-12-21 09:50:28.265608001 +0100
+@@ -853,8 +853,8 @@
+ 	if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)
+ 		return SC_ERROR_INTERNAL;
+ 	/* cache serial number */
+-	memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
+-	card->serialnr.len = apdu.resplen;
++	memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR)); 
++ 	card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR); 
+ 	/* copy and return serial number */
+ 	memcpy(serial, &card->serialnr, sizeof(*serial));
+ 	return SC_SUCCESS;
+Index: opensc-0.11.13/src/libopensc/card-starcos.c
+===================================================================
+--- opensc-0.11.13.orig/src/libopensc/card-starcos.c	2010-12-21 09:50:32.043718002 +0100
++++ opensc-0.11.13/src/libopensc/card-starcos.c	2010-12-21 09:50:28.265608001 +0100
+@@ -1289,8 +1289,8 @@
+ 	if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)
+ 		return SC_ERROR_INTERNAL;
+ 	/* cache serial number */
+-	memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
+-	card->serialnr.len = apdu.resplen;
++	memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR)); 
++	card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR); 
+ 	/* copy and return serial number */
+ 	memcpy(serial, &card->serialnr, sizeof(*serial));
+ 	return SC_SUCCESS;
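Review bot: Clamping the copy with `MIN(apdu.resplen, SC_MAX_SERIALNR)` stops the overflow, but an over-long response is then silently truncated and cached as the card's serial number, in all three drivers (card-acos5.c, card-atrust-acos.c, card-starcos.c). A response larger than the destination is malformed card data, so rejecting it is the safer behaviour: `if (apdu.resplen > sizeof(card->serialnr.value)) return SC_ERROR_INTERNAL;` ahead of the `memcpy`. Bounding on `sizeof(card->serialnr.value)` instead of the constant also keeps the check tied to the real buffer, assuming `value` is an array; its declaration is not visible here. The enclosing functions start and end outside the quoted hunks, so whether other copies from `apdu.resp` in these drivers need the same bound cannot be judged from this patch.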
diff -Nru opensc-0.11.13/debian/patches/min-max.patch opensc-0.11.13/debian/patches/min-max.patch
--- opensc-0.11.13/debian/patches/min-max.patch	1969-12-31 18:00:00.000000000 -0600
+++ opensc-0.11.13/debian/patches/min-max.patch	2010-12-21 08:02:31.000000000 -0600
@@ -0,0 +1,39 @@
+## Description: Add MIN and MAX macros for buffer overflow patch
+## Origin: upstream, https://www.opensc-project.org/opensc/changeset/4912
+## Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/692483
+Index: opensc-0.11.13/src/libopensc/internal.h
+===================================================================
+--- opensc-0.11.13.orig/src/libopensc/internal.h	2010-12-21 09:51:32.763343000 +0100
++++ opensc-0.11.13/src/libopensc/internal.h	2010-12-21 09:51:29.894778002 +0100
+@@ -48,6 +48,13 @@
+ #else
+ #define msleep(t)	Sleep(t)
+ #define sleep(t)	Sleep((t) * 1000)
++#endif 
++
++#ifndef MAX 
++#define MAX(x, y) (((x) > (y)) ? (x) : (y)) 
++#endif 
++#ifndef MIN 
++#define MIN(x, y) (((x) < (y)) ? (x) : (y)) 
+ #endif
+ 
+ struct sc_atr_table {
+Index: opensc-0.11.13/src/libopensc/muscle.c
+===================================================================
+--- opensc-0.11.13.orig/src/libopensc/muscle.c	2010-12-21 09:51:32.693378000 +0100
++++ opensc-0.11.13/src/libopensc/muscle.c	2010-12-21 09:51:29.894778002 +0100
+@@ -28,13 +28,6 @@
+ #define MSC_DSA_PUBLIC		0x04
+ #define MSC_DSA_PRIVATE 	0x05
+ 
+-#ifndef MAX
+-#define MAX(x, y) (((x) > (y)) ? (x) : (y))
+-#endif
+-#ifndef MIN
+-#define MIN(x, y) (((x) < (y)) ? (x) : (y))
+-#endif
+-
+ static msc_id inputId = { { 0xFF, 0xFF, 0xFF, 0xFF } };
+ static msc_id outputId = { { 0xFF, 0xFF, 0xFF, 0xFE } };
+ 
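Review bot: The `MIN`/`MAX` macros moved into internal.h evaluate each argument more than once, and nothing at the definition says so. Now that they are shared by every file that includes the header rather than private to muscle.c, a comment above them is worth adding, for example `/* MIN/MAX evaluate their arguments more than once; do not pass expressions with side effects. */`. The uses added by buffer-overflow.patch pass only `apdu.resplen` and a constant, so they are not affected.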
diff -Nru opensc-0.11.13/debian/patches/series opensc-0.11.13/debian/patches/series
--- opensc-0.11.13/debian/patches/series	2010-12-20 08:52:25.000000000 -0600
+++ opensc-0.11.13/debian/patches/series	2010-12-21 08:02:31.000000000 -0600
@@ -1,3 +1,5 @@
 debian-changes
 fix-storing-key-on-entersafe
 missing-libs.patch
+buffer-overflow.patch
+min-max.patch
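Review bot: The series lists `buffer-overflow.patch` ahead of `min-max.patch`, although the first uses the `MIN` macro that the second adds to internal.h. The final tree is the same either way, but unless the three drivers already get a `MIN` definition from elsewhere (not visible here), the tree with only the first patch applied would not compile. Listing the dependency first, `min-max.patch` and then `buffer-overflow.patch`, keeps every intermediate state of the series buildable.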
