Your message dated Wed, 22 Dec 2010 15:02:12 +0000
with message-id <e1pvqci-0002ty...@franck.debian.org>
and subject line Bug#607427: fixed in opensc 0.11.13-1.1
has caused the Debian Bug report #607427,
regarding libopensc: CVE-2010-4523: buffer overflow from rogue cards
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
607427: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607427
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: opensc
Version: 0.11.13-1
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu natty ubuntu-patch



In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: specially crafted cards may be able to execute code.
    - debian/patches/min-max.patch: Add MIN and MAX macros for last patch
    - debian/patches/buffer-overflow.patch: Fix potential buffer overflow
      by rogue cards. (LP: #692483)

These are the upstream changesets:
https://www.opensc-project.org/opensc/changeset/4912
https://www.opensc-project.org/opensc/changeset/4913

This was originally submitted as an Ubuntu bug in:
https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/692483

This does not currently have a CVE assigned. Thanks for considering the patch.


-- System Information:
Debian Release: squeeze/sid
  APT prefers natty-updates
  APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-10-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru opensc-0.11.13/debian/changelog opensc-0.11.13/debian/changelog
diff -Nru opensc-0.11.13/debian/patches/buffer-overflow.patch opensc-0.11.13/debian/patches/buffer-overflow.patch
--- opensc-0.11.13/debian/patches/buffer-overflow.patch	1969-12-31 18:00:00.000000000 -0600
+++ opensc-0.11.13/debian/patches/buffer-overflow.patch	2010-12-21 08:02:31.000000000 -0600
@@ -0,0 +1,48 @@
+## Description: Fix buffer overflow
+## Origin: upstream, https://www.opensc-project.org/opensc/changeset/4913
+## Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/692483
+Index: opensc-0.11.13/src/libopensc/card-acos5.c
+===================================================================
+--- opensc-0.11.13.orig/src/libopensc/card-acos5.c	2010-12-21 09:50:31.963758002 +0100
++++ opensc-0.11.13/src/libopensc/card-acos5.c	2010-12-21 09:50:28.265608001 +0100
+@@ -140,8 +140,8 @@
+ 	/*
+ 	 * Cache serial number.
+ 	 */
+-	memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
+-	card->serialnr.len = apdu.resplen;
++	memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR)); 
++ 	       card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR); 
+ 
+ 	/*
+ 	 * Copy and return serial number.
+Index: opensc-0.11.13/src/libopensc/card-atrust-acos.c
+===================================================================
+--- opensc-0.11.13.orig/src/libopensc/card-atrust-acos.c	2010-12-21 09:50:31.903788002 +0100
++++ opensc-0.11.13/src/libopensc/card-atrust-acos.c	2010-12-21 09:50:28.265608001 +0100
+@@ -853,8 +853,8 @@
+ 	if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)
+ 		return SC_ERROR_INTERNAL;
+ 	/* cache serial number */
+-	memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
+-	card->serialnr.len = apdu.resplen;
++	memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR)); 
++ 	card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR); 
+ 	/* copy and return serial number */
+ 	memcpy(serial, &card->serialnr, sizeof(*serial));
+ 	return SC_SUCCESS;
+Index: opensc-0.11.13/src/libopensc/card-starcos.c
+===================================================================
+--- opensc-0.11.13.orig/src/libopensc/card-starcos.c	2010-12-21 09:50:32.043718002 +0100
++++ opensc-0.11.13/src/libopensc/card-starcos.c	2010-12-21 09:50:28.265608001 +0100
+@@ -1289,8 +1289,8 @@
+ 	if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)
+ 		return SC_ERROR_INTERNAL;
+ 	/* cache serial number */
+-	memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
+-	card->serialnr.len = apdu.resplen;
++	memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR)); 
++	card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR); 
+ 	/* copy and return serial number */
+ 	memcpy(serial, &card->serialnr, sizeof(*serial));
+ 	return SC_SUCCESS;
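
Review bot: Clamping with MIN(apdu.resplen, SC_MAX_SERIALNR) in all three drivers (card-acos5.c, card-atrust-acos.c, card-starcos.c) silently truncates an oversized response and still caches it as the card's serial number; card-atrust-acos.c and card-starcos.c then go on to return SC_SUCCESS. A response longer than the destination is malformed, so I would rather reject it before the memcpy, for example by returning an error such as the SC_ERROR_INTERNAL already used just above when apdu.resplen > sizeof(card->serialnr.value). Using sizeof on the destination also ties the bound to the array itself instead of relying on SC_MAX_SERIALNR matching its declared size, which this diff does not show. If truncation is kept, compute the clamped length once into a local and use it for both the copy and serialnr.len. The added lines carry trailing whitespace, and the serialnr.len lines in card-acos5.c and card-atrust-acos.c are indented with a space before the tab, so the acos5 one no longer lines up with the memcpy above it.
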
diff -Nru opensc-0.11.13/debian/patches/min-max.patch opensc-0.11.13/debian/patches/min-max.patch
--- opensc-0.11.13/debian/patches/min-max.patch	1969-12-31 18:00:00.000000000 -0600
+++ opensc-0.11.13/debian/patches/min-max.patch	2010-12-21 08:02:31.000000000 -0600
@@ -0,0 +1,39 @@
+## Description: Add MIN and MAX macros for buffer overflow patch
+## Origin: upstream, https://www.opensc-project.org/opensc/changeset/4912
+## Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/692483
+Index: opensc-0.11.13/src/libopensc/internal.h
+===================================================================
+--- opensc-0.11.13.orig/src/libopensc/internal.h	2010-12-21 09:51:32.763343000 +0100
++++ opensc-0.11.13/src/libopensc/internal.h	2010-12-21 09:51:29.894778002 +0100
+@@ -48,6 +48,13 @@
+ #else
+ #define msleep(t)	Sleep(t)
+ #define sleep(t)	Sleep((t) * 1000)
++#endif 
++
++#ifndef MAX 
++#define MAX(x, y) (((x) > (y)) ? (x) : (y)) 
++#endif 
++#ifndef MIN 
++#define MIN(x, y) (((x) < (y)) ? (x) : (y)) 
+ #endif
+ 
+ struct sc_atr_table {
+Index: opensc-0.11.13/src/libopensc/muscle.c
+===================================================================
+--- opensc-0.11.13.orig/src/libopensc/muscle.c	2010-12-21 09:51:32.693378000 +0100
++++ opensc-0.11.13/src/libopensc/muscle.c	2010-12-21 09:51:29.894778002 +0100
+@@ -28,13 +28,6 @@
+ #define MSC_DSA_PUBLIC		0x04
+ #define MSC_DSA_PRIVATE 	0x05
+ 
+-#ifndef MAX
+-#define MAX(x, y) (((x) > (y)) ? (x) : (y))
+-#endif
+-#ifndef MIN
+-#define MIN(x, y) (((x) < (y)) ? (x) : (y))
+-#endif
+-
+ static msc_id inputId = { { 0xFF, 0xFF, 0xFF, 0xFF } };
+ static msc_id outputId = { { 0xFF, 0xFF, 0xFF, 0xFE } };
+ 
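
Review bot: Nothing in this diff shows that card-acos5.c, card-atrust-acos.c and card-starcos.c include internal.h, which is where MIN now lives after being removed from muscle.c, so please confirm they do; the buffer-overflow fix depends on it. The internal.h hunk is also hard to read as generated: the added "#endif" closes the msleep/sleep block and the old context "#endif" ends up closing "#ifndef MIN". The result is balanced, but regenerating the diff so the macros are added after the existing "#endif" would make that obvious, and would be a chance to drop the trailing whitespace on the new lines. Since the macros are now in a shared header, a one-line comment that MIN and MAX evaluate each argument twice would help callers avoid passing expressions with side effects.
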
diff -Nru opensc-0.11.13/debian/patches/series opensc-0.11.13/debian/patches/series
--- opensc-0.11.13/debian/patches/series	2010-12-20 08:52:25.000000000 -0600
+++ opensc-0.11.13/debian/patches/series	2010-12-21 08:02:31.000000000 -0600
@@ -1,3 +1,5 @@
 debian-changes
 fix-storing-key-on-entersafe
 missing-libs.patch
+buffer-overflow.patch
+min-max.patch
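
Review bot: buffer-overflow.patch is listed before min-max.patch, but it uses the MIN macro that min-max.patch moves into internal.h, so the tree with only the first of the two applied depends on a macro that is not yet in the shared header. Swap the two series entries so that min-max.patch comes first and each step in the series stands on its own.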

--- End Message ---
--- Begin Message ---
Source: opensc
Source-Version: 0.11.13-1.1

We believe that the bug you reported is fixed in the latest version of
opensc, which is due to be installed in the Debian FTP archive:

libopensc2-dbg_0.11.13-1.1_amd64.deb
  to main/o/opensc/libopensc2-dbg_0.11.13-1.1_amd64.deb
libopensc2-dev_0.11.13-1.1_amd64.deb
  to main/o/opensc/libopensc2-dev_0.11.13-1.1_amd64.deb
libopensc2_0.11.13-1.1_amd64.deb
  to main/o/opensc/libopensc2_0.11.13-1.1_amd64.deb
mozilla-opensc_0.11.13-1.1_amd64.deb
  to main/o/opensc/mozilla-opensc_0.11.13-1.1_amd64.deb
opensc_0.11.13-1.1.debian.tar.bz2
  to main/o/opensc/opensc_0.11.13-1.1.debian.tar.bz2
opensc_0.11.13-1.1.dsc
  to main/o/opensc/opensc_0.11.13-1.1.dsc
opensc_0.11.13-1.1_amd64.deb
  to main/o/opensc/opensc_0.11.13-1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 607...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <j...@debian.org> (supplier of updated opensc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Wed, 22 Dec 2010 14:20:22 +0000
Source: opensc
Binary: opensc libopensc2-dev libopensc2 libopensc2-dbg mozilla-opensc
Architecture: source amd64
Version: 0.11.13-1.1
Distribution: unstable
Urgency: high
Maintainer: Eric Dorland <e...@debian.org>
Changed-By: Jonathan Wiltshire <j...@debian.org>
Description: 
 libopensc2 - Smart card library with support for PKCS#15 compatible smart card
 libopensc2-dbg - Debugging symbols for libopensc2
 libopensc2-dev - OpenSC development files
 mozilla-opensc - Mozilla plugin for authentication using OpenSC
 opensc     - Smart card utilities with support for PKCS#15 compatible cards
Closes: 607427
Changes: 
 opensc (0.11.13-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2010-4523: Protect against buffer overflow from rogue cards
     (closes: #607427)



--- End Message ---