Am 08.11.23 um 02:15 schrieb Bastian Germann:
[x] attach debdiff against the package in (old)stable
diff -Nru opensc-0.23.0/debian/changelog opensc-0.23.0/debian/changelog
--- opensc-0.23.0/debian/changelog 2023-06-01 20:30:18.000000000 +0000
+++ opensc-0.23.0/debian/changelog 2023-11-08 00:26:46.000000000 +0000
@@ -1,3 +1,12 @@
+opensc (0.23.0-0.3+deb12u1) bookworm; urgency=medium
+
+ * Team upload
+ * Fix CVE-2023-4535 with two upstream patches (Closes: #1055520)
+ * Fix CVE-2023-40660 with upstream patch (Closes: #1055521)
+ * Fix CVE-2023-40661 with upstream patches (Closes: #1055522)
+
+ -- Bastian Germann <b...@debian.org> Wed, 08 Nov 2023 01:26:46 +0100
+
 opensc (0.23.0-0.3) unstable; urgency=medium
 
 * Non-maintainer upload.
diff -Nru opensc-0.23.0/debian/patches/0006-CVE-2023-4535.patch opensc-0.23.0/debian/patches/0006-CVE-2023-4535.patch
--- opensc-0.23.0/debian/patches/0006-CVE-2023-4535.patch 1970-01-01 00:00:00.000000000 +0000
+++ opensc-0.23.0/debian/patches/0006-CVE-2023-4535.patch 2023-11-08 00:26:46.000000000 +0000
@@ -0,0 +1,54 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/cde2e050ec4f2f1b7db38429aa4e9c0f4656308c
+From: Peter Popovec <popovec.pe...@gmail.com>
+Date: Wed, 26 Apr 2023 13:22:09 +0200
+Subject: NULL pointer fix
+
+Thanks to the clang analyzer:
+ Null pointer passed to 2nd parameter expecting 'nonnull'
+ [clang-analyzer-core.NonNullParamChecker]
+
+ modified: src/libopensc/card-myeid.c
+---
+ src/libopensc/card-myeid.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/src/libopensc/card-myeid.c b/src/libopensc/card-myeid.c
+index 31dd209f3e..951c179f1b 100644
+--- a/src/libopensc/card-myeid.c
++++ b/src/libopensc/card-myeid.c
+@@ -1973,6 +1973,9 @@ myeid_enc_dec_sym(struct sc_card *card, const u8 *data, size_t datalen,
+ return_len = block_size - pad_byte;
+ }
+ *outlen = return_len;
++ /* application can request buffer size or actual buffer size is too small */
++ if (out == NULL)
++ LOG_FUNC_RETURN(ctx, SC_SUCCESS);
+ if (return_len > *outlen)
+ LOG_FUNC_RETURN(ctx, SC_ERROR_BUFFER_TOO_SMALL);
+ memcpy(out, priv->sym_plain_buffer, return_len);
+@@ -2042,10 +2045,11 @@ myeid_enc_dec_sym(struct sc_card *card, const u8 *data, size_t datalen,
+ priv->sym_crypt_buffer_len = 0;
+ rest_len = 0;
+ }
+- memcpy(sdata, data, apdu_datalen);
+- data += apdu_datalen;
+- datalen -= apdu_datalen;
+-
++ if (data) {
++ memcpy(sdata, data, apdu_datalen);
++ data += apdu_datalen;
++ datalen -= apdu_datalen;
++ }
+ r = sc_transmit_apdu(card, &apdu);
+ LOG_TEST_RET(ctx, r, "APDU transmit failed");
+ r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+@@ -2084,7 +2088,8 @@ myeid_enc_dec_sym(struct sc_card *card, const u8 *data, size_t datalen,
+ /* save rest of data for next run */
+ priv->sym_crypt_buffer_len = datalen;
+ sc_log(ctx, "rest data len = %zu", datalen);
+- memcpy(priv->sym_crypt_buffer, data, datalen);
++ if (data)
++ memcpy(priv->sym_crypt_buffer, data, datalen);
+ sc_log(ctx, "return data len = %zu", return_len);
+ *outlen = return_len;
+ return SC_SUCCESS;
diff -Nru opensc-0.23.0/debian/patches/0007-CVE-2023-4535.patch opensc-0.23.0/debian/patches/0007-CVE-2023-4535.patch
--- opensc-0.23.0/debian/patches/0007-CVE-2023-4535.patch 1970-01-01 00:00:00.000000000 +0000
+++ opensc-0.23.0/debian/patches/0007-CVE-2023-4535.patch 2023-11-08 00:26:46.000000000 +0000
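Review bot: In the first card-myeid.c hunk the added early return for `out == NULL` sits below `*outlen = return_len;`, so the `if (return_len > *outlen)` comparison that follows can never be true and the caller-supplied buffer size is not checked before `memcpy(out, priv->sym_plain_buffer, return_len)`. Patch 0007 in this same series moves the assignment below the comparison, so 0006 must not be applied or backported without 0007; the `series` file keeps them adjacent, which is the right outcome. The `if (data)` guards in the other two hunks silence the analyzer but say nothing about what a NULL `data` means at that point; a one-line comment there stating the intended caller contract would help, and that contract cannot be inferred from the hunk. myeid_enc_dec_sym starts and ends outside these hunks.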
@@ -0,0 +1,39 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/f1993dc4e0b33050b8f72a3558ee88b24c4063b2
+From: Peter Popovec <popovec.pe...@gmail.com>
+Date: Tue, 27 Jun 2023 09:50:42 +0200
+Subject: myeid: fixed CID 380538 Out-of-bounds read (OVERRUN)
+
+also fixes output buffer size checking
+---
+ src/libopensc/card-myeid.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/libopensc/card-myeid.c b/src/libopensc/card-myeid.c
+index 4ee4246840..50e78ff1d8 100644
+--- a/src/libopensc/card-myeid.c
++++ b/src/libopensc/card-myeid.c
+@@ -1986,18 +1986,20 @@ myeid_enc_dec_sym(struct sc_card *card, const u8 *data, size_t datalen,
+ sc_log(ctx, "Found padding byte %02x", pad_byte);
+ if (pad_byte == 0 || pad_byte > block_size)
+ LOG_FUNC_RETURN(ctx, SC_ERROR_WRONG_PADDING);
+- sdata = priv->sym_plain_buffer + block_size - pad_byte;
++ sdata = priv->sym_plain_buffer + block_size;
+ for (i = 0; i < pad_byte; i++)
+- if (sdata[i] != pad_byte)
++ if (*(--sdata) != pad_byte)
+ LOG_FUNC_RETURN(ctx, SC_ERROR_WRONG_PADDING);
+ return_len = block_size - pad_byte;
+ }
+- *outlen = return_len;
+ /* application can request buffer size or actual buffer size is too small */
+- if (out == NULL)
++ if (out == NULL) {
++ *outlen = return_len;
+ LOG_FUNC_RETURN(ctx, SC_SUCCESS);
++ }
+ if (return_len > *outlen)
+ LOG_FUNC_RETURN(ctx, SC_ERROR_BUFFER_TOO_SMALL);
++ *outlen = return_len;
+ memcpy(out, priv->sym_plain_buffer, return_len);
+ sc_log(ctx, "C_DecryptFinal %zu bytes", *outlen);
+ return SC_SUCCESS;
diff -Nru opensc-0.23.0/debian/patches/0008-CVE-2023-40660.patch opensc-0.23.0/debian/patches/0008-CVE-2023-40660.patch
--- opensc-0.23.0/debian/patches/0008-CVE-2023-40660.patch 1970-01-01 00:00:00.000000000 +0000
+++ opensc-0.23.0/debian/patches/0008-CVE-2023-40660.patch 2023-11-08 00:26:46.000000000 +0000
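Review bot: The backwards walk `*(--sdata)` is only in bounds because of the guard two lines above (`pad_byte == 0 || pad_byte > block_size`), and that dependency is not stated, so a later relaxation of the guard would silently reintroduce the underrun. Add a comment on the `sdata = priv->sym_plain_buffer + block_size;` line: `/* pad_byte is in [1, block_size] (checked above), so stepping back pad_byte bytes from the end of the block cannot underrun the buffer */`. Moving `*outlen = return_len;` below the `return_len > *outlen` comparison is what makes the caller-supplied size check effective again after 0006 had short-circuited it; that is worth a sentence in the patch header rather than the terse "also fixes output buffer size checking". myeid_enc_dec_sym continues outside the hunk.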
@@ -0,0 +1,50 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/868f76fb31255fd3fdacfc3e476452efeb61c3e7
+From: Frank Morgner <frankmorg...@gmail.com>
+Date: Wed, 21 Jun 2023 12:27:23 +0200
+Subject: Fixed PIN authentication bypass
+
+If two processes are accessing a token, then one process may leave the
+card usable with an authenticated PIN so that a key may sign/decrypt any
+data. This is especially the case if the token does not support a way of
+resetting the authentication status (logout).
+
+We have some tracking of the authentication status in software via
+PKCS#11, Minidriver (os-wise) and CryptoTokenKit, which is why a
+PIN-prompt will appear even though the card may technically be unlocked
+as described in the above example. However, before this change, an empty
+PIN was not verified (likely yielding an error during PIN-verification),
+but it was just checked whether the PIN is authenticated. This defeats
+the purpose of the PIN verification, because an empty PIN is not the
+correct one. Especially during OS Logon, we don't want that kind of
+shortcut, but we want the user to verify the correct PIN (even though
+the token was left unattended and authentication at the computer).
+
+This essentially reverts commit e6f7373ef066cfab6e3162e8b5f692683db23864.
+---
+ src/libopensc/pkcs15-pin.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c
+index 80a185fecd..393234efe4 100644
+--- a/src/libopensc/pkcs15-pin.c
++++ b/src/libopensc/pkcs15-pin.c
+@@ -307,19 +307,6 @@ sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pi
+ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE);
+ auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data;
+
+- /*
+- * if pin cache is disabled, we can get here with no PIN data.
+- * in this case, to avoid error or unnecessary pin prompting on pinpad,
+- * check if the PIN has been already verified and the access condition
+- * is still open on card.
+- */
+- if (pinlen == 0) {
+- r = sc_pkcs15_get_pin_info(p15card, pin_obj);
+-
+- if (r == SC_SUCCESS && auth_info->logged_in == SC_PIN_STATE_LOGGED_IN)
+- LOG_FUNC_RETURN(ctx, r);
+- }
+-
+ r = _validate_pin(p15card, auth_info, pinlen);
+
+ if (r)
diff -Nru opensc-0.23.0/debian/patches/0009-CVE-2023-40661.patch opensc-0.23.0/debian/patches/0009-CVE-2023-40661.patch
--- opensc-0.23.0/debian/patches/0009-CVE-2023-40661.patch 1970-01-01 00:00:00.000000000 +0000
+++ opensc-0.23.0/debian/patches/0009-CVE-2023-40661.patch 2023-11-08 00:26:46.000000000 +0000
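Review bot: The reason the `pinlen == 0` shortcut is gone lives only in the commit message; at the deletion site nothing stops a future change from reintroducing it for the pinpad convenience it was originally added for. A comment before `r = _validate_pin(p15card, auth_info, pinlen);` would anchor the decision in the code: `/* Never treat an empty PIN as already verified: the logged_in state can be left behind by another process on the same token (CVE-2023-40660); always validate and verify. */`. Whether a zero-length PIN still reaches the card as a pinpad request via `_validate_pin`, and how a stale `logged_in` is reset, is outside the hunk; sc_pkcs15_verify_pin continues beyond it.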
@@ -0,0 +1,40 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/245efe608d083fd4e4ec96793fdefd218e26fde7
+From: Jakub Jelen <jje...@redhat.com>
+Date: Thu, 17 Aug 2023 13:54:42 +0200
+Subject: pkcs15: Avoid buffer overflow when getting last update
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60769
+---
+ src/libopensc/pkcs15.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/libopensc/pkcs15.c b/src/libopensc/pkcs15.c
+index eb7fc6afcd..4215b733a8 100644
+--- a/src/libopensc/pkcs15.c
++++ b/src/libopensc/pkcs15.c
+@@ -532,7 +532,7 @@ sc_pkcs15_get_lastupdate(struct sc_pkcs15_card *p15card)
+ struct sc_context *ctx = p15card->card->ctx;
+ struct sc_file *file = NULL;
+ struct sc_asn1_entry asn1_last_update[C_ASN1_LAST_UPDATE_SIZE];
+- unsigned char *content, last_update[32];
++ unsigned char *content, last_update[32] = {0};
+ size_t lupdate_len = sizeof(last_update) - 1;
+ int r, content_len;
+ size_t size;
+@@ -569,9 +569,11 @@ sc_pkcs15_get_lastupdate(struct sc_pkcs15_card *p15card)
+ if (r < 0)
+ return NULL;
+
+- p15card->tokeninfo->last_update.gtime = strdup((char *)last_update);
+- if (!p15card->tokeninfo->last_update.gtime)
+- return NULL;
++ if (asn1_last_update[0].flags & SC_ASN1_PRESENT) {
++ p15card->tokeninfo->last_update.gtime = strdup((char *)last_update);
++ if (!p15card->tokeninfo->last_update.gtime)
++ return NULL;
++ }
+ done:
+ sc_log(ctx, "lastUpdate.gtime '%s'", p15card->tokeninfo->last_update.gtime);
+ return p15card->tokeninfo->last_update.gtime;
diff -Nru opensc-0.23.0/debian/patches/0010-CVE-2023-40661.patch opensc-0.23.0/debian/patches/0010-CVE-2023-40661.patch
--- opensc-0.23.0/debian/patches/0010-CVE-2023-40661.patch 1970-01-01 00:00:00.000000000 +0000
+++ opensc-0.23.0/debian/patches/0010-CVE-2023-40661.patch 2023-11-08 00:26:46.000000000 +0000
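Review bot: When `asn1_last_update[0].flags & SC_ASN1_PRESENT` is false the function now falls through to `done:` without touching `last_update.gtime`, and `sc_log(ctx, "lastUpdate.gtime '%s'", ...)` is then handed whatever the field already held — a NULL pointer if it was never set, which `%s` does not define (glibc prints "(null)", other libcs may crash). Guard the log: `sc_log(ctx, "lastUpdate.gtime '%s'", p15card->tokeninfo->last_update.gtime ? p15card->tokeninfo->last_update.gtime : "(none)");`. The `= {0}` initialiser together with `lupdate_len = sizeof(last_update) - 1` is what guarantees the later `strdup` sees a NUL terminator; a comment on the declaration saying so would keep the two lines from drifting apart. Whether `gtime` can already be non-NULL on entry is outside the hunk.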
@@ -0,0 +1,27 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/440ca666eff10cc7011901252d20f3fc4ea23651
+From: Jakub Jelen <jje...@redhat.com>
+Date: Thu, 17 Aug 2023 13:41:36 +0200
+Subject: setcos: Avoid buffer underflow
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60672
+---
+ src/pkcs15init/pkcs15-setcos.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/pkcs15init/pkcs15-setcos.c b/src/pkcs15init/pkcs15-setcos.c
+index 1b56afe6d9..1907b47f9d 100644
+--- a/src/pkcs15init/pkcs15-setcos.c
++++ b/src/pkcs15init/pkcs15-setcos.c
+@@ -349,6 +349,10 @@ setcos_create_key(sc_profile_t *profile, sc_pkcs15_card_t *p15card,
+
+ /* Replace the path of instantiated key template by the path from the object data. */
+ memcpy(&file->path, &key_info->path, sizeof(file->path));
++ if (file->path.len < 2) {
++ sc_file_free(file);
++ LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Invalid path");
++ }
+ file->id = file->path.value[file->path.len - 2] * 0x100
+ + file->path.value[file->path.len - 1];
+
diff -Nru opensc-0.23.0/debian/patches/0011-CVE-2023-40661.patch opensc-0.23.0/debian/patches/0011-CVE-2023-40661.patch
--- opensc-0.23.0/debian/patches/0011-CVE-2023-40661.patch 1970-01-01 00:00:00.000000000 +0000
+++ opensc-0.23.0/debian/patches/0011-CVE-2023-40661.patch 2023-11-08 00:26:46.000000000 +0000
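Review bot: The same "path shorter than two bytes" condition is rejected with `SC_ERROR_INVALID_DATA` here, `SC_ERROR_OBJECT_NOT_VALID` in 0011 and `SC_ERROR_INVALID_ARGUMENTS` in 0013, so a caller mapping return codes gets three answers for one malformed input; not something to change in a stable update, but worth a line in the changelog or a follow-up upstream. The check is correctly placed between the `memcpy` into `file->path` and the `file->path.value[file->path.len - 2]` read, and `sc_file_free(file)` before returning looks like the right ownership, presumably because `file` was instantiated by this function above the hunk — confirm. The `file->id` computation also reads `value[len - 1]`, which the same `len >= 2` bound covers. setcos_create_key starts and ends outside the hunk.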
@@ -0,0 +1,26 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/41d61da8481582e12710b5858f8b635e0a71ab5e
+From: Jakub Jelen <jje...@redhat.com>
+Date: Wed, 20 Sep 2023 10:13:57 +0200
+Subject: oberthur: Avoid buffer overflow
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650
+---
+ src/pkcs15init/pkcs15-oberthur.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/pkcs15init/pkcs15-oberthur.c b/src/pkcs15init/pkcs15-oberthur.c
+index ad2cabd530..c441ab1e76 100644
+--- a/src/pkcs15init/pkcs15-oberthur.c
++++ b/src/pkcs15init/pkcs15-oberthur.c
+@@ -715,6 +715,9 @@ cosm_create_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
+ if (object->type != SC_PKCS15_TYPE_PRKEY_RSA)
+ LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Create key failed: RSA only supported");
+
++ if (key_info->path.len < 2)
++ LOG_TEST_RET(ctx, SC_ERROR_OBJECT_NOT_VALID, "The path needs to be at least to bytes long");
++
+ sc_log(ctx, "create private key ID:%s", sc_pkcs15_print_id(&key_info->id));
+ /* Here, the path of private key file should be defined.
+ * Nevertheless, we need to instantiate private key to get the ACLs. */
diff -Nru opensc-0.23.0/debian/patches/0012-CVE-2023-40661.patch opensc-0.23.0/debian/patches/0012-CVE-2023-40661.patch
--- opensc-0.23.0/debian/patches/0012-CVE-2023-40661.patch 1970-01-01 00:00:00.000000000 +0000
+++ opensc-0.23.0/debian/patches/0012-CVE-2023-40661.patch 2023-11-08 00:26:46.000000000 +0000
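Review bot: The added error message reads `"The path needs to be at least to bytes long"`; `to` should be `two`: `LOG_TEST_RET(ctx, SC_ERROR_OBJECT_NOT_VALID, "The path needs to be at least two bytes long");`. It is only a log string, so the fix is cosmetic, but it is the text an operator will grep for when a key creation fails. The check is placed before `sc_pkcs15_print_id` and before the key instantiation mentioned in the comment below it, so nothing visible in the hunk is leaked by the early return; cosm_create_key continues outside the hunk, where the `path.value[len - 2]` access this guards presumably lives.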
@@ -0,0 +1,23 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/578aed8391ef117ca64a9e0cba8e5c264368a0ec
+From: Frank Morgner <frankmorg...@gmail.com>
+Date: Thu, 8 Dec 2022 00:27:18 +0100
+Subject: sc_pkcs15init_rmdir: prevent out of bounds write
+
+fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53927
+---
+ src/pkcs15init/pkcs15-lib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
+index 91cee37310..3df03c6e1f 100644
+--- a/src/pkcs15init/pkcs15-lib.c
++++ b/src/pkcs15init/pkcs15-lib.c
+@@ -685,6 +685,8 @@ sc_pkcs15init_rmdir(struct sc_pkcs15_card *p15card, struct sc_profile *profile,
+
+ path = df->path;
+ path.len += 2;
++ if (path.len > SC_MAX_PATH_SIZE)
++ return SC_ERROR_INTERNAL;
+
+ nfids = r / 2;
+ while (r >= 0 && nfids--) {
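Review bot: The bound is checked only after `path.len += 2;` has already pushed the local copy past `SC_MAX_PATH_SIZE`; that is harmless here because `path` is a copy of `df->path`, but checking the input before mutating reads more naturally and cannot be broken by a later change that drops the copy: `if (df->path.len + 2 > SC_MAX_PATH_SIZE) return SC_ERROR_INTERNAL;` placed before the increment. `SC_ERROR_INTERNAL` for a length that comes from card or profile data is also at odds with the rest of this series, which uses `SC_ERROR_INVALID_DATA` / `SC_ERROR_INVALID_ARGUMENTS` for malformed paths. Where the two extra bytes are written into `path.value` is below the hunk, so whether `>` or `>=` is the exact bound cannot be confirmed from here; sc_pkcs15init_rmdir starts and ends outside it.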
@@ -0,0 +1,25 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/c449a181a6988cc1e8dc8764d23574e48cdc3fa6
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanu...@redhat.com>
+Date: Mon, 19 Jun 2023 16:14:51 +0200
+Subject: pkcs15-cflex: check path length to prevent underflow
+
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58932
+---
+ src/pkcs15init/pkcs15-cflex.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/pkcs15init/pkcs15-cflex.c b/src/pkcs15init/pkcs15-cflex.c
+index d06568073d..ce1d48e62c 100644
+--- a/src/pkcs15init/pkcs15-cflex.c
++++ b/src/pkcs15init/pkcs15-cflex.c
+@@ -56,6 +56,9 @@ cflex_delete_file(sc_profile_t *profile, sc_pkcs15_card_t *p15card, sc_file_t *d
+ int r = 0;
+ /* Select the parent DF */
+ path = df->path;
++ if (path.len < 2) {
++ return SC_ERROR_INVALID_ARGUMENTS;
++ }
+ path.len -= 2;
+ r = sc_select_file(p15card->card, &path, &parent);
+ if (r < 0)
@@ -0,0 +1,25 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/df5a176bfdf8c52ba89c7fef1f82f6f3b9312bc1
+From: Veronika Hanulikova <xhanu...@fi.muni.cz>
+Date: Fri, 10 Feb 2023 11:47:34 +0100
+Subject: Check array bounds
+
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54312
+---
+ src/libopensc/muscle.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/libopensc/muscle.c b/src/libopensc/muscle.c
+index 61a4ec24d8..9d01e0c113 100644
+--- a/src/libopensc/muscle.c
++++ b/src/libopensc/muscle.c
+@@ -181,6 +181,9 @@ int msc_partial_update_object(sc_card_t *card, msc_id objectId, int offset, cons
+ sc_apdu_t apdu;
+ int r;
+
++ if (dataLength + 9 > MSC_MAX_APDU)
++ return SC_ERROR_INVALID_ARGUMENTS;
++
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x54, 0x00, 0x00);
+ apdu.lc = dataLength + 9;
+ if (card->ctx->debug >= 2)
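Review bot: The guard `dataLength + 9 > MSC_MAX_APDU` performs the addition before comparing, and the hunk header cuts off the parameter list so the type of `dataLength` is not visible; if it is a signed type like the neighbouring `int offset`, a negative value passes the check and is then assigned to `apdu.lc` two lines later, and if it is `size_t` the sum is what the bound has to be reasoned about. Express the bound without the addition: `if (dataLength > MSC_MAX_APDU - 9)` for an unsigned parameter, or `if (dataLength < 0 || dataLength > MSC_MAX_APDU - 9)` if it turns out to be signed. `offset` receives no range check in this hunk; whether msc_partial_update_object validates it elsewhere is outside what is shown.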
@@ -0,0 +1,37 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/5631e9843c832a99769def85b7b9b68b4e3e3959
+From: Veronika Hanulikova <xhanu...@fi.muni.cz>
+Date: Fri, 3 Mar 2023 16:07:38 +0100
+Subject: Check length of string before making copy
+
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55851
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55998
+---
+ src/pkcs15init/profile.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/pkcs15init/profile.c b/src/pkcs15init/profile.c
+index 2b793b0282..3bad1e8536 100644
+--- a/src/pkcs15init/profile.c
++++ b/src/pkcs15init/profile.c
+@@ -1575,7 +1575,10 @@ do_acl(struct state *cur, int argc, char **argv)
+ while (argc--) {
+ unsigned int op, method, id;
+
++ if (strlen(*argv) >= sizeof(oper))
++ goto bad;
+ strlcpy(oper, *argv++, sizeof(oper));
++
+ if ((what = strchr(oper, '=')) == NULL)
+ goto bad;
+ *what++ = '\0';
+@@ -2288,6 +2291,9 @@ get_authid(struct state *cur, const char *value,
+ return get_uint(cur, value, type);
+ }
+
++ if (strlen(value) >= sizeof(temp))
++ return 1;
++
+ n = strcspn(value, "0123456789x");
+ strlcpy(temp, value, (sizeof(temp) > n) ? n + 1 : sizeof(temp));
+
diff -Nru opensc-0.23.0/debian/patches/series opensc-0.23.0/debian/patches/series
--- opensc-0.23.0/debian/patches/series 2023-06-01 20:30:18.000000000 +0000
+++ opensc-0.23.0/debian/patches/series 2023-11-08 00:26:46.000000000 +0000
@@ -2,3 +2,13 @@
 0002-Fix-private-key-import.patch
 0003-Log-OpenSSL-errors.patch
 0004-pkcs15init-correct-left-length-calculation.patch
+0006-CVE-2023-4535.patch
+0007-CVE-2023-4535.patch
+0008-CVE-2023-40660.patch
+0009-CVE-2023-40661.patch
+0010-CVE-2023-40661.patch
+0011-CVE-2023-40661.patch
+0012-CVE-2023-40661.patch
+0013-CVE-2023-40661.patch
+0014-CVE-2023-40661.patch
+0015-CVE-2023-40661.patch
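Review bot: In the get_authid hunk the new `strlen(value) >= sizeof(temp)` guard makes the second branch of the ternary in `strlcpy(temp, value, (sizeof(temp) > n) ? n + 1 : sizeof(temp));` unreachable, because `n = strcspn(value, ...)` is at most `strlen(value)`, which is now known to be below `sizeof(temp)`; either simplify to `strlcpy(temp, value, n + 1);` with a comment pointing at the guard, or keep the ternary and say it is deliberate belt-and-braces so the next reader does not "clean it up" by removing the guard instead. The do_acl hunk's `goto bad` matches the error path already used two lines below for a missing `=`, so that one is consistent. Both hunks sit inside functions that start and end outside them, and whether the OSS-Fuzz findings were in these `strlcpy` calls or in code that consumes `oper` / `temp` further down is not visible from the hunks.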