2017-01-04 17:35 GMT+01:00 Chris Lamb <[email protected]>:
> Hello dear maintainer(s),
>

Hello,

> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of pcsc-lite:
> https://security-tracker.debian.org/tracker/source-package/pcsc-lite
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to [email protected]
> (via a debdiff, or with a URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of pcsc-lite updates
> for the LTS releases.
>
> Thank you very much.
>
> Chris Lamb,
> on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
>

I prepared a debdiff for the version present in oldstable. It is the same
patches I used for the Debian stable update but updated for the pcsc-lite
version present in oldstable.

I have rebuilt the package in a Debian testing system and tested that the PoC
provided in the CVE does not work any more. I have not tested the package in
oldstable but I am confident it will work.

Bye

-- 
Dr. Ludovic Rousseau
diff -Nru pcsc-lite-1.8.4/debian/changelog pcsc-lite-1.8.4/debian/changelog --- pcsc-lite-1.8.4/debian/changelog 2013-05-22 09:35:40.000000000 +0200 +++ pcsc-lite-1.8.4/debian/changelog 2017-01-06 12:59:54.000000000 +0100 @@ -1,3 +1,10 @@ +pcsc-lite (1.8.4-1+deb7u2) wheezy; urgency=medium + + * Fix CVE-2016-10109 "use-after-free and double-free" + Apply 2 patches from upstream to fix the issue. + + -- Ludovic Rousseau <[email protected]> Fri, 06 Jan 2017 12:59:54 +0100 + pcsc-lite (1.8.4-1+deb7u1) wheezy; urgency=low * Fix "failed upgrade squeeze -> wheezy" by removing addgroup call diff -Nru pcsc-lite-1.8.4/debian/patches/0001-SCardReleaseContext-prevent-use-after-free-of-cardsL.patch pcsc-lite-1.8.4/debian/patches/0001-SCardReleaseContext-prevent-use-after-free-of-cardsL.patch --- pcsc-lite-1.8.4/debian/patches/0001-SCardReleaseContext-prevent-use-after-free-of-cardsL.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcsc-lite-1.8.4/debian/patches/0001-SCardReleaseContext-prevent-use-after-free-of-cardsL.patch 2017-01-06 12:59:54.000000000 +0100 
@@ -0,0 +1,21 @@ +--- a/src/winscard_svc.c ++++ b/src/winscard_svc.c +@@ -811,7 +811,6 @@ + "list_delete_at failed with return value: %d", lrv); + } + (void)pthread_mutex_unlock(&threadContext->cardsList_lock); +- list_destroy(&(threadContext->cardsList)); + + /* We only mark the context as no longer in use. + * The memory is freed in MSGCleanupCLient() */ +@@ -913,6 +912,10 @@ + (void)MSGRemoveContext(threadContext->hContext, threadContext); + } + ++ (void)pthread_mutex_lock(&threadContext->cardsList_lock); ++ list_destroy(&threadContext->cardsList); ++ (void)pthread_mutex_unlock(&threadContext->cardsList_lock); ++ + Log3(PCSC_LOG_DEBUG, + "Thread is stopping: dwClientID=%d, threadContext @%p", + threadContext->dwClientID, threadContext); diff -Nru pcsc-lite-1.8.4/debian/patches/0002-SCard-check-for-a-valid-hContext-handles.patch pcsc-lite-1.8.4/debian/patches/0002-SCard-check-for-a-valid-hContext-handles.patch --- pcsc-lite-1.8.4/debian/patches/0002-SCard-check-for-a-valid-hContext-handles.patch 1970-01-01 01:00:00.000000000 +0100 +++ pcsc-lite-1.8.4/debian/patches/0002-SCard-check-for-a-valid-hContext-handles.patch 2017-01-06 12:59:54.000000000 +0100 
@@ -0,0 +1,28 @@ +--- a/src/winscard_svc.c ++++ b/src/winscard_svc.c +@@ -747,6 +747,12 @@ + LONG rv; + int lrv; + ++ if (0 == threadContext->hContext) ++ { ++ Log1(PCSC_LOG_ERROR, "Invalidated handle"); ++ return SCARD_E_INVALID_HANDLE; ++ } ++ + if (threadContext->hContext != hContext) + return SCARD_E_INVALID_VALUE; + +@@ -822,6 +828,12 @@ + static LONG MSGAddHandle(SCARDCONTEXT hContext, SCARDHANDLE hCard, + SCONTEXT * threadContext) + { ++ if (0 == threadContext->hContext) ++ { ++ Log1(PCSC_LOG_ERROR, "Invalidated handle"); ++ return SCARD_E_INVALID_HANDLE; ++ } ++ + if (threadContext->hContext == hContext) + { + /* diff -Nru pcsc-lite-1.8.4/debian/patches/series pcsc-lite-1.8.4/debian/patches/series --- pcsc-lite-1.8.4/debian/patches/series 2013-05-15 11:48:08.000000000 +0200 +++ pcsc-lite-1.8.4/debian/patches/series 2017-01-06 12:59:54.000000000 +0100 @@ -1,2 +1,4 @@ readerfactory winscard_clnt +0001-SCardReleaseContext-prevent-use-after-free-of-cardsL.patch +0002-SCard-check-for-a-valid-hContext-handles.patch
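Review bot: the debian/changelog entry for 1.8.4-1+deb7u2 says "Apply 2 patches from upstream" without identifying them; naming the two patch files (0001-SCardReleaseContext-prevent-use-after-free-of-cardsL.patch and 0002-SCard-check-for-a-valid-hContext-handles.patch) or their upstream commit ids in the entry would let whoever issues the DLA cross-check the backport against upstream. The covering mail also states the package was rebuilt on testing and not exercised on wheezy; recording that test status in the upload notes (as the LTS workflow asks) would save the LTS team a round trip.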
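Review bot: in 0001-SCardReleaseContext-prevent-use-after-free-of-cardsL.patch, the relocated list_destroy(&threadContext->cardsList) is now taken under cardsList_lock at thread stop, whereas the removed call in the first sub-hunk (after the @@ -811,7 +811,6 @@ header) ran after pthread_mutex_unlock() and while the client thread could still issue further requests against the same context, which is the use-after-free being closed; the move is the right shape. Two things to confirm before shipping: that every path creating a threadContext initialises cardsList, since the new list_destroy at thread exit is unconditional, and that nothing between the (void)MSGRemoveContext(...) call and the new pthread_mutex_lock() still walks the list. The surviving context comment also spells the function "MSGCleanupCLient()"; a one-character fix worth carrying upstream rather than in this backport.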
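Review bot: in 0002-SCard-check-for-a-valid-hContext-handles.patch, the new `if (0 == threadContext->hContext)` guards are placed before the existing `threadContext->hContext != hContext` comparison in the first function and before the `==` comparison in MSGAddHandle, so a context that has been released (the state the guard treats as hContext == 0, consistent with patch 0001's "we only mark the context as no longer in use") can no longer be matched by a client that passes handle 0, which is what the old equality tests alone would have allowed. Two points: both sites log the identical string "Invalidated handle", so the PCSC_LOG_ERROR line cannot tell an add from a remove; including the function name in each message would help triage. And the read of threadContext->hContext happens before cardsList_lock is taken, so please confirm hContext is only written by the owning client thread, otherwise the new check is racy against the reset.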
