Your message dated Fri, 02 Jun 2023 21:52:56 +0000
with message-id <[email protected]>
and subject line unblock opensc
has caused the Debian Bug report #1037025,
regarding unblock: opensc/0.23.0-0.3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1037025: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037025
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:opensc
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: unblock
Severity: normal
Please unblock package opensc.
[ Reason ]
Fixes CVE-2023-2977.
[ Risks ]
None.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock opensc/0.23.0-0.3
diff -Nru opensc-0.23.0/debian/changelog opensc-0.23.0/debian/changelog
--- opensc-0.23.0/debian/changelog 2023-02-13 17:13:20.000000000 +0100
+++ opensc-0.23.0/debian/changelog 2023-06-01 22:30:18.000000000 +0200
@@ -1,3 +1,10 @@
+opensc (0.23.0-0.3) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2023-2977 with upstream patch.
+
+ -- Bastian Germann <[email protected]> Thu, 01 Jun 2023 22:30:18 +0200
+
opensc (0.23.0-0.2) unstable; urgency=medium
* Non-maintainer upload
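Review bot: The new entry "* Fix CVE-2023-2977 with upstream patch." does not say which patch file carries the fix. Naming 0004-pkcs15init-correct-left-length-calculation.patch in the entry would let someone reading only d/changelog map the CVE to the change.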
diff -Nru
opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch
opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch
---
opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch
1970-01-01 01:00:00.000000000 +0100
+++
opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch
2023-06-01 22:30:18.000000000 +0200
@@ -0,0 +1,57 @@
+Origin:
https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a
+From: fullwaywang <[email protected]>
+Date: Mon, 29 May 2023 10:38:48 +0800
+Subject: pkcs15init: correct left length calculation to fix buffer overrun bug.
+ Fixes #2785
+
+From https://github.com/OpenSC/OpenSC/issues/2785:
+The newly found issue exists in pkcs15-init module. Like the original bug in
libopensc,
+cardos_have_verifyrc_package in pkcs15-cardos.c scans an ans1 buffer for 2
tags.
+The pointer p is moved after each sc_asn1_find_tag invocation,
+which results in the miscalculation of the length of left bytes in buffer
+and hence reading beyond the end of the buffer.
+
+CVE-2023-2977 was assigned for this issue.
+---
+ src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
+index 9715cf390f..f41f73c349 100644
+--- a/src/pkcs15init/pkcs15-cardos.c
++++ b/src/pkcs15init/pkcs15-cardos.c
+@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ sc_apdu_t apdu;
+ u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
+ int r;
+- const u8 *p = rbuf, *q;
++ const u8 *p = rbuf, *q, *pp;
+ size_t len, tlen = 0, ilen = 0;
+
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
+@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ return 0;
+
+ while (len != 0) {
+- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+- if (p == NULL)
++ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
++ if (pp == NULL)
+ return 0;
+ if (card->type == SC_CARD_TYPE_CARDOS_M4_3) {
+ /* the verifyRC package on CardOS 4.3B use Manufacturer
ID 0x01 */
+ /* and Package Number 0x07
*/
+- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
+ if (q == NULL || ilen != 4)
+ return 0;
+ if (q[0] == 0x07)
+@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4) {
+ /* the verifyRC package on CardOS 4.4 use Manufacturer
ID 0x03 */
+ /* and Package Number 0x02
*/
+- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
+ if (q == NULL || ilen != 4)
+ return 0;
+ if (q[0] == 0x02)
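Review bot: In the `while (len != 0)` loop, p now keeps its position and pp receives the result of sc_asn1_find_tag, but the lines that advance p and reduce len for the next iteration fall outside the three inner hunks shown, so the remaining-length arithmetic named in the subject cannot be checked from this diff. Since len is a size_t and the loop stops only at exactly 0, it is worth confirming in the full function that the step is derived from pp and tlen, with the tag and length header bytes accounted for, and that it can neither move past the end of rbuf nor wrap len. A short comment at the `*pp` declaration saying why the lookup result must not overwrite p would help keep the pattern from coming back.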
diff -Nru opensc-0.23.0/debian/patches/series
opensc-0.23.0/debian/patches/series
--- opensc-0.23.0/debian/patches/series 2023-02-13 17:13:04.000000000 +0100
+++ opensc-0.23.0/debian/patches/series 2023-06-01 22:30:18.000000000 +0200
@@ -1,3 +1,4 @@
0001-Use-sysconfdir-opensc-for-opensc.conf.patch
0002-Fix-private-key-import.patch
0003-Log-OpenSSL-errors.patch
+0004-pkcs15init-correct-left-length-calculation.patch
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---