commit: cc922f70f70016cf7fd197a8f492e654e0556f50 Author: David Seifert <soap <AT> gentoo <DOT> org> AuthorDate: Sat Jun 10 19:06:40 2023 +0000 Commit: David Seifert <soap <AT> gentoo <DOT> org> CommitDate: Sat Jun 10 19:06:40 2023 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc922f70
dev-libs/opensc: add patch for CVE-2023-2977 Bug: https://bugs.gentoo.org/907930 Signed-off-by: David Seifert <soap <AT> gentoo.org> .../opensc/files/opensc-0.23.0-CVE-2023-2977.patch | 49 +++++++++++++ dev-libs/opensc/opensc-0.23.0-r1.ebuild | 83 ++++++++++++++++++++++ 2 files changed, 132 insertions(+) diff --git a/dev-libs/opensc/files/opensc-0.23.0-CVE-2023-2977.patch b/dev-libs/opensc/files/opensc-0.23.0-CVE-2023-2977.patch new file mode 100644 index 000000000000..ad3bc1fadc93 --- /dev/null +++ b/dev-libs/opensc/files/opensc-0.23.0-CVE-2023-2977.patch @@ -0,0 +1,49 @@ +From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001 +From: fullwaywang <fullwayw...@tencent.com> +Date: Mon, 29 May 2023 10:38:48 +0800 +Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer + overrun bug. Fixes #2785 + +--- + src/pkcs15init/pkcs15-cardos.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c +index 9715cf390f..f41f73c349 100644 +--- a/src/pkcs15init/pkcs15-cardos.c ++++ b/src/pkcs15init/pkcs15-cardos.c +@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + sc_apdu_t apdu; + u8 rbuf[SC_MAX_APDU_BUFFER_SIZE]; + int r; +- const u8 *p = rbuf, *q; ++ const u8 *p = rbuf, *q, *pp; + size_t len, tlen = 0, ilen = 0; + + sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88); +@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + return 0; + + while (len != 0) { +- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); +- if (p == NULL) ++ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); ++ if (pp == NULL) + return 0; + if (card->type == SC_CARD_TYPE_CARDOS_M4_3) { + /* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 */ + /* and Package Number 0x07 */ +- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen); ++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen); + if (q == NULL || ilen != 4) + return 0; + if (q[0] == 0x07) +@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4) { + /* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03 */ + /* and Package Number 0x02 */ +- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen); ++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen); + if (q == NULL || ilen != 4) + return 0; + if (q[0] == 0x02) diff --git a/dev-libs/opensc/opensc-0.23.0-r1.ebuild b/dev-libs/opensc/opensc-0.23.0-r1.ebuild new file mode 100644 index 000000000000..9162e0939fc4 --- /dev/null +++ b/dev-libs/opensc/opensc-0.23.0-r1.ebuild @@ -0,0 +1,83 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit bash-completion-r1 libtool + +DESCRIPTION="Libraries and applications to access smartcards" +HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki"; + +if [[ ${PV} == *9999 ]]; then + inherit autotools git-r3 + EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git"; +else + SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz"; + KEYWORDS="~amd64 ~ppc64 ~x86" +fi + +LICENSE="LGPL-2.1" +SLOT="0" +IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib" +RESTRICT="!test? ( test )" + +RDEPEND="zlib? ( sys-libs/zlib ) + readline? ( sys-libs/readline:0= ) + ssl? ( dev-libs/openssl:0= ) + openct? ( >=dev-libs/openct-0.5.0 ) + pace? ( dev-libs/openpace:= ) + pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 ) + notify? ( dev-libs/glib:2 )" +DEPEND="${RDEPEND} + app-text/docbook-xsl-stylesheets + dev-libs/libxslt + test? ( dev-util/cmocka )" +BDEPEND="virtual/pkgconfig" + +REQUIRED_USE=" + pcsc-lite? ( !openct !ctapi ) + openct? ( !pcsc-lite !ctapi ) + ctapi? ( !pcsc-lite !openct ) + || ( pcsc-lite openct ctapi )" + +PATCHES=( "${FILESDIR}"/${P}-CVE-2023-2977.patch ) + +src_prepare() { + default + + if [[ ${PV} == *9999 ]]; then + eautoreconf + else + elibtoolize + fi +} + +src_configure() { + # don't want to run upstream's clang-tidy checks + export ac_cv_path_CLANGTIDY="" + + econf \ + --with-completiondir="$(get_bashcompdir)" \ + --disable-strict \ + --enable-man \ + $(use_enable ctapi) \ + $(use_enable doc) \ + $(use_enable notify) \ + $(use_enable openct) \ + $(use_enable pace openpace) \ + $(use_enable pcsc-lite pcsc) \ + $(use_enable readline) \ + $(use_enable secure-messaging sm) \ + $(use_enable ssl openssl) \ + $(use_enable test cmocka) \ + $(use_enable zlib) +} + +src_install() { + default + + insinto /etc/pkcs11/modules/ + doins "${FILESDIR}"/opensc.module + + find "${ED}" -name '*.la' -delete || die +}
