From: Zhang Peng <[email protected]> CVE-2024-45615: A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. The problem is missing initialization of variables expected to be initialized (as arguments to other functions, etc.).
Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-45615] Upstream patches: [https://github.com/OpenSC/OpenSC/commit/5e4f26b510b04624386c54816bf26aacea0fe4a1] [https://github.com/OpenSC/OpenSC/commit/7d68a7f442e38e16625270a0fdc6942c9e9437e6] [https://github.com/OpenSC/OpenSC/commit/bb3dedb71e59bd17f96fd4e807250a5cf2253cb7] [https://github.com/OpenSC/OpenSC/commit/42d718dfccd2a10f6d26705b8c991815c855fa3b] [https://github.com/OpenSC/OpenSC/commit/bde991b0fe4f0250243b0e4960978b1043c13b03] Signed-off-by: Zhang Peng <[email protected]>
---
 .../opensc/files/CVE-2024-45615-0001.patch | 67 +++++++++++++++++++
 .../opensc/files/CVE-2024-45615-0002.patch | 36 ++++++++++
 .../opensc/files/CVE-2024-45615-0003.patch | 35 ++++++++++
 .../opensc/files/CVE-2024-45615-0004.patch | 36 ++++++++++
 .../opensc/files/CVE-2024-45615-0005.patch | 34 ++++++++++
 .../recipes-support/opensc/opensc_0.22.0.bb | 5 ++
 6 files changed, 213 insertions(+)
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45615-0001.patch
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45615-0002.patch
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45615-0003.patch
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45615-0004.patch
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45615-0005.patch
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0001.patch
new file mode 100644
index 000000000..badb301b1
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0001.patch
@@ -0,0 +1,67 @@
+From 5e4f26b510b04624386c54816bf26aacea0fe4a1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <[email protected]>
+Date: Thu, 11 Jul 2024 14:58:25 +0200
+Subject: [PATCH] cac: Fix uninitialized values
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_card/1,fuzz_pkcs11/6
+CVE: CVE-2024-45615
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/5e4f26b510b04624386c54816bf26aacea0fe4a1]
+
+Signed-off-by: Zhang Peng <[email protected]>
+---
+ src/libopensc/card-cac.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
+index 1d1b616c8..4c3bc89bd 100644
+--- a/src/libopensc/card-cac.c
++++ b/src/libopensc/card-cac.c
+@@ -255,7 +255,7 @@ static int cac_apdu_io(sc_card_t *card, int ins, int p1, int p2,
+ size_t * recvbuflen)
+ {
+ int r;
+- sc_apdu_t apdu;
++ sc_apdu_t apdu = {0};
+ u8 rbufinitbuf[CAC_MAX_SIZE];
+ u8 *rbuf;
+ size_t rbuflen;
+@@ -392,13 +392,13 @@ fail:
+ static int cac_read_file(sc_card_t *card, int file_type, u8 **out_buf, size_t *out_len)
+ {
+ u8 params[2];
+- u8 count[2];
++ u8 count[2] = {0};
+ u8 *out = NULL;
+- u8 *out_ptr;
++ u8 *out_ptr = NULL;
+ size_t offset = 0;
+ size_t size = 0;
+ size_t left = 0;
+- size_t len;
++ size_t len = 0;
+ int r;
+
+ params[0] = file_type;
+@@ -461,7 +461,7 @@ static int cac_read_binary(sc_card_t *card, unsigned int idx,
+ const u8 *tl_ptr, *val_ptr, *tl_start;
+ u8 *tlv_ptr;
+ const u8 *cert_ptr;
+- size_t tl_len, val_len, tlv_len;
++ size_t tl_len = 0, val_len = 0, tlv_len;
+ size_t len, tl_head_len, cert_len;
+ u8 cert_type, tag;
+
+@@ -1528,7 +1528,7 @@ static int cac_parse_CCC(sc_card_t *card, cac_private_data_t *priv, const u8 *tl
+ static int cac_process_CCC(sc_card_t *card, cac_private_data_t *priv, int depth)
+ {
+ u8 *tl = NULL, *val = NULL;
+- size_t tl_len, val_len;
++ size_t tl_len = 0, val_len = 0;
+ int r;
+
+ if (depth > CAC_MAX_CCC_DEPTH) {
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0002.patch
new file mode 100644
index 000000000..7e02df383
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0002.patch
@@ -0,0 +1,36 @@
+From 7d68a7f442e38e16625270a0fdc6942c9e9437e6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <[email protected]>
+Date: Tue, 16 Jul 2024 15:51:51 +0200
+Subject: [PATCH] card-piv: Initialize variables for tag and CLA
+
+In case they are not later initialize later by
+sc_asn1_read_tag() function.
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs11/21
+
+CVE: CVE-2024-45615
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/7d68a7f442e38e16625270a0fdc6942c9e9437e6]
+
+Signed-off-by: Zhang Peng <[email protected]>
+---
+ src/libopensc/card-piv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/card-piv.c b/src/libopensc/card-piv.c
+index 6bf740221..0f07b2529 100644
+--- a/src/libopensc/card-piv.c
++++ b/src/libopensc/card-piv.c
+@@ -2241,7 +2241,7 @@ static int piv_get_challenge(sc_card_t *card, u8 *rnd, size_t len)
+ const u8 *p;
+ size_t out_len = 0;
+ int r;
+- unsigned int tag, cla;
++ unsigned int tag = 0, cla = 0;
+ piv_private_data_t * priv = PIV_DATA(card);
+
+ LOG_FUNC_CALLED(card->ctx);
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0003.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0003.patch
new file mode 100644
index 000000000..3f57ca336
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0003.patch
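Review bot: In the cac_read_binary hunk of CVE-2024-45615-0001.patch only `tl_len` and `val_len` gain initialisers, while `tlv_len` on the same declaration and `len`, `tl_head_len`, `cert_len` on the following context line stay uninitialised; the pkcs15-cert.c hunk in CVE-2024-45615-0003.patch likewise leaves `dummy_len` and `struct sc_object_id oid` without one. This matches the upstream commits as quoted, so the backport itself should not diverge, but the function bodies lie outside the hunks, so it is worth confirming against the 0.22.0 sources that each of these is written before its first read on every error path. If one is not, the change to raise upstream would be `size_t tl_len = 0, val_len = 0, tlv_len = 0;`.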
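Review bot: Zero-initialising `tag` and `cla` in piv_get_challenge (and `cla`, `tag` in sc_pkcs15emu_sc_hsm_decode_cvc, CVE-2024-45615-0004.patch) makes a failed `sc_asn1_read_tag()` deterministic, but neither hunk shows whether that call's return value is checked before the two variables are used. Both function bodies continue outside the hunks; if the result is ignored in the 0.22.0 sources, parsing would carry on with tag 0 and class 0, so confirm that the code that follows rejects those values rather than accepting them. A short comment at the declaration, e.g. `/* stays 0 unless sc_asn1_read_tag() succeeds; 0 must not match an expected tag */`, would record why the initialiser is there.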
@@ -0,0 +1,35 @@
+From bb3dedb71e59bd17f96fd4e807250a5cf2253cb7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <[email protected]>
+Date: Fri, 12 Jul 2024 14:35:47 +0200
+Subject: [PATCH] pkcs15-cert.c: Initialize OID length
+
+In case it is not set later.
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs11/7
+
+CVE: CVE-2024-45615
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/bb3dedb71e59bd17f96fd4e807250a5cf2253cb7]
+
+Signed-off-by: Zhang Peng <[email protected]>
+---
+ src/libopensc/pkcs15-cert.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/pkcs15-cert.c b/src/libopensc/pkcs15-cert.c
+index 1777a85835..5e2dbb89d0 100644
+--- a/src/libopensc/pkcs15-cert.c
++++ b/src/libopensc/pkcs15-cert.c
+@@ -169,7 +169,7 @@ sc_pkcs15_get_name_from_dn(struct sc_context *ctx, const u8 *dn, size_t dn_len,
+ for (next_ava = rdn, next_ava_len = rdn_len; next_ava_len; ) {
+ const u8 *ava, *dummy, *oidp;
+ struct sc_object_id oid;
+- size_t ava_len, dummy_len, oid_len;
++ size_t ava_len = 0, dummy_len, oid_len = 0;
+
+ /* unwrap the set and point to the next ava */
+ ava = sc_asn1_skip_tag(ctx, &next_ava, &next_ava_len, SC_ASN1_TAG_SET | SC_ASN1_CONS, &ava_len);
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0004.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0004.patch
new file mode 100644
index 000000000..a477bb07e
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0004.patch
@@ -0,0 +1,36 @@
+From 42d718dfccd2a10f6d26705b8c991815c855fa3b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <[email protected]>
+Date: Tue, 16 Jul 2024 16:32:45 +0200
+Subject: [PATCH] pkcs15-sc-hsm: Initialize variables for tag and CLA
+
+In case they are not later initialize later by
+sc_asn1_read_tag() function.
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15_crypt/12
+
+CVE: CVE-2024-45615
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/42d718dfccd2a10f6d26705b8c991815c855fa3b]
+
+Signed-off-by: Zhang Peng <[email protected]>
+---
+ src/libopensc/pkcs15-sc-hsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/pkcs15-sc-hsm.c b/src/libopensc/pkcs15-sc-hsm.c
+index 315cd74482..acdbee7054 100644
+--- a/src/libopensc/pkcs15-sc-hsm.c
++++ b/src/libopensc/pkcs15-sc-hsm.c
+@@ -277,7 +277,7 @@ int sc_pkcs15emu_sc_hsm_decode_cvc(sc_pkcs15_card_t * p15card,
+ struct sc_asn1_entry asn1_cvcert[C_ASN1_CVCERT_SIZE];
+ struct sc_asn1_entry asn1_cvc_body[C_ASN1_CVC_BODY_SIZE];
+ struct sc_asn1_entry asn1_cvc_pubkey[C_ASN1_CVC_PUBKEY_SIZE];
+- unsigned int cla,tag;
++ unsigned int cla = 0, tag = 0;
+ size_t taglen;
+ size_t lenchr = sizeof(cvc->chr);
+ size_t lencar = sizeof(cvc->car);
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0005.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0005.patch
new file mode 100644
index 000000000..7826f7e71
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0005.patch
@@ -0,0 +1,34 @@
+From bde991b0fe4f0250243b0e4960978b1043c13b03 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <[email protected]>
+Date: Mon, 20 May 2024 21:31:38 +0200
+Subject: [PATCH] pkcs15init: Avoid using uninitialized memory
+
+Thanks Matteo Marini for report
+
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-h5f7-rjr5-vx54
+
+Signed-off-by: Jakub Jelen <[email protected]>
+
+CVE: CVE-2024-45615
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/bde991b0fe4f0250243b0e4960978b1043c13b03]
+
+Signed-off-by: Zhang Peng <[email protected]>
+---
+ src/pkcs15init/profile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pkcs15init/profile.c b/src/pkcs15init/profile.c
+index 74fbdcec1..16c2ddfea 100644
+--- a/src/pkcs15init/profile.c
++++ b/src/pkcs15init/profile.c
+@@ -1807,7 +1807,7 @@ do_pin_storedlength(struct state *cur, int argc, char **argv)
+ static int
+ do_pin_flags(struct state *cur, int argc, char **argv)
+ {
+- unsigned int flags;
++ unsigned int flags = 0;
+ int i, r;
+
+ if (cur->pin->pin.auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN)
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
index 822e0ab97..9446237a0 100644
--- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
@@ -26,6 +26,11 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
 file://CVE-2024-1454.patch \
 file://CVE-2024-8443-0001.patch \
 file://CVE-2024-8443-0002.patch \
+ file://CVE-2024-45615-0001.patch \
+ file://CVE-2024-45615-0002.patch \
+ file://CVE-2024-45615-0003.patch \
+ file://CVE-2024-45615-0004.patch \
+ file://CVE-2024-45615-0005.patch \
 "
 
 # CVE-2021-34193 is a duplicate CVE covering the 5 individual
--
2.34.1
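Review bot: Nothing in the posting says the five patches added to `SRC_URI` were refreshed against the 0.22.0 tree, and they are backports of upstream commits dated May to July 2024, so the hunk context may have drifted from what the recipe checks out. If any of them applies only with fuzz, do_patch reports it as a patch-fuzz QA issue and a hunk can land at the wrong declaration. Building the recipe once and, if fuzz is reported, refreshing the affected patch against the 0.22.0 sources would settle it; a line in the commit message such as `Tested: do_patch applies all five patches without fuzz on opensc 0.22.0` would record the result.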
