[oe] [meta-oe][kirkstone][PATCH 2/8] opensc: fix CVE-2024-8443

Tue, 14 Jan 2025 23:24:48 -0800 

From: Zhang Peng <[email protected]>

CVE-2024-8443:
The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is 
vulnerable
to Stored Cross-Site Scripting via the ‘themehunk_megamenu_bg_image' parameter 
in all
versions up to, and including, 1.1.0 due to insufficient input sanitization and 
output
escaping. This makes it possible for authenticated attackers, with 
subscriber-level
access and above, to inject arbitrary web scripts in pages that will execute 
whenever
a user accesses an injected page. Please note that this was partially fixed in 
1.1.0
due to the missing authorization protection that was added.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-8433]

Upstream patches:
[https://github.com/OpenSC/OpenSC/commit/02e847458369c08421fd2d5e9a16a5f272c2de9e]
[https://github.com/OpenSC/OpenSC/commit/b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc]

Signed-off-by: Zhang Peng <[email protected]>
---
 .../opensc/files/CVE-2024-8443-0001.patch     | 60 +++++++++++++++++++
 .../opensc/files/CVE-2024-8443-0002.patch     | 55 +++++++++++++++++
 .../recipes-support/opensc/opensc_0.22.0.bb   |  2 +
 3 files changed, 117 insertions(+)
 create mode 100644 
meta-oe/recipes-support/opensc/files/CVE-2024-8443-0001.patch
 create mode 100644 
meta-oe/recipes-support/opensc/files/CVE-2024-8443-0002.patch

diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0001.patch 
b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0001.patch
new file mode 100644
index 000000000..7d80aba76
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0001.patch
@@ -0,0 +1,60 @@
+From b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <[email protected]>
+Date: Mon, 12 Aug 2024 19:02:14 +0200
+Subject: [PATCH] openpgp: Do not accept non-matching key responses
+
+When generating RSA key pair using PKCS#15 init, the driver could accept
+responses relevant to ECC keys, which made further processing in the
+pkcs15-init failing/accessing invalid parts of structures.
+
+Thanks oss-fuzz!
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=71010
+
+Signed-off-by: Jakub Jelen <[email protected]>
+
+CVE: CVE-2024-8443
+Upstream-Status: Backport 
[https://github.com/OpenSC/OpenSC/commit/b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc]
+
+Signed-off-by: Zhang Peng <[email protected]>
+---
+ src/libopensc/card-openpgp.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
+index fad32f0ce..f99ec0db9 100644
+--- a/src/libopensc/card-openpgp.c
++++ b/src/libopensc/card-openpgp.c
+@@ -2877,6 +2877,9 @@ pgp_parse_and_set_pubkey_output(sc_card_t *card, u8* 
data, size_t data_len,
+ 
+               /* RSA modulus */
+               if (tag == 0x0081) {
++                      if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA) {
++                              LOG_FUNC_RETURN(card->ctx, 
SC_ERROR_UNKNOWN_DATA_RECEIVED);
++                      }
+                       if ((BYTES4BITS(key_info->u.rsa.modulus_len) < len)  /* 
modulus_len is in bits */
+                               || key_info->u.rsa.modulus == NULL) {
+ 
+@@ -2892,6 +2895,9 @@ pgp_parse_and_set_pubkey_output(sc_card_t *card, u8* 
data, size_t data_len,
+               }
+               /* RSA public exponent */
+               else if (tag == 0x0082) {
++                      if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA) {
++                              LOG_FUNC_RETURN(card->ctx, 
SC_ERROR_UNKNOWN_DATA_RECEIVED);
++                      }
+                       if ((BYTES4BITS(key_info->u.rsa.exponent_len) < len)  
/* exponent_len is in bits */
+                               || key_info->u.rsa.exponent == NULL) {
+ 
+@@ -2907,6 +2913,10 @@ pgp_parse_and_set_pubkey_output(sc_card_t *card, u8* 
data, size_t data_len,
+               }
+               /* ECC public key */
+               else if (tag == 0x0086) {
++                      if (key_info->algorithm != SC_OPENPGP_KEYALGO_ECDSA &&
++                                      key_info->algorithm != 
SC_OPENPGP_KEYALGO_ECDH) {
++                              LOG_FUNC_RETURN(card->ctx, 
SC_ERROR_UNKNOWN_DATA_RECEIVED);
++                      }
+                       /* set the output data */
+                       /* len is ecpoint length + format byte
+                        * see section 7.2.14 of 3.3.1 specs */
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0002.patch 
b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0002.patch
new file mode 100644
index 000000000..30a7e63a7
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0002.patch
@@ -0,0 +1,55 @@
+From 02e847458369c08421fd2d5e9a16a5f272c2de9e Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <[email protected]>
+Date: Thu, 15 Aug 2024 11:13:47 +0200
+Subject: [PATCH] openpgp: Avoid buffer overflow when writing fingerprint
+
+Fix also surrounding code to return error (not just log it)
+when some step fails.
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=70933
+
+Signed-off-by: Jakub Jelen <[email protected]>
+
+CVE: CVE-2024-8443
+Upstream-Status: Backport 
[https://github.com/OpenSC/OpenSC/commit/02e847458369c08421fd2d5e9a16a5f272c2de9e]
+
+Signed-off-by: Zhang Peng <[email protected]>
+---
+ src/libopensc/card-openpgp.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
+index f99ec0db9..3957440de 100644
+--- a/src/libopensc/card-openpgp.c
++++ b/src/libopensc/card-openpgp.c
+@@ -2756,14 +2756,21 @@ pgp_calculate_and_store_fingerprint(sc_card_t *card, 
time_t ctime,
+       /* update the blob containing fingerprints (00C5) */
+       sc_log(card->ctx, "Updating fingerprint blob 00C5.");
+       fpseq_blob = pgp_find_blob(card, 0x00C5);
+-      if (fpseq_blob == NULL)
+-              LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY, "Cannot 
find blob 00C5");
++      if (fpseq_blob == NULL) {
++              r = SC_ERROR_OUT_OF_MEMORY;
++              LOG_TEST_GOTO_ERR(card->ctx, r, "Cannot find blob 00C5");
++      }
++      if (20 * key_info->key_id > fpseq_blob->len) {
++              r = SC_ERROR_OBJECT_NOT_VALID;
++              LOG_TEST_GOTO_ERR(card->ctx, r, "The 00C5 blob is not large 
enough");
++      }
+ 
+       /* save the fingerprints sequence */
+       newdata = malloc(fpseq_blob->len);
+-      if (newdata == NULL)
+-              LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY,
+-                      "Not enough memory to update fingerprint blob 00C5");
++      if (newdata == NULL) {
++              r = SC_ERROR_OUT_OF_MEMORY;
++              LOG_TEST_GOTO_ERR(card->ctx, r, "Not enough memory to update 
fingerprint blob 00C5");
++      }
+ 
+       memcpy(newdata, fpseq_blob->data, fpseq_blob->len);
+       /* move p to the portion holding the fingerprint of the current key */
+--
+2.34.1
diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb 
b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
index 834b83d68..822e0ab97 100644
--- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
@@ -24,6 +24,8 @@ SRC_URI = 
"git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
            file://CVE-2023-40661-6.patch \
            file://CVE-2023-40661-7.patch \
            file://CVE-2024-1454.patch \
+           file://CVE-2024-8443-0001.patch \
+           file://CVE-2024-8443-0002.patch \
           "
 
 # CVE-2021-34193 is a duplicate CVE covering the 5 individual
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#114886): 
https://lists.openembedded.org/g/openembedded-devel/message/114886
Mute This Topic: https://lists.openembedded.org/mt/110623769/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to