From: Zhang Peng <[email protected]>

CVE-2024-45617: A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized.
Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-45617] Upstream patches: [https://github.com/OpenSC/OpenSC/commit/fdb9e903eb124b6b18a5a9350a26eceb775585bc] [https://github.com/OpenSC/OpenSC/commit/fdb9e903eb124b6b18a5a9350a26eceb775585bc] [https://github.com/OpenSC/OpenSC/commit/efbc14ffa190e3e0ceecceb479024bb778b0ab68] Signed-off-by: Zhang Peng <[email protected]> --- .../opensc/files/CVE-2024-45617-0001.patch | 38 +++++++++++++++++++ .../opensc/files/CVE-2024-45617-0002.patch | 33 ++++++++++++++++ .../opensc/files/CVE-2024-45617-0003.patch | 33 ++++++++++++++++ .../recipes-support/opensc/opensc_0.22.0.bb | 3 ++ 4 files changed, 107 insertions(+) create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45617-0001.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45617-0002.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45617-0003.patch diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0001.patch new file mode 100644 index 000000000..e750c7b51 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0001.patch 
@@ -0,0 +1,38 @@ +From fdb9e903eb124b6b18a5a9350a26eceb775585bc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <[email protected]> +Date: Tue, 16 Jul 2024 14:05:36 +0200 +Subject: [PATCH] cac: Check return value when selecting AID + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs11/14 + +CVE: CVE-2024-45617 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/fdb9e903eb124b6b18a5a9350a26eceb775585bc] + +Signed-off-by: Zhang Peng <[email protected]> +--- + src/libopensc/card-cac.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c +index 4c3bc89bd..f910f64d3 100644 +--- a/src/libopensc/card-cac.c ++++ b/src/libopensc/card-cac.c +@@ -1302,10 +1302,10 @@ static int cac_parse_aid(sc_card_t *card, cac_private_data_t *priv, const u8 *ai + /* Call without OID set will just select the AID without subsequent + * OID selection, which we need to figure out just now + */ +- cac_select_file_by_type(card, &new_object.path, NULL); ++ r = cac_select_file_by_type(card, &new_object.path, NULL); ++ LOG_TEST_RET(card->ctx, r, "Cannot select AID"); + r = cac_get_properties(card, &prop); +- if (r < 0) +- return SC_ERROR_INTERNAL; ++ LOG_TEST_RET(card->ctx, r, "Cannot get CAC properties"); + + for (i = 0; i < prop.num_objects; i++) { + /* don't fail just because we have more certs than we can support */ +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0002.patch new file mode 100644 index 000000000..617f95d45 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0002.patch 
@@ -0,0 +1,33 @@ +From 21d869b77792b6f189eebf373e399747177d99e2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <[email protected]> +Date: Tue, 16 Jul 2024 14:29:01 +0200 +Subject: [PATCH] cardos: Return error when response length is 0 + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs11/18 + +CVE: CVE-2024-45617 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/fdb9e903eb124b6b18a5a9350a26eceb775585bc] + +Signed-off-by: Zhang Peng <[email protected]> +--- + src/libopensc/card-cardos.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c +index 9906f6c72..6f10943a5 100644 +--- a/src/libopensc/card-cardos.c ++++ b/src/libopensc/card-cardos.c +@@ -1278,7 +1278,7 @@ cardos_lifecycle_get(sc_card_t *card, int *mode) + LOG_TEST_RET(card->ctx, r, "Card returned error"); + + if (apdu.resplen < 1) { +- LOG_TEST_RET(card->ctx, r, "Lifecycle byte not in response"); ++ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Lifecycle byte not in response"); + } + + r = SC_SUCCESS; +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0003.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0003.patch new file mode 100644 index 000000000..cfb16b31b --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0003.patch 
@@ -0,0 +1,33 @@ +From efbc14ffa190e3e0ceecceb479024bb778b0ab68 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <[email protected]> +Date: Wed, 17 Jul 2024 10:39:52 +0200 +Subject: [PATCH] card-jpki: Check number of read bytes + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs15_encode/18 + +CVE: CVE-2024-45617 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/efbc14ffa190e3e0ceecceb479024bb778b0ab68] + +Signed-off-by: Zhang Peng <[email protected]> +--- + src/libopensc/card-jpki.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/libopensc/card-jpki.c b/src/libopensc/card-jpki.c +index 6e4d0f3165..71339491d1 100644 +--- a/src/libopensc/card-jpki.c ++++ b/src/libopensc/card-jpki.c +@@ -195,6 +195,8 @@ jpki_select_file(struct sc_card *card, + u8 buf[4]; + rc = sc_read_binary(card, 0, buf, 4, 0); + LOG_TEST_RET(card->ctx, rc, "SW Check failed"); ++ if (rc < 4) ++ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Received data too short"); + file = sc_file_new(); + if (!file) { + LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY); +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb index ec0149670..89e2e0d5a 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb @@ -41,6 +41,9 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \ file://CVE-2024-45616-0008.patch \ file://CVE-2024-45616-0009.patch \ file://CVE-2024-45616-0010.patch \ + file://CVE-2024-45617-0001.patch \ + file://CVE-2024-45617-0002.patch \ + file://CVE-2024-45617-0003.patch \ " # CVE-2021-34193 is a duplicate CVE covering the 5 individual -- 2.34.1
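Review bot: In CVE-2024-45617-0001.patch (src/libopensc/card-cac.c, cac_parse_aid), the cac_get_properties() failure path no longer returns SC_ERROR_INTERNAL; with LOG_TEST_RET(card->ctx, r, "Cannot get CAC properties") it now hands the raw value of r back to the caller, so the error code seen by callers of cac_parse_aid() changes along with the new check on cac_select_file_by_type(). Please confirm that nothing in the 0.22.0 tree this recipe builds matches on SC_ERROR_INTERNAL from this function, and say in the patch header that the error-code change is intended and identical to upstream.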
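Review bot: In CVE-2024-45617-0002.patch (src/libopensc/card-cardos.c, cardos_lifecycle_get), the Upstream-Status line points at commit fdb9e903eb124b6b18a5a9350a26eceb775585bc, which is the card-cac.c change, while the From line of this patch is 21d869b77792b6f189eebf373e399747177d99e2. The Upstream-Status URL should reference 21d869b77792b6f189eebf373e399747177d99e2, and the "Upstream patches" list in the commit message, which repeats the fdb9e903 URL twice, should be corrected the same way so that each of the three backports can be traced to its own upstream commit. The code change itself is consistent with the context: r has already passed the preceding LOG_TEST_RET at that point, so passing SC_ERROR_UNKNOWN_DATA_RECEIVED is what makes the resplen < 1 branch actually return.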
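Review bot: In CVE-2024-45617-0003.patch (src/libopensc/card-jpki.c, jpki_select_file), the new check "if (rc < 4)" repeats the literal 4 that already appears in "u8 buf[4]" and in the count passed to sc_read_binary(), so the three values can drift apart if the buffer size ever changes; comparing against sizeof(buf) would tie the check to the buffer. The unbraced if also relies on LOG_TEST_RET expanding to a single statement, whereas the card-cardos.c hunk in this series wraps the same construct in braces. Since this is marked Upstream-Status: Backport, keeping the lines identical to upstream is reasonable here, but both points are worth raising upstream rather than carrying a local difference.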
