From: Zhang Peng <[email protected]> CVE-2024-45618: A vulnerability was found in pkcs15-init in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized.
Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-45618] Upstream patches: [https://github.com/OpenSC/OpenSC/commit/8632ec172beda894581d67eaa991e519a7874f7d] [https://github.com/OpenSC/OpenSC/commit/f9d68660f032ad4d7803431d5fc7577ea8792ac3] Signed-off-by: Zhang Peng <[email protected]> --- .../opensc/files/CVE-2024-45618-0001.patch | 42 +++++++++++++++++++ .../opensc/files/CVE-2024-45618-0002.patch | 42 +++++++++++++++++++ .../recipes-support/opensc/opensc_0.22.0.bb | 2 + 3 files changed, 86 insertions(+) create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45618-0001.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45618-0002.patch diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0001.patch new file mode 100644 index 000000000..76311bd1a --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0001.patch @@ -0,0 +1,42 @@ +From 8632ec172beda894581d67eaa991e519a7874f7d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <[email protected]> +Date: Wed, 17 Jul 2024 11:18:52 +0200 +Subject: [PATCH] pkcs15-tcos: Check return value of serial num conversion + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs15_encode/21 + +CVE: CVE-2024-45618 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/8632ec172beda894581d67eaa991e519a7874f7d] + +Signed-off-by: Zhang Peng <[email protected]> +--- + src/libopensc/pkcs15-tcos.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c +index a78b9aee5..9f44de6e5 100644 +--- a/src/libopensc/pkcs15-tcos.c ++++ b/src/libopensc/pkcs15-tcos.c +@@ -530,10 +530,15 @@ int sc_pkcs15emu_tcos_init_ex( + /* get the card serial number */ + r = sc_card_ctl(card, SC_CARDCTL_GET_SERIALNR, &serialnr); + if (r < 0) { +- sc_log(ctx, "unable to get ICCSN\n"); ++ sc_log(ctx, "unable to get ICCSN"); + return SC_ERROR_WRONG_CARD; + } +- sc_bin_to_hex(serialnr.value, serialnr.len , serial, sizeof(serial), 0); ++ r = sc_bin_to_hex(serialnr.value, serialnr.len, serial, sizeof(serial), 0); ++ if (r != SC_SUCCESS) { ++ sc_log(ctx, "serial number invalid"); ++ return SC_ERROR_INTERNAL; ++ } ++ + serial[19] = '\0'; + set_string(&p15card->tokeninfo->serial_number, serial); + +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0002.patch new file mode 100644 index 000000000..82e52e3cc --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0002.patch @@ -0,0 +1,42 @@ +From f9d68660f032ad4d7803431d5fc7577ea8792ac3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <[email protected]> +Date: Wed, 17 Jul 2024 14:56:22 +0200 +Subject: [PATCH] pkcs15-lib: Report transport key error + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs15init/17, fuzz_pkcs15init/18 + +CVE: CVE-2024-45618 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/f9d68660f032ad4d7803431d5fc7577ea8792ac3] + +Signed-off-by: Zhang Peng <[email protected]> +--- + src/pkcs15init/pkcs15-lib.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c +index f297a5f48..f4cbaa694 100644 +--- a/src/pkcs15init/pkcs15-lib.c ++++ b/src/pkcs15init/pkcs15-lib.c +@@ -3767,13 +3767,15 @@ sc_pkcs15init_get_transport_key(struct sc_profile *profile, struct sc_pkcs15_car + if (callbacks.get_key) { + rv = callbacks.get_key(profile, type, reference, defbuf, defsize, pinbuf, pinsize); + LOG_TEST_RET(ctx, rv, "Cannot get key"); +- } +- else if (rv >= 0) { ++ } else if (rv >= 0) { + if (*pinsize < defsize) + LOG_TEST_RET(ctx, SC_ERROR_BUFFER_TOO_SMALL, "Get transport key error"); + + memcpy(pinbuf, data.key_data, data.len); + *pinsize = data.len; ++ } else { ++ /* pinbuf and pinsize were not filled */ ++ LOG_TEST_RET(ctx, SC_ERROR_INTERNAL, "Get transport key error"); + } + + memset(&auth_info, 0, sizeof(auth_info)); +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb index 89e2e0d5a..641d6a807 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb @@ -44,6 +44,8 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \ file://CVE-2024-45617-0001.patch \ file://CVE-2024-45617-0002.patch \ file://CVE-2024-45617-0003.patch \ + file://CVE-2024-45618-0001.patch \ + file://CVE-2024-45618-0002.patch \ " # CVE-2021-34193 is a duplicate CVE covering the 5 individual -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#114890): https://lists.openembedded.org/g/openembedded-devel/message/114890 Mute This Topic: https://lists.openembedded.org/mt/110623774/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
