From: Zhang Peng <[email protected]>

CVE-2024-45620:
A vulnerability was found in the pkcs15-init tool in OpenSC. An attacker could use
a crafted USB Device or Smart Card, which would present the system with a specially
crafted response to APDUs. When buffers are partially filled with data, initialized
parts of the buffer can be incorrectly accessed.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-45620]

Upstream patches:
[https://github.com/OpenSC/OpenSC/commit/a1bcc6516f43d570899820d259b71c53f8049168]
[https://github.com/OpenSC/OpenSC/commit/6baa19596598169d652659863470a60c5ed79ecd]
[https://github.com/OpenSC/OpenSC/commit/468a314d76b26f724a551f2eb339dd17c856cf18]

Signed-off-by: Zhang Peng <[email protected]>
---
 .../opensc/files/CVE-2024-45620-0001.patch    | 42 ++++++++++++++++
 .../opensc/files/CVE-2024-45620-0002.patch    | 34 +++++++++++++
 .../opensc/files/CVE-2024-45620-0003.patch    | 50 +++++++++++++++++++
 .../recipes-support/opensc/opensc_0.22.0.bb   |  3 ++
 4 files changed, 129 insertions(+)
 create mode 100644 
meta-oe/recipes-support/opensc/files/CVE-2024-45620-0001.patch
 create mode 100644 
meta-oe/recipes-support/opensc/files/CVE-2024-45620-0002.patch
 create mode 100644 
meta-oe/recipes-support/opensc/files/CVE-2024-45620-0003.patch

diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0001.patch 
b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0001.patch
new file mode 100644
index 000000000..bacf75960
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0001.patch
@@ -0,0 +1,42 @@
+From a1bcc6516f43d570899820d259b71c53f8049168 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <[email protected]>
+Date: Thu, 18 Jul 2024 09:23:20 +0200
+Subject: [PATCH] pkcs15-starcos: Check length of file to be non-zero
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15init/20
+
+CVE: CVE-2024-45620
+Upstream-Status: Backport 
[https://github.com/OpenSC/OpenSC/commit/a1bcc6516f43d570899820d259b71c53f8049168]
+
+Signed-off-by: Zhang Peng <[email protected]>
+---
+ src/pkcs15init/pkcs15-starcos.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/pkcs15init/pkcs15-starcos.c b/src/pkcs15init/pkcs15-starcos.c
+index bde7413a46..267ad2b04a 100644
+--- a/src/pkcs15init/pkcs15-starcos.c
++++ b/src/pkcs15init/pkcs15-starcos.c
+@@ -670,6 +670,8 @@ static int starcos_write_pukey(sc_profile_t *profile, 
sc_card_t *card,
+               return r;
+       len = tfile->size;
+       sc_file_free(tfile);
++      if (len == 0)
++              return SC_ERROR_INTERNAL;
+       buf = malloc(len);
+       if (!buf)
+               return SC_ERROR_OUT_OF_MEMORY;
+@@ -682,7 +684,7 @@ static int starcos_write_pukey(sc_profile_t *profile, 
sc_card_t *card,
+       if (num_keys == 0xff)
+               num_keys = 0;
+       /* encode public key */
+-      keylen  = starcos_encode_pukey(rsa, NULL, kinfo);
++      keylen = starcos_encode_pukey(rsa, NULL, kinfo);
+       if (!keylen) {
+               free(buf);
+               return SC_ERROR_INTERNAL;
+--
+2.34.1
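Review bot: In the pkcs15-starcos.c change carried by this patch file, `buf = malloc(len);` still returns uninitialized heap memory once the new `len == 0` guard passes, and the code that fills and then reads `buf` is outside the hunk. Because the CVE concerns partially filled buffers, it is worth confirming in the 0.22.0 tree that the number of bytes actually read into `buf` is checked before any of it is parsed, or allocating with `buf = calloc(1, len);` so a short read cannot expose stale heap contents. `SC_ERROR_INTERNAL` for a zero-size file also reads as a library fault, whereas the size presumably comes from card data; `SC_ERROR_INVALID_DATA` would match the other two patches. starcos_write_pukey starts and ends outside the hunk, and the second inner hunk is a whitespace-only change to `keylen`.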
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0002.patch 
b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0002.patch
new file mode 100644
index 000000000..65d596b92
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0002.patch
@@ -0,0 +1,34 @@
+From 6baa19596598169d652659863470a60c5ed79ecd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <[email protected]>
+Date: Thu, 18 Jul 2024 09:35:23 +0200
+Subject: [PATCH] iasecc-sdo: Check length of data before dereferencing
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15init/21
+
+CVE: CVE-2024-45620
+Upstream-Status: Backport 
[https://github.com/OpenSC/OpenSC/commit/6baa19596598169d652659863470a60c5ed79ecd]
+
+Signed-off-by: Zhang Peng <[email protected]>
+---
+ src/libopensc/iasecc-sdo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/libopensc/iasecc-sdo.c b/src/libopensc/iasecc-sdo.c
+index 417b6dd57d..98402a4e3f 100644
+--- a/src/libopensc/iasecc-sdo.c
++++ b/src/libopensc/iasecc-sdo.c
+@@ -729,6 +729,9 @@ iasecc_sdo_parse(struct sc_card *card, unsigned char 
*data, size_t data_len, str
+
+       LOG_FUNC_CALLED(ctx);
+
++      if (data == NULL || data_len < 2)
++              LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
+       if (*data == IASECC_SDO_TEMPLATE_TAG)   {
+               size_size = iasecc_parse_size(data + 1, &size);
+               LOG_TEST_RET(ctx, size_size, "parse error: invalid size data of 
IASECC_SDO_TEMPLATE");
+--
+2.34.1
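Review bot: The new guard `data_len < 2` in iasecc_sdo_parse only guarantees that `data[0]` and `data[1]` exist, while the context line `iasecc_parse_size(data + 1, &size)` passes no remaining length to the size parser. If that helper accepts length encodings longer than one byte (its body is not visible here), a two-byte input could still be read past its end. No comparison of the parsed `size` with `data_len` is visible in this hunk either, unlike the `data_len - 1 < size` check that CVE-2024-45620-0003.patch adds to iasecc_se_parse. Consider verifying that the helper bounds its own reads in the 0.22.0 tree, or adding `if (size_size + 1 > data_len || size > data_len - size_size - 1) LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);` after the size is parsed. The function body continues outside the hunk.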
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0003.patch 
b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0003.patch
new file mode 100644
index 000000000..5bc8805e6
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0003.patch
@@ -0,0 +1,50 @@
+From 468a314d76b26f724a551f2eb339dd17c856cf18 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <[email protected]>
+Date: Thu, 18 Jul 2024 11:03:46 +0200
+Subject: [PATCH] iasecc-sdo: Check length of data when parsing
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15init/27,29
+
+CVE: CVE-2024-45620
+Upstream-Status: Backport 
[https://github.com/OpenSC/OpenSC/commit/468a314d76b26f724a551f2eb339dd17c856cf18]
+
+Signed-off-by: Zhang Peng <[email protected]>
+---
+ src/libopensc/iasecc-sdo.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/libopensc/iasecc-sdo.c b/src/libopensc/iasecc-sdo.c
+index 4d6be7ad4..bdbd5ab17 100644
+--- a/src/libopensc/iasecc-sdo.c
++++ b/src/libopensc/iasecc-sdo.c
+@@ -334,16 +334,25 @@ iasecc_se_parse(struct sc_card *card, unsigned char 
*data, size_t data_len, stru
+ 
+       LOG_FUNC_CALLED(ctx);
+ 
++      if (data_len < 1)
++              LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
+       if (*data == IASECC_SDO_TEMPLATE_TAG)   {
+               size_size = iasecc_parse_size(data + 1, &size);
+               LOG_TEST_RET(ctx, size_size, "parse error: invalid size data of 
IASECC_SDO_TEMPLATE");
+ 
++              if (data_len - 1 < size)
++                      LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
+               data += size_size + 1;
+               data_len = size;
+               sc_log(ctx,
+                      "IASECC_SDO_TEMPLATE: size %"SC_FORMAT_LEN_SIZE_T"u, 
size_size %"SC_FORMAT_LEN_SIZE_T"u",
+                      size, size_size);
+ 
++              if (data_len < 3)
++                      LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
++
+               if (*data != IASECC_SDO_TAG_HEADER)
+                       LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+ 
+--
+2.34.1
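Review bot: The entry guard added to iasecc_se_parse, `if (data_len < 1)`, is weaker than the `data == NULL || data_len < 2` guard that CVE-2024-45620-0002.patch adds to iasecc_sdo_parse. It does not reject a NULL `data`, and with `data_len == 1` the following `iasecc_parse_size(data + 1, &size)` is handed a pointer one past the end of the buffer. The later check `data_len - 1 < size` also ignores the `size_size` bytes skipped by `data += size_size + 1`, so `data_len = size` can overstate the remaining bytes by up to `size_size`. Consider `if (data == NULL || data_len < 2)` at entry and `if (size_size + 1 > data_len || size > data_len - size_size - 1)` for the length check. Both would diverge from the upstream commit this file backports, so they are better raised upstream as a follow-up; the function continues outside the hunk.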
diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb 
b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
index 5e840555b..52e29a5d9 100644
--- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
@@ -52,6 +52,9 @@ SRC_URI = 
"git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
            file://CVE-2024-45619-0004.patch \
            file://CVE-2024-45619-0005.patch \
            file://CVE-2024-45619-0006.patch \
+           file://CVE-2024-45620-0001.patch \
+           file://CVE-2024-45620-0002.patch \
+           file://CVE-2024-45620-0003.patch \
           "
 
 # CVE-2021-34193 is a duplicate CVE covering the 5 individual
-- 
2.34.1
