Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Debian OpenSC Maintainers
, t...@security.debian.org
* CVE-2019-15945: Out-of-bounds access of an ASN.1 Bitstring.
(Closes: #939668)
* CVE-2019-15946: Out-of-bounds access of an ASN.1 Octet string.
(Closes: #939669)
* CVE-2019-19479: Incorrect read operation in the Setec driver.
(Closes: #947383)
* CVE-2019-20792: Double free in the Coolkey driver.
* CVE-2020-26570: Heap-based buffer overflow in the Oberthur driver.
(Closes: #972037)
* CVE-2020-26571: Stack-based buffer overflow in the GPK driver.
(Closes: #972036)
* CVE-2020-26572: Stack-based buffer overflow in the TCOS driver.
(Closes: #972035)
diff -Nru opensc-0.19.0/debian/changelog opensc-0.19.0/debian/changelog
--- opensc-0.19.0/debian/changelog 2018-09-30 23:26:03.0 +0300
+++ opensc-0.19.0/debian/changelog 2022-01-23 19:32:38.0 +0200
@@ -1,3 +1,22 @@
+opensc (0.19.0-1+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2019-15945: Out-of-bounds access of an ASN.1 Bitstring.
+(Closes: #939668)
+ * CVE-2019-15946: Out-of-bounds access of an ASN.1 Octet string.
+(Closes: #939669)
+ * CVE-2019-19479: Incorrect read operation in the Setec driver.
+(Closes: #947383)
+ * CVE-2019-20792: Double free in the Coolkey driver.
+ * CVE-2020-26570: Heap-based buffer overflow in the Oberthur driver.
+(Closes: #972037)
+ * CVE-2020-26571: Stack-based buffer overflow in the GPK driver.
+(Closes: #972036)
+ * CVE-2020-26572: Stack-based buffer overflow in the TCOS driver.
+(Closes: #972035)
+
+ -- Adrian Bunk Sun, 23 Jan 2022 19:32:38 +0200
+
opensc (0.19.0-1) unstable; urgency=medium
* New upstream release (Closes: 908363, 909444)
diff -Nru
opensc-0.19.0/debian/patches/0001-fixed-out-of-bounds-access-of-ASN.1-Bitstring.patch
opensc-0.19.0/debian/patches/0001-fixed-out-of-bounds-access-of-ASN.1-Bitstring.patch
---
opensc-0.19.0/debian/patches/0001-fixed-out-of-bounds-access-of-ASN.1-Bitstring.patch
1970-01-01 02:00:00.0 +0200
+++
opensc-0.19.0/debian/patches/0001-fixed-out-of-bounds-access-of-ASN.1-Bitstring.patch
2022-01-23 19:32:38.0 +0200
@@ -0,0 +1,42 @@
+From 0509b2f61ca948312a15d18712a130f7bffd512e Mon Sep 17 00:00:00 2001
+From: Frank Morgner
+Date: Tue, 27 Aug 2019 15:17:17 +0200
+Subject: fixed out of bounds access of ASN.1 Bitstring
+
+Credit to OSS-Fuzz
+---
+ src/libopensc/asn1.c | 12
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/libopensc/asn1.c b/src/libopensc/asn1.c
+index 3262ed80..fd972238 100644
+--- a/src/libopensc/asn1.c
b/src/libopensc/asn1.c
+@@ -570,16 +570,20 @@ static int decode_bit_string(const u8 * inbuf, size_t
inlen, void *outbuf,
+ {
+ const u8 *in = inbuf;
+ u8 *out = (u8 *) outbuf;
+- int zero_bits = *in & 0x07;
+- size_t octets_left = inlen - 1;
+ int i, count = 0;
++ int zero_bits;
++ size_t octets_left;
+
+- memset(outbuf, 0, outlen);
+- in++;
+ if (outlen < octets_left)
+ return SC_ERROR_BUFFER_TOO_SMALL;
+ if (inlen < 1)
+ return SC_ERROR_INVALID_ASN1_OBJECT;
++
++ zero_bits = *in & 0x07;
++ octets_left = inlen - 1;
++ in++;
++ memset(outbuf, 0, outlen);
++
+ while (octets_left) {
+ /* 1st octet of input: ABCDEFGH, where A is the MSB */
+ /* 1st octet of output: HGFEDCBA, where A is the LSB */
+--
+2.20.1
+
diff -Nru opensc-0.19.0/debian/patches/0002-fixed-compiler-warning.patch
opensc-0.19.0/debian/patches/0002-fixed-compiler-warning.patch
--- opensc-0.19.0/debian/patches/0002-fixed-compiler-warning.patch
1970-01-01 02:00:00.0 +0200
+++ opensc-0.19.0/debian/patches/0002-fixed-compiler-warning.patch
2022-01-23 19:32:38.0 +0200
@@ -0,0 +1,36 @@
+From 28869a7bd4fd928b498638fff27b76b56e58f4d6 Mon Sep 17 00:00:00 2001
+From: Frank Morgner
+Date: Tue, 27 Aug 2019 15:27:15 +0200
+Subject: fixed compiler warning
+
+---
+ src/libopensc/asn1.c | 9 -
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/src/libopensc/asn1.c b/src/libopensc/asn1.c
+index fd972238..10572292 100644
+--- a/src/libopensc/asn1.c
b/src/libopensc/asn1.c
+@@ -574,15 +574,14 @@ static int decode_bit_string(const u8 * inbuf, size_t
inlen, void *outbuf,
+ int zero_bits;
+ size_t octets_left;
+
+- if (outlen < octets_left)
+- return SC_ERROR_BUFFER_TOO_SMALL;
+ if (inlen < 1)
+ return SC_ERROR_INVALID_ASN1_OBJECT;
+-
++ memset(outbuf, 0, outlen);
+ zero_bits = *in & 0x07;
+- octets_left = inlen - 1;
+ in++;
+- memset(outbuf, 0, outlen);
++ octets_left = inlen - 1;
++ if (outlen < octets_left)
++ return SC_ERROR_BUFFER_TOO_SMALL;
+
+ while