[Buildroot] [git commit] package/opensc: fix CVE-2023-2977
Yann E. MORIN
yann.morin.1998 at free.fr
Wed Sep 20 17:41:55 UTC 2023
commit: https://git.buildroot.net/buildroot/commit/?id=9c4c3c4c9c0f4e1bf8b98e6465832c05d85317c2
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
A vulnerability was found in OpenSC. This security flaw cause a buffer
overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The
attacker can supply a smart card package with malformed ASN1 context.
The cardos_have_verifyrc_package function scans the ASN1 buffer for 2
tags, where remaining length is wrongly caculated due to moved starting
pointer. This leads to possible heap-based buffer oob read. In cases
where ASAN is enabled while compiling this causes a crash. Further info
leak or more damage is possible.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998 at free.fr>
---
...gth-calculation-to-fix-buffer-overrun-bug.patch | 51 ++++++++++++++++++++++
package/opensc/opensc.mk | 3 ++
2 files changed, 54 insertions(+)
diff --git a/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch b/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
new file mode 100644
index 0000000000..079f960b59
--- /dev/null
+++ b/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
@@ -0,0 +1,51 @@
+From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001
+From: fullwaywang <fullwaywang at tencent.com>
+Date: Mon, 29 May 2023 10:38:48 +0800
+Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer
+ overrun bug. Fixes #2785
+
+Upstream: https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
+---
+ src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
+index 9715cf390f..f41f73c349 100644
+--- a/src/pkcs15init/pkcs15-cardos.c
++++ b/src/pkcs15init/pkcs15-cardos.c
+@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ sc_apdu_t apdu;
+ u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
+ int r;
+- const u8 *p = rbuf, *q;
++ const u8 *p = rbuf, *q, *pp;
+ size_t len, tlen = 0, ilen = 0;
+
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
+@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ return 0;
+
+ while (len != 0) {
+- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+- if (p == NULL)
++ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
++ if (pp == NULL)
+ return 0;
+ if (card->type == SC_CARD_TYPE_CARDOS_M4_3) {
+ /* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 */
+ /* and Package Number 0x07 */
+- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
+ if (q == NULL || ilen != 4)
+ return 0;
+ if (q[0] == 0x07)
+@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4) {
+ /* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03 */
+ /* and Package Number 0x02 */
+- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
+ if (q == NULL || ilen != 4)
+ return 0;
+ if (q[0] == 0x02)
diff --git a/package/opensc/opensc.mk b/package/opensc/opensc.mk
index 32f0fdaa8b..823bc50102 100644
--- a/package/opensc/opensc.mk
+++ b/package/opensc/opensc.mk
@@ -15,4 +15,7 @@ OPENSC_DEPENDENCIES = openssl pcsc-lite
OPENSC_INSTALL_STAGING = YES
OPENSC_CONF_OPTS = --disable-cmocka --disable-strict --disable-tests
+# 0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
+OPENSC_IGNORE_CVES += CVE-2023-2977
+
$(eval $(autotools-package))
More information about the buildroot
mailing list