Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
opensc.35665
opensc-CVE-2024-45616.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File opensc-CVE-2024-45616.patch of Package opensc.35665
commit 1d3b410e06d33cfc4c70e8a25386e456cfbd7bd1 Author: Veronika HanulĂková <vhanulik@redhat.com> Date: Thu Jul 11 15:27:19 2024 +0200 cardos: Fix uninitialized values Thanks Matteo Marini for report https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 fuzz_card/2 Index: opensc-0.13.0/src/libopensc/card-cardos.c =================================================================== --- opensc-0.13.0.orig/src/libopensc/card-cardos.c +++ opensc-0.13.0/src/libopensc/card-cardos.c @@ -59,14 +59,14 @@ static struct sc_atr_table cardos_atrs[] static int cardos_match_card(sc_card_t *card) { - unsigned char atr[SC_MAX_ATR_SIZE]; + unsigned char atr[SC_MAX_ATR_SIZE] = {0}; int i; i = _sc_match_atr(card, cardos_atrs, &card->type); if (i < 0) return 0; - memcpy(atr, card->atr.value, sizeof(atr)); + memcpy(atr, card->atr.value, card->atr.len); /* Do not change card type for CIE! */ if (card->type == SC_CARD_TYPE_CARDOS_CIE_V1) @@ -75,8 +75,8 @@ static int cardos_match_card(sc_card_t * return 1; if (card->type == SC_CARD_TYPE_CARDOS_M4_2) { int rv; - sc_apdu_t apdu; - u8 rbuf[SC_MAX_APDU_BUFFER_SIZE]; + sc_apdu_t apdu = {0}; + u8 rbuf[SC_MAX_APDU_BUFFER_SIZE] = {0}; /* first check some additional ATR bytes */ if ((atr[4] != 0xff && atr[4] != 0x02) || (atr[6] != 0x10 && atr[6] != 0x0a) || @@ -92,7 +92,7 @@ static int cardos_match_card(sc_card_t * apdu.lc = 0; rv = sc_transmit_apdu(card, &apdu); SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, rv, "APDU transmit failed"); - if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00) + if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00 || apdu.resplen < 2) return 0; if (apdu.resp[0] != atr[10] || apdu.resp[1] != atr[11]) Index: opensc-0.13.0/src/libopensc/card-oberthur.c =================================================================== --- opensc-0.13.0.orig/src/libopensc/card-oberthur.c +++ opensc-0.13.0/src/libopensc/card-oberthur.c @@ -153,7 +153,7 @@ auth_select_aid(struct sc_card *card) { struct sc_apdu apdu; unsigned char apdu_resp[SC_MAX_APDU_BUFFER_SIZE]; - struct auth_private_data *data = (struct auth_private_data *) card->drv_data; + struct auth_private_data *data = (struct auth_private_data *)card->drv_data; int rv, ii; unsigned char cm[7] = {0xA0,0x00,0x00,0x00,0x03,0x00,0x00}; struct sc_path tmp_path; @@ -179,6 +179,9 @@ auth_select_aid(struct sc_card *card) rv = sc_transmit_apdu(card, &apdu); SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, rv, "APDU transmit failed"); + if (apdu.resplen < 20) { + LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Serial number has incorrect length"); + } card->serialnr.len = 4; memcpy(card->serialnr.value, apdu.resp+15, 4); Index: opensc-0.13.0/src/libopensc/card-mcrd.c =================================================================== --- opensc-0.13.0.orig/src/libopensc/card-mcrd.c +++ opensc-0.13.0/src/libopensc/card-mcrd.c @@ -767,10 +767,12 @@ do_select(sc_card_t * card, u8 kind, } } - if (p2 == 0x04 && apdu.resp[0] == 0x62) { + if (p2 == 0x04 && apdu.resplen > 2 && apdu.resp[0] == 0x62) { *file = sc_file_new(); if (!*file) SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OUT_OF_MEMORY); + if (apdu.resp[1] > apdu.resplen - 2) + LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_DATA); /* EstEID v3.0 cards are buggy and sometimes return a double 0x62 tag */ if (card->type == SC_CARD_TYPE_MCRD_ESTEID_V30 && apdu.resp[2] == 0x62) process_fcp(card, *file, apdu.resp + 4, apdu.resp[3]); Index: opensc-0.13.0/src/libopensc/asn1.c =================================================================== --- opensc-0.13.0.orig/src/libopensc/asn1.c +++ opensc-0.13.0/src/libopensc/asn1.c @@ -62,7 +62,7 @@ int sc_asn1_read_tag(const u8 ** buf, si size_t left = buflen, len; unsigned int cla, tag, i; - if (left < 2) + if (left == 0 || !p || buflen == 0) return SC_ERROR_INVALID_ASN1_OBJECT; *buf = NULL; if (*p == 0xff || *p == 0) @@ -71,6 +71,8 @@ int sc_asn1_read_tag(const u8 ** buf, si /* parse tag byte(s) */ cla = (*p & SC_ASN1_TAG_CLASS) | (*p & SC_ASN1_TAG_CONSTRUCTED); tag = *p & SC_ASN1_TAG_PRIMITIVE; + if (left < 1) + return SC_ERROR_INVALID_ASN1_OBJECT; p++; left--; if (tag == SC_ASN1_TAG_PRIMITIVE) { Index: opensc-0.13.0/src/libopensc/muscle.c =================================================================== --- opensc-0.13.0.orig/src/libopensc/muscle.c +++ opensc-0.13.0/src/libopensc/muscle.c @@ -89,7 +89,7 @@ int msc_partial_read_object(sc_card_t *c apdu.resp = data; r = sc_transmit_apdu(card, &apdu); SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "APDU transmit failed"); - if(apdu.sw1 == 0x90 && apdu.sw2 == 0x00) + if (apdu.sw1 == 0x90 && apdu.sw2 == 0x00 && dataLength <= apdu.resplen) return dataLength; if(apdu.sw1 == 0x9C) { if(apdu.sw2 == 0x07) { @@ -103,19 +103,22 @@ int msc_partial_read_object(sc_card_t *c } sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "got strange SWs: 0x%02X 0x%02X\n", apdu.sw1, apdu.sw2); - return dataLength; + SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_UNKNOWN_DATA_RECEIVED); } int msc_read_object(sc_card_t *card, msc_id objectId, int offset, u8 *data, size_t dataLength) { - int r; + int r = 0; size_t i; size_t max_read_unit = MSC_MAX_READ; - for(i = 0; i < dataLength; i += max_read_unit) { + for(i = 0; i < dataLength; i += r) { r = msc_partial_read_object(card, objectId, offset + i, data + i, MIN(dataLength - i, max_read_unit)); SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "Error in partial object read"); + if (r==0) + break; + } return dataLength; } Index: opensc-0.13.0/src/libopensc/card-entersafe.c =================================================================== --- opensc-0.13.0.orig/src/libopensc/card-entersafe.c +++ opensc-0.13.0/src/libopensc/card-entersafe.c @@ -1369,6 +1369,9 @@ static int entersafe_get_serialnr(sc_car SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "APDU transmit failed"); SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sc_check_sw(card,apdu.sw1,apdu.sw2),"EnterSafe get SN failed"); + if (apdu.resplen != 8) + LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of SN"); + card->serialnr.len=serial->len=8; memcpy(card->serialnr.value,rbuf,8); memcpy(serial->value,rbuf,8);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor