packages/opensc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-42778 CVE-2021-42780

Browse Source
This commit is contained in:
Hugel 2022-05-09 16:30:27 +08:00
parent 25670d8abd
commit a43b4c0dbc
4 changed files with 167 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
backport-CVE-2021-42778-idprime-Use-temporary.patch Normal file
View File

@ -0,0 +1,54 @@
From f015746d22d249642c19674298a18ad824db0ed7 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 2 Dec 2020 13:15:11 +0100
Subject: [PATCH] idprime: Use temporary variable instead of messing up the
passed one
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28185
---
src/libopensc/card-idprime.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/libopensc/card-idprime.c b/src/libopensc/card-idprime.c
index cf933140c1..8ca393d11d 100644
--- a/src/libopensc/card-idprime.c
+++ b/src/libopensc/card-idprime.c
@@ -418,6 +418,7 @@ static int idprime_get_token_name(sc_card_t* card, char** tname)
sc_path_t tinfo_path = {"\x00\x00", 2, 0, 0, SC_PATH_TYPE_PATH, {"", 0}};
sc_file_t *file = NULL;
u8 buf[2];
+ char *name;
int r;
LOG_FUNC_CALLED(card->ctx);
@@ -445,20 +446,22 @@ static int idprime_get_token_name(sc_card_t* card, char** tname)
}
sc_file_free(file);
- *tname = malloc(buf[1]);
- if (*tname == NULL) {
+ name = malloc(buf[1]);
+ if (name == NULL) {
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
}
- r = iso_ops->read_binary(card, 2, (unsigned char *)*tname, buf[1], 0);
+ r = iso_ops->read_binary(card, 2, (unsigned char *)name, buf[1], 0);
if (r < 1) {
- free(*tname);
+ free(name);
LOG_FUNC_RETURN(card->ctx, r);
}
- if ((*tname)[r-1] != '\0') {
- (*tname)[r-1] = '\0';
+ if (name[r-1] != '\0') {
+ name[r-1] = '\0';
}
+ *tname = name;
+
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
}

33
backport-CVE-2021-42780-tcos-Check-bounds-in-insert_pin.patch Normal file
View File

@ -0,0 +1,33 @@
From 5df913b7f57ad89b9832555d24c08d23a534311e Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 8 Dec 2020 14:37:39 +0100
Subject: [PATCH] tcos: Check bounds in insert_pin()
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28383
---
src/libopensc/pkcs15-tcos.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c
index feeb7eb39d..74ae0cb92f 100644
--- a/src/libopensc/pkcs15-tcos.c
+++ b/src/libopensc/pkcs15-tcos.c
@@ -242,13 +242,13 @@ static int insert_pin(
"Searching for PIN-Ref %02X\n", pin_reference);
while ((r = sc_read_record(card, ++rec_no, buf, sizeof(buf), SC_RECORD_BY_REC_NR)) > 0) {
int found = 0, fbz = -1;
- if (buf[0] != 0xA0)
+ if (r < 2 || buf[0] != 0xA0)
continue;
- for (i = 2; i < buf[1] + 2; i += 2 + buf[i + 1]) {
+ for (i = 2; i < buf[1] + 2 && (i + 2) < r; i += 2 + buf[i + 1]) {
if (buf[i] == 0x83 && buf[i + 1] == 1 && buf[i + 2] == pin_reference) {
++found;
}
- if (buf[i] == 0x90) {
+ if (buf[i] == 0x90 && (i + 1 + buf[i + 1]) < r) {
fbz = buf[i + 1 + buf[i + 1]];
}
}

73
backport-tcos-Reformat-insert_pin-for-readability.patch Normal file
View File

@ -0,0 +1,73 @@
From 69544553c36f0613f6283e0eeb3f9eb549825986 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 7 Dec 2020 17:44:34 +0100
Subject: [PATCH] tcos: Reformat insert_pin() for readability
---
src/libopensc/pkcs15-tcos.c | 35 ++++++++++++++++++++++-------------
1 file changed, 22 insertions(+), 13 deletions(-)
diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c
index 1134ac11ba..feeb7eb39d 100644
--- a/src/libopensc/pkcs15-tcos.c
+++ b/src/libopensc/pkcs15-tcos.c
@@ -225,12 +225,14 @@ static int insert_pin(
pin_obj.auth_id.len = auth_id ? 0 : 1;
pin_obj.auth_id.value[0] = auth_id;
- if(card->type==SC_CARD_TYPE_TCOS_V3){
+ if(card->type == SC_CARD_TYPE_TCOS_V3) {
unsigned char buf[256];
int i, rec_no=0;
- if(pin_info.path.len>=2) pin_info.path.len-=2;
+ if (pin_info.path.len >= 2) {
+ pin_info.path.len -= 2;
+ }
sc_append_file_id(&pin_info.path, 0x5049);
- if(sc_select_file(card, &pin_info.path, NULL)!=SC_SUCCESS){
+ if (sc_select_file(card, &pin_info.path, NULL) != SC_SUCCESS) {
sc_log(ctx,
"Select(%s) failed\n",
sc_print_path(&pin_info.path));
@@ -238,17 +240,24 @@ static int insert_pin(
}
sc_log(ctx,
"Searching for PIN-Ref %02X\n", pin_reference);
- while((r=sc_read_record(card, ++rec_no, buf, sizeof(buf), SC_RECORD_BY_REC_NR))>0){
- int found=0, fbz=-1;
- if(buf[0]!=0xA0) continue;
- for(i=2;i<buf[1]+2;i+=2+buf[i+1]){
- if(buf[i]==0x83 && buf[i+1]==1 && buf[i+2]==pin_reference) ++found;
- if(buf[i]==0x90) fbz=buf[i+1+buf[i+1]];
+ while ((r = sc_read_record(card, ++rec_no, buf, sizeof(buf), SC_RECORD_BY_REC_NR)) > 0) {
+ int found = 0, fbz = -1;
+ if (buf[0] != 0xA0)
+ continue;
+ for (i = 2; i < buf[1] + 2; i += 2 + buf[i + 1]) {
+ if (buf[i] == 0x83 && buf[i + 1] == 1 && buf[i + 2] == pin_reference) {
+ ++found;
+ }
+ if (buf[i] == 0x90) {
+ fbz = buf[i + 1 + buf[i + 1]];
+ }
+ }
+ if (found) {
+ pin_info.tries_left = fbz;
+ break;
}
- if(found) pin_info.tries_left=fbz;
- if(found) break;
}
- if(r<=0){
+ if (r <= 0) {
sc_log(ctx, "No EF_PWDD-Record found\n");
return 1;
}
@@ -259,6 +268,6 @@ static int insert_pin(
return 1;
}
- pin_info.tries_left=f->prop_attr[3];
+ pin_info.tries_left = f->prop_attr[3];
sc_file_free(f);
}

8
opensc.spec
View File

@ -3,7 +3,7 @@
Name: opensc Name: opensc
Version: 0.21.0 Version: 0.21.0
Release: 4 Release: 5
License: LGPLv2.1+ License: LGPLv2.1+
Summary: Smart card library and applications Summary: Smart card library and applications
URL: https://github.com/OpenSC/OpenSC/wiki URL: https://github.com/OpenSC/OpenSC/wiki
@ -30,6 +30,9 @@ Patch9: oberthur-One-more-overlooked-buffer-overflow.patch
Patch10: cardos-Correctly-calculate-the-left-bytes-to-avoid-b.patch Patch10: cardos-Correctly-calculate-the-left-bytes-to-avoid-b.patch
Patch11: oberthur-Handle-1B-OIDs.patch Patch11: oberthur-Handle-1B-OIDs.patch
Patch12: Fix-ACLs-support.patch Patch12: Fix-ACLs-support.patch
Patch13: backport-CVE-2021-42778-idprime-Use-temporary.patch
Patch14: backport-tcos-Reformat-insert_pin-for-readability.patch
Patch15: backport-CVE-2021-42780-tcos-Check-bounds-in-insert_pin.patch
%description %description
OpenSC provides a set of libraries and utilities to work with smart cards. OpenSC provides a set of libraries and utilities to work with smart cards.
@ -148,6 +151,9 @@ make check
%{_datadir}/opensc/ %{_datadir}/opensc/
%changelog %changelog
* Mon May 9 2022 Hugel <gengqihu1@h-partners.com> - 0.21.0-5
- fix CVE-2021-42778 CVE-2021-42780
* Tue Aug 24 2021 wangjie <wangjie375@huawei.com> - 0.21.0-4 * Tue Aug 24 2021 wangjie <wangjie375@huawei.com> - 0.21.0-4
- fix oss-fuzz - fix oss-fuzz