!63 [sync] PR-61: fix CVE-2023-40661

From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

0007-opensc-CVE-2023-40661-1of12.patch

@@ -0,0 +1,23 @@
+From 578aed8391ef117ca64a9e0cba8e5c264368a0ec Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Thu, 8 Dec 2022 00:27:18 +0100
+Subject: [PATCH] sc_pkcs15init_rmdir: prevent out of bounds write
+
+fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53927
+---
+ src/pkcs15init/pkcs15-lib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
+index 91cee37310..3df03c6e1f 100644
+--- a/src/pkcs15init/pkcs15-lib.c
++++ b/src/pkcs15init/pkcs15-lib.c
+@@ -685,6 +685,8 @@ sc_pkcs15init_rmdir(struct sc_pkcs15_card *p15card, struct sc_profile *profile,
+ 
+ 		path = df->path;
+ 		path.len += 2;
++		if (path.len > SC_MAX_PATH_SIZE)
++			return SC_ERROR_INTERNAL;
+ 
+ 		nfids = r / 2;
+ 		while (r >= 0 && nfids--) {

0008-opensc-CVE-2023-40661-2of12.patch

@@ -0,0 +1,25 @@
+From df5a176bfdf8c52ba89c7fef1f82f6f3b9312bc1 Mon Sep 17 00:00:00 2001
+From: Veronika Hanulikova <xhanulik@fi.muni.cz>
+Date: Fri, 10 Feb 2023 11:47:34 +0100
+Subject: [PATCH] Check array bounds
+
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54312
+---
+ src/libopensc/muscle.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/libopensc/muscle.c b/src/libopensc/muscle.c
+index 61a4ec24d8..9d01e0c113 100644
+--- a/src/libopensc/muscle.c
++++ b/src/libopensc/muscle.c
+@@ -181,6 +181,9 @@ int msc_partial_update_object(sc_card_t *card, msc_id objectId, int offset, cons
+ 	sc_apdu_t apdu;
+ 	int r;
+ 
++	if (dataLength + 9 > MSC_MAX_APDU)
++		return SC_ERROR_INVALID_ARGUMENTS;
++
+ 	sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x54, 0x00, 0x00);
+ 	apdu.lc = dataLength + 9;
+ 	if (card->ctx->debug >= 2)

0009-opensc-CVE-2023-40661-3of12.patch

@@ -0,0 +1,37 @@
+From 5631e9843c832a99769def85b7b9b68b4e3e3959 Mon Sep 17 00:00:00 2001
+From: Veronika Hanulikova <xhanulik@fi.muni.cz>
+Date: Fri, 3 Mar 2023 16:07:38 +0100
+Subject: [PATCH] Check length of string before making copy
+
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55851
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55998
+---
+ src/pkcs15init/profile.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/pkcs15init/profile.c b/src/pkcs15init/profile.c
+index 2b793b0282..3bad1e8536 100644
+--- a/src/pkcs15init/profile.c
++++ b/src/pkcs15init/profile.c
+@@ -1575,7 +1575,10 @@ do_acl(struct state *cur, int argc, char **argv)
+ 	while (argc--) {
+ 		unsigned int	op, method, id;
+ 
++		if (strlen(*argv) >= sizeof(oper))
++			goto bad;
+ 		strlcpy(oper, *argv++, sizeof(oper));
++
+ 		if ((what = strchr(oper, '=')) == NULL)
+ 			goto bad;
+ 		*what++ = '\0';
+@@ -2288,6 +2291,9 @@ get_authid(struct state *cur, const char *value,
+ 		return get_uint(cur, value, type);
+ 	}
+ 
++	if (strlen(value) >= sizeof(temp))
++		return 1;
++
+ 	n = strcspn(value, "0123456789x");
+ 	strlcpy(temp, value, (sizeof(temp) > n) ? n + 1 : sizeof(temp));
+ 

0010-opensc-CVE-2023-40661-4of12.patch

@@ -0,0 +1,396 @@
+From aadd82bb071e574fc57263a103e3bf06ebbd8de7 Mon Sep 17 00:00:00 2001
+From: "Ingo Struck (git commits)" <gitlab@ingostruck.de>
+Date: Sat, 21 Jan 2023 22:15:10 +0100
+Subject: [PATCH] Handle reader limits for SC Card unwrap operations
+
+Fixes #2514
+---
+ src/libopensc/card-sc-hsm.c            | 181 ++++++++++++++-----------
+ src/libopensc/reader-pcsc.c            |  91 ++++++++-----
+ src/tests/fuzzing/fuzz_pkcs15_decode.c |   3 +-
+ src/tests/fuzzing/fuzz_pkcs15_encode.c |   2 +-
+ 4 files changed, 159 insertions(+), 118 deletions(-)
+
+diff --git a/src/libopensc/card-sc-hsm.c b/src/libopensc/card-sc-hsm.c
+index 60d5895127..1b707f08df 100644
+--- a/src/libopensc/card-sc-hsm.c
++++ b/src/libopensc/card-sc-hsm.c
+@@ -145,9 +145,7 @@ static int sc_hsm_select_file_ex(sc_card_t *card,
+ 
+ 	if (file_out == NULL) {				// Versions before 0.16 of the SmartCard-HSM do not support P2='0C'
+ 		rv = sc_hsm_select_file_ex(card, in_path, forceselect, &file);
+-		if (file != NULL) {
+-			sc_file_free(file);
+-		}
++		sc_file_free(file);
+ 		return rv;
+ 	}
+ 
+@@ -181,9 +179,7 @@ static int sc_hsm_select_file_ex(sc_card_t *card,
+ 			LOG_TEST_RET(card->ctx, rv, "Could not select SmartCard-HSM application");
+ 
+ 			if (priv) {
+-				if (priv->dffcp != NULL) {
+-					sc_file_free(priv->dffcp);
+-				}
++				sc_file_free(priv->dffcp);
+ 				// Cache the FCP returned when selecting the applet
+ 				sc_file_dup(&priv->dffcp, *file_out);
+ 			}
+@@ -730,12 +726,12 @@ static int sc_hsm_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data,
+ 			u8 recvbuf[SC_MAX_APDU_BUFFER_SIZE];
+ #ifdef ENABLE_SM
+ 			if (card->sm_ctx.sm_mode != SM_MODE_TRANSMIT) {
+-				sc_log(card->ctx, 
++				sc_log(card->ctx,
+ 						"Session PIN generation only supported in SM");
+ 				LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
+ 			}
+ #else
+-			sc_log(card->ctx, 
++			sc_log(card->ctx,
+ 					"Session PIN generation only supported in SM");
+ 			LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
+ #endif
+@@ -746,7 +742,7 @@ static int sc_hsm_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data,
+ 			apdu.le = 0;
+ 			if (sc_transmit_apdu(card, &apdu) != SC_SUCCESS
+ 					|| sc_check_sw(card, apdu.sw1, apdu.sw2) != SC_SUCCESS) {
+-				sc_log(card->ctx, 
++				sc_log(card->ctx,
+ 						"Generating session PIN failed");
+ 				LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
+ 			}
+@@ -756,12 +752,12 @@ static int sc_hsm_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data,
+ 							apdu.resplen);
+ 					data->pin2.len = apdu.resplen;
+ 				} else {
+-					sc_log(card->ctx, 
++					sc_log(card->ctx,
+ 							"Buffer too small for session PIN");
+ 				}
+ 			}
+ 		} else {
+-			sc_log(card->ctx, 
++			sc_log(card->ctx,
+ 					"Session PIN not supported for this PIN (0x%02X)",
+ 					data->pin_reference);
+ 		}
+@@ -848,47 +844,61 @@ static int sc_hsm_write_ef(sc_card_t *card,
+ 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
+ 	}
+ 
+-	p = cmdbuff;
+-	*p++ = 0x54;
+-	*p++ = 0x02;
+-	*p++ = (idx >> 8) & 0xFF;
+-	*p++ = idx & 0xFF;
+-	*p++ = 0x53;
+-	if (count < 128) {
+-		*p++ = (u8) count;
+-		len = 6;
+-	} else if (count < 256) {
+-		*p++ = 0x81;
+-		*p++ = (u8) count;
+-		len = 7;
+-	} else {
+-		*p++ = 0x82;
+-		*p++ = (count >> 8) & 0xFF;
+-		*p++ = count & 0xFF;
+-		len = 8;
+-	}
++	size_t bytes_left = count;
++	// 8 bytes are required for T54(4) and T53(4)
++	size_t blk_size = card->max_send_size - 8;
++	size_t to_send = 0;
++	size_t offset = (size_t) idx;
++	do {
++		len = 0;
++		to_send = bytes_left >= blk_size ? blk_size : bytes_left;
++		p = cmdbuff;
++		// ASN1 0x54 offset
++		*p++ = 0x54;
++		*p++ = 0x02;
++		*p++ = (offset >> 8) & 0xFF;
++		*p++ = offset & 0xFF;
++		// ASN1 0x53 to_send
++		*p++ = 0x53;
++		if (to_send < 128) {
++			*p++ = (u8)to_send;
++			len = 6;
++		} else if (to_send < 256) {
++			*p++ = 0x81;
++			*p++ = (u8)to_send;
++			len = 7;
++		} else {
++			*p++ = 0x82;
++			*p++ = (to_send >> 8) & 0xFF;
++			*p++ = to_send & 0xFF;
++			len = 8;
++		}
+ 
+-	if (buf != NULL)
+-		memcpy(p, buf, count);
+-	len += count;
++		if (buf != NULL)
++			memcpy(p, buf+offset, to_send);
++		len += to_send;
+ 
+-	sc_format_apdu(card, &apdu, SC_APDU_CASE_3, 0xD7, fid >> 8, fid & 0xFF);
+-	apdu.data = cmdbuff;
+-	apdu.datalen = len;
+-	apdu.lc = len;
++		sc_format_apdu(card, &apdu, SC_APDU_CASE_3, 0xD7, fid >> 8, fid & 0xFF);
++		apdu.data = cmdbuff;
++		apdu.datalen = len;
++		apdu.lc = len;
+ 
+-	r = sc_transmit_apdu(card, &apdu);
+-	free(cmdbuff);
+-	LOG_TEST_RET(ctx, r, "APDU transmit failed");
++		r = sc_transmit_apdu(card, &apdu);
++		LOG_TEST_GOTO_ERR(ctx, r, "APDU transmit failed");
++		r = sc_check_sw(card, apdu.sw1, apdu.sw2);
++		LOG_TEST_GOTO_ERR(ctx, r, "Check SW error");
+ 
+-	r =  sc_check_sw(card, apdu.sw1, apdu.sw2);
+-	LOG_TEST_RET(ctx, r, "Check SW error");
++		bytes_left -= to_send;
++		offset += to_send;
++	} while (0 < bytes_left);
++
++err:
++	free(cmdbuff);
+ 
+ 	LOG_FUNC_RETURN(ctx, count);
+ }
+ 
+ 
+-
+ static int sc_hsm_update_binary(sc_card_t *card,
+ 			       unsigned int idx, const u8 *buf, size_t count,
+ 			       unsigned long flags)
+@@ -1227,7 +1237,7 @@ static int sc_hsm_initialize(sc_card_t *card, sc_cardctl_sc_hsm_init_param_t *pa
+ 		return SC_ERROR_INVALID_ARGUMENTS;
+ 	}
+ 	*p++ = 0x81;	// User PIN
+-	*p++ = (u8) params->user_pin_len;
++	*p++ = (u8)params->user_pin_len;
+ 	memcpy(p, params->user_pin, params->user_pin_len);
+ 	p += params->user_pin_len;
+ 
+@@ -1400,12 +1410,11 @@ static int sc_hsm_unwrap_key(sc_card_t *card, sc_cardctl_sc_hsm_wrapped_key_t *p
+ 
+ 	LOG_FUNC_CALLED(card->ctx);
+ 
+-	sc_format_apdu(card, &apdu, SC_APDU_CASE_3_EXT, 0x74, params->key_id, 0x93);
+-	apdu.cla = 0x80;
+-	apdu.lc = params->wrapped_key_length;
+-	apdu.data = params->wrapped_key;
+-	apdu.datalen = params->wrapped_key_length;
++	r = sc_hsm_write_ef(card, 0x2F10, 0, params->wrapped_key, params->wrapped_key_length);
++	LOG_TEST_RET(card->ctx, r, "Create EF failed");
+ 
++	sc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0x74, params->key_id, 0x93);
++	apdu.cla = 0x80;
+ 	r = sc_transmit_apdu(card, &apdu);
+ 	LOG_TEST_RET(ctx, r, "APDU transmit failed");
+ 
+@@ -1765,17 +1774,10 @@ static int sc_hsm_init(struct sc_card *card)
+ 	int flags,ext_flags;
+ 	sc_file_t *file = NULL;
+ 	sc_path_t path;
+-	sc_hsm_private_data_t *priv = card->drv_data;
++	sc_hsm_private_data_t *priv = NULL;
+ 
+ 	LOG_FUNC_CALLED(card->ctx);
+ 
+-	if (!priv) {
+-		priv = calloc(1, sizeof(sc_hsm_private_data_t));
+-		if (!priv)
+-			LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
+-		card->drv_data = priv;
+-	}
+-
+ 	flags = SC_ALGORITHM_RSA_RAW|SC_ALGORITHM_RSA_PAD_PSS|SC_ALGORITHM_ONBOARD_KEY_GEN;
+ 
+ 	_sc_card_add_rsa_alg(card, 1024, flags, 0);
+@@ -1807,6 +1809,46 @@ static int sc_hsm_init(struct sc_card *card)
+ 
+ 	card->caps |= SC_CARD_CAP_RNG|SC_CARD_CAP_APDU_EXT|SC_CARD_CAP_ISO7816_PIN_INFO;
+ 
++	// APDU Buffer limits
++	//   JCOP 2.4.1r3           1462
++	//   JCOP 2.4.2r3           1454
++	//   JCOP 3                 1232
++	//   MicroSD with JCOP 3    478 / 506 - handled in reader-pcsc.c
++	//   Reiner SCT             1014 - handled in reader-pcsc.c
++
++	// Use JCOP 3 card limits for sending
++	card->max_send_size = 1232;
++	// Assume that card supports sending with extended length APDU and without limit
++	card->max_recv_size = 0;
++
++	if (card->type == SC_CARD_TYPE_SC_HSM_SOC
++			|| card->type == SC_CARD_TYPE_SC_HSM_GOID) {
++		card->max_recv_size = 0x0630;	// SoC Proxy forces this limit
++	} else {
++		// Adjust to the limits set by the reader
++		if (card->reader->max_send_size < card->max_send_size) {
++			if (18 >= card->reader->max_send_size)
++				LOG_FUNC_RETURN(card->ctx, SC_ERROR_INCONSISTENT_CONFIGURATION);
++
++			// 17 byte header and TLV because of odd ins in UPDATE BINARY
++			card->max_send_size = card->reader->max_send_size - 17;
++		}
++
++		if (0 < card->reader->max_recv_size) {
++			if (3 >= card->reader->max_recv_size)
++				LOG_FUNC_RETURN(card->ctx, SC_ERROR_INCONSISTENT_CONFIGURATION);
++			card->max_recv_size = card->reader->max_recv_size - 2;
++		}
++	}
++
++	priv = card->drv_data;
++	if (!priv) {
++		priv = calloc(1, sizeof(sc_hsm_private_data_t));
++		if (!priv)
++			LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
++		card->drv_data = priv;
++	}
++
+ 	sc_path_set(&path, SC_PATH_TYPE_DF_NAME, sc_hsm_aid.value, sc_hsm_aid.len, 0, 0);
+ 	if (sc_hsm_select_file_ex(card, &path, 0, &file) == SC_SUCCESS
+ 			&& file && file->prop_attr && file->prop_attr_len >= 2) {
+@@ -1839,25 +1881,6 @@ static int sc_hsm_init(struct sc_card *card)
+ 	}
+ 	sc_file_free(file);
+ 
+-	// APDU Buffer limits
+-	//   JCOP 2.4.1r3           1462
+-	//   JCOP 2.4.2r3           1454
+-	//   JCOP 3                 1232
+-	//   MicroSD with JCOP 3    478 / 506
+-	//   Reiner SCT             1014
+-
+-	card->max_send_size = 1232 - 17;	// 1232 buffer size - 17 byte header and TLV because of odd ins in UPDATE BINARY
+-
+-	if (!strncmp("Secure Flash Card", card->reader->name, 17)) {
+-		card->max_send_size = 478 - 17;
+-		card->max_recv_size = 506 - 2;
+-	} else if (card->type == SC_CARD_TYPE_SC_HSM_SOC
+-			|| card->type == SC_CARD_TYPE_SC_HSM_GOID) {
+-		card->max_recv_size = 0x0630;	// SoC Proxy forces this limit
+-	} else {
+-		card->max_recv_size = 0;		// Card supports sending with extended length APDU and without limit
+-	}
+-
+ 	priv->EF_C_DevAut = NULL;
+ 	priv->EF_C_DevAut_len = 0;
+ 
+@@ -1883,13 +1906,11 @@ static int sc_hsm_finish(sc_card_t * card)
+ #ifdef ENABLE_SM
+ 	sc_sm_stop(card);
+ #endif
+-	if (priv->serialno) {
++	if (priv) {
+ 		free(priv->serialno);
+-	}
+-	if (priv->dffcp) {
+ 		sc_file_free(priv->dffcp);
++		free(priv->EF_C_DevAut);
+ 	}
+-	free(priv->EF_C_DevAut);
+ 	free(priv);
+ 
+ 	return SC_SUCCESS;
+diff --git a/src/libopensc/reader-pcsc.c b/src/libopensc/reader-pcsc.c
+index 40bfd293d3..04d5ac8fdd 100644
+--- a/src/libopensc/reader-pcsc.c
++++ b/src/libopensc/reader-pcsc.c
+@@ -311,7 +311,7 @@ static int pcsc_transmit(sc_reader_t *reader, sc_apdu_t *apdu)
+ 	 * The buffer for the returned data needs to be at least 2 bytes
+ 	 * larger than the expected data length to store SW1 and SW2. */
+ 	rsize = rbuflen = apdu->resplen <= 256 ? 258 : apdu->resplen + 2;
+-	rbuf     = malloc(rbuflen);
++	rbuf = malloc(rbuflen);
+ 	if (rbuf == NULL) {
+ 		r = SC_ERROR_OUT_OF_MEMORY;
+ 		goto out;
+@@ -424,7 +424,7 @@ static int refresh_attributes(sc_reader_t *reader)
+ 		if (priv->reader_state.cbAtr > SC_MAX_ATR_SIZE)
+ 			return SC_ERROR_INTERNAL;
+ 
+-		/* Some cards have a different cold (after a powerup) and warm (after a reset) ATR  */
++		/* Some cards have a different cold (after a powerup) and warm (after a reset) ATR */
+ 		if (memcmp(priv->reader_state.rgbAtr, reader->atr.value, priv->reader_state.cbAtr) != 0) {
+ 			reader->atr.len = priv->reader_state.cbAtr;
+ 			memcpy(reader->atr.value, priv->reader_state.rgbAtr, reader->atr.len);
+@@ -556,7 +556,7 @@ static int pcsc_reconnect(sc_reader_t * reader, DWORD action)
+ 			priv->gpriv->connect_exclusive ? SCARD_SHARE_EXCLUSIVE : SCARD_SHARE_SHARED,
+ 			protocol, action, &active_proto);
+ 
+-	
++
+ 	PCSC_TRACE(reader, "SCardReconnect returned", rv);
+ 	if (rv != SCARD_S_SUCCESS) {
+ 		PCSC_TRACE(reader, "SCardReconnect failed", rv);
+@@ -593,7 +593,7 @@ static void initialize_uid(sc_reader_t *reader)
+ 			sc_log_hex(reader->ctx, "UID",
+ 					reader->uid.value, reader->uid.len);
+ 		} else {
+-			sc_log(reader->ctx,  "unable to get UID");
++			sc_log(reader->ctx, "unable to get UID");
+ 		}
+ 	}
+ }
+@@ -1240,11 +1240,11 @@ static void detect_reader_features(sc_reader_t *reader, SCARDHANDLE card_handle)
+ 					sc_log(ctx, "Reader has a display: %04X", caps->wLcdLayout);
+ 					reader->capabilities |= SC_READER_CAP_DISPLAY;
+ 				}
+-				else   {
++				else {
+ 					sc_log(ctx, "Reader does not have a display.");
+ 				}
+ 			}
+-			else   {
++			else {
+ 				sc_log(ctx,
+ 						"Returned PIN properties structure has bad length (%lu/%"SC_FORMAT_LEN_SIZE_T"u)",
+ 						(unsigned long)rcount,
+@@ -1304,7 +1325,7 @@ static void detect_reader_features(sc_reader_t *reader, SCARDHANDLE card_handle)
+ 		}
+ 
+ 		rcount = sizeof i;
+-		if(gpriv->SCardGetAttrib(card_handle, SCARD_ATTR_VENDOR_IFD_VERSION,
++		if (gpriv->SCardGetAttrib(card_handle, SCARD_ATTR_VENDOR_IFD_VERSION,
+ 					(u8 *) &i, &rcount) == SCARD_S_SUCCESS
+ 				&& rcount == sizeof i) {
+ 			reader->version_major = (i >> 24) & 0xFF;
+@@ -1314,7 +1335,7 @@ static void detect_reader_features(sc_reader_t *reader, SCARDHANDLE card_handle)
+ }
+ 
+ int pcsc_add_reader(sc_context_t *ctx,
+-	   	char *reader_name, size_t reader_name_len,
++		char *reader_name, size_t reader_name_len,
+ 		sc_reader_t **out_reader)
+ {
+ 	int ret = SC_ERROR_INTERNAL;
+@@ -1574,7 +1595,7 @@ static int pcsc_wait_for_event(sc_context_t *ctx, unsigned int event_mask, sc_re
+ 
+ 	LOG_FUNC_CALLED(ctx);
+ 
+-	if (!event_reader && !event && reader_states)   {
++	if (!event_reader && !event && reader_states) {
+ 		sc_log(ctx, "free allocated reader states");
+ 		free(*reader_states);
+ 		*reader_states = NULL;
+@@ -1958,7 +1979,7 @@ static int part10_build_modify_pin_block(struct sc_reader *reader, u8 * buf, siz
+ 	sc_apdu_t *apdu = data->apdu;
+ 	u8 tmp;
+ 	unsigned int tmp16;
+-	PIN_MODIFY_STRUCTURE *pin_modify  = (PIN_MODIFY_STRUCTURE *)buf;
++	PIN_MODIFY_STRUCTURE *pin_modify = (PIN_MODIFY_STRUCTURE *)buf;
+ 	struct sc_pin_cmd_pin *pin_ref =
+ 		data->flags & SC_PIN_CMD_IMPLICIT_CHANGE ?
+ 		&data->pin2 : &data->pin1;

0011-opensc-CVE-2023-40661-5of12.patch

@@ -0,0 +1,61 @@
+From dd138d0600a1acd7991989127f36827e5836b24e Mon Sep 17 00:00:00 2001
+From: "Ingo Struck (git commits)" <gitlab@ingostruck.de>
+Date: Thu, 16 Mar 2023 22:12:49 +0100
+Subject: [PATCH] Fixed loop in sc_hsm_write_ef, handle offset into buf and
+ into EF separately
+
+---
+ src/libopensc/card-sc-hsm.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/src/libopensc/card-sc-hsm.c b/src/libopensc/card-sc-hsm.c
+index 1b707f08df..c100a87c2a 100644
+--- a/src/libopensc/card-sc-hsm.c
++++ b/src/libopensc/card-sc-hsm.c
+@@ -782,7 +782,7 @@ static int sc_hsm_logout(sc_card_t * card)
+ }
+ 
+ 
+-
++/* NOTE: idx is an offset into the card's file, not into buf */
+ static int sc_hsm_read_binary(sc_card_t *card,
+ 			       unsigned int idx, u8 *buf, size_t count,
+ 			       unsigned long flags)
+@@ -823,7 +823,7 @@ static int sc_hsm_read_binary(sc_card_t *card,
+ }
+ 
+ 
+-
++/* NOTE: idx is an offset into the card's file, not into buf */
+ static int sc_hsm_write_ef(sc_card_t *card,
+ 			       int fid,
+ 			       unsigned int idx, const u8 *buf, size_t count)
+@@ -848,7 +848,8 @@ static int sc_hsm_write_ef(sc_card_t *card,
+ 	// 8 bytes are required for T54(4) and T53(4)
+ 	size_t blk_size = card->max_send_size - 8;
+ 	size_t to_send = 0;
+-	size_t offset = (size_t) idx;
++	size_t file_offset = (size_t) idx;
++	size_t offset = 0;
+ 	do {
+ 		len = 0;
+ 		to_send = bytes_left >= blk_size ? blk_size : bytes_left;
+@@ -856,8 +857,8 @@ static int sc_hsm_write_ef(sc_card_t *card,
+ 		// ASN1 0x54 offset
+ 		*p++ = 0x54;
+ 		*p++ = 0x02;
+-		*p++ = (offset >> 8) & 0xFF;
+-		*p++ = offset & 0xFF;
++		*p++ = (file_offset >> 8) & 0xFF;
++		*p++ = file_offset & 0xFF;
+ 		// ASN1 0x53 to_send
+ 		*p++ = 0x53;
+ 		if (to_send < 128) {
+@@ -890,6 +891,7 @@ static int sc_hsm_write_ef(sc_card_t *card,
+ 
+ 		bytes_left -= to_send;
+ 		offset += to_send;
++		file_offset += to_send;
+ 	} while (0 < bytes_left);
+ 
+ err:

0012-opensc-CVE-2023-40661-6of12.patch

@@ -0,0 +1,25 @@
+From c449a181a6988cc1e8dc8764d23574e48cdc3fa6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Mon, 19 Jun 2023 16:14:51 +0200
+Subject: [PATCH] pkcs15-cflex: check path length to prevent underflow
+
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58932
+---
+ src/pkcs15init/pkcs15-cflex.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/pkcs15init/pkcs15-cflex.c b/src/pkcs15init/pkcs15-cflex.c
+index d06568073d..ce1d48e62c 100644
+--- a/src/pkcs15init/pkcs15-cflex.c
++++ b/src/pkcs15init/pkcs15-cflex.c
+@@ -56,6 +56,9 @@ cflex_delete_file(sc_profile_t *profile, sc_pkcs15_card_t *p15card, sc_file_t *d
+         int             r = 0;
+         /* Select the parent DF */
+         path = df->path;
++		if (path.len < 2) {
++			return SC_ERROR_INVALID_ARGUMENTS;
++		}
+         path.len -= 2;
+         r = sc_select_file(p15card->card, &path, &parent);
+         if (r < 0)

0013-opensc-CVE-2023-40661-7of12.patch

@@ -0,0 +1,27 @@
+From 88880db0307a07e33cf2e1592bb029e9c170dfea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Wed, 21 Jun 2023 15:48:27 +0200
+Subject: [PATCH] pkcs15-pubkey: free DER value when parsing public key fails
+
+The der value might be allocated in asn1_decode_entry()
+but it is not released when errror occurs.
+
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59615
+---
+ src/libopensc/pkcs15-pubkey.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libopensc/pkcs15-pubkey.c b/src/libopensc/pkcs15-pubkey.c
+index 4a0ddffbeb..7107c47cbc 100644
+--- a/src/libopensc/pkcs15-pubkey.c
++++ b/src/libopensc/pkcs15-pubkey.c
+@@ -351,6 +351,8 @@ int sc_pkcs15_decode_pukdf_entry(struct sc_pkcs15_card *p15card,
+ err:
+ 	if (r < 0) {
+ 		sc_pkcs15_free_pubkey_info(info);
++		if (der->len)
++			free(der->value);
+ 	}
+ 
+ 	LOG_FUNC_RETURN(ctx, r);

0014-opensc-CVE-2023-40661-8of12.patch

@@ -0,0 +1,29 @@
+From 638a5007a5d240d6fa901aa822cfeef94fe36e85 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Thu, 10 Aug 2023 12:20:33 +0200
+Subject: [PATCH] pkcs15-pubkey.c: Avoid double-free
+
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60616
+---
+ src/libopensc/pkcs15-pubkey.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/libopensc/pkcs15-pubkey.c b/src/libopensc/pkcs15-pubkey.c
+index 7107c47cbc..49b514968b 100644
+--- a/src/libopensc/pkcs15-pubkey.c
++++ b/src/libopensc/pkcs15-pubkey.c
+@@ -351,8 +351,12 @@ int sc_pkcs15_decode_pukdf_entry(struct sc_pkcs15_card *p15card,
+ err:
+ 	if (r < 0) {
+ 		sc_pkcs15_free_pubkey_info(info);
+-		if (der->len)
++		if (der->len) {
+ 			free(der->value);
++			/* der points to obj->content */
++			obj->content.value = NULL;
++			obj->content.len = 0;
++		}
+ 	}
+ 
+ 	LOG_FUNC_RETURN(ctx, r);

0015-opensc-CVE-2023-40661-9of12.patch

@@ -0,0 +1,27 @@
+From ce7fcdaa35196706a83fe982900228e15464f928 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 17 Aug 2023 11:55:06 +0200
+Subject: [PATCH] oberthur: Avoid heap buffer overflow
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650
+---
+ src/pkcs15init/pkcs15-oberthur.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/pkcs15init/pkcs15-oberthur.c b/src/pkcs15init/pkcs15-oberthur.c
+index 377e28948e..b20bd6e6c4 100644
+--- a/src/pkcs15init/pkcs15-oberthur.c
++++ b/src/pkcs15init/pkcs15-oberthur.c
+@@ -531,7 +531,9 @@ cosm_new_file(struct sc_profile *profile, struct sc_card *card,
+ 	}
+ 
+ 	file->id |= (num & 0xFF);
+-	file->path.value[file->path.len-1] |= (num & 0xFF);
++	if (file->path.len) {
++		file->path.value[file->path.len - 1] |= (num & 0xFF);
++	}
+ 	if (file->type == SC_FILE_TYPE_INTERNAL_EF)   {
+ 		file->ef_structure = structure;
+ 	}

0016-opensc-CVE-2023-40661-10of12.patch

@@ -0,0 +1,25 @@
+From 440ca666eff10cc7011901252d20f3fc4ea23651 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 17 Aug 2023 13:41:36 +0200
+Subject: [PATCH] setcos: Avoid buffer underflow
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60672
+---
+ src/pkcs15init/pkcs15-setcos.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/src/pkcs15init/pkcs15-setcos.c
++++ b/src/pkcs15init/pkcs15-setcos.c
+@@ -349,6 +349,10 @@ setcos_create_key(sc_profile_t *profile,
+ 
+ 	/* Replace the path of instantiated key template by the path from the object data. */
+         memcpy(&file->path, &key_info->path, sizeof(file->path));
++	if (file->path.len < 2) {
++		sc_file_free(file);
++		LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Invalid path");
++	}
+         file->id = file->path.value[file->path.len - 2] * 0x100
+ 		+ file->path.value[file->path.len - 1];
+ 

0017-opensc-CVE-2023-40661-11of12.patch

@@ -0,0 +1,38 @@
+From 245efe608d083fd4e4ec96793fdefd218e26fde7 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 17 Aug 2023 13:54:42 +0200
+Subject: [PATCH] pkcs15: Avoid buffer overflow when getting last update
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60769
+---
+ src/libopensc/pkcs15.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/src/libopensc/pkcs15.c
++++ b/src/libopensc/pkcs15.c
+@@ -528,7 +528,7 @@ sc_pkcs15_get_lastupdate(struct sc_pkcs1
+ 	struct sc_context *ctx  = p15card->card->ctx;
+ 	struct sc_file *file = NULL;
+ 	struct sc_asn1_entry asn1_last_update[C_ASN1_LAST_UPDATE_SIZE];
+-	unsigned char *content, last_update[32];
++	unsigned char *content, last_update[32] = {0};
+ 	size_t lupdate_len = sizeof(last_update) - 1;
+ 	int r, content_len;
+ 	size_t size;
+@@ -564,9 +564,11 @@ sc_pkcs15_get_lastupdate(struct sc_pkcs1
+ 	if (r < 0)
+ 		return NULL;
+ 
+-	p15card->tokeninfo->last_update.gtime = strdup((char *)last_update);
+-	if (!p15card->tokeninfo->last_update.gtime)
+-		return NULL;
++	if (asn1_last_update[0].flags & SC_ASN1_PRESENT) {
++		p15card->tokeninfo->last_update.gtime = strdup((char *)last_update);
++		if (!p15card->tokeninfo->last_update.gtime)
++			return NULL;
++	}
+ done:
+ 	sc_log(ctx, "lastUpdate.gtime '%s'", p15card->tokeninfo->last_update.gtime);
+ 	return p15card->tokeninfo->last_update.gtime;

0018-opensc-CVE-2023-40661-12of12.patch

@@ -0,0 +1,26 @@
+From 41d61da8481582e12710b5858f8b635e0a71ab5e Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 20 Sep 2023 10:13:57 +0200
+Subject: [PATCH] oberthur: Avoid buffer overflow
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650
+---
+ src/pkcs15init/pkcs15-oberthur.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/pkcs15init/pkcs15-oberthur.c b/src/pkcs15init/pkcs15-oberthur.c
+index ad2cabd530..c441ab1e76 100644
+--- a/src/pkcs15init/pkcs15-oberthur.c
++++ b/src/pkcs15init/pkcs15-oberthur.c
+@@ -715,6 +715,9 @@ cosm_create_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
+ 	if (object->type != SC_PKCS15_TYPE_PRKEY_RSA)
+ 		LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Create key failed: RSA only supported");
+ 
++	if (key_info->path.len < 2)
++		LOG_TEST_RET(ctx, SC_ERROR_OBJECT_NOT_VALID, "The path needs to be at least to bytes long");
++
+ 	sc_log(ctx,  "create private key ID:%s",  sc_pkcs15_print_id(&key_info->id));
+ 	/* Here, the path of private key file should be defined.
+ 	 * Nevertheless, we need to instantiate private key to get the ACLs. */

opensc.spec

@@ -3,7 +3,7 @@
 
 Name:            opensc
 Version:         0.21.0
-Release:         8
+Release:         9
 License:         LGPLv2.1+
 Summary:         Smart card library and applications
 URL:             https://github.com/OpenSC/OpenSC/wiki
@@ -40,6 +40,18 @@ Patch19:  backport-0005-CVE-2021-42782-PIV-Improved-parsing.patch
 Patch20:  backport-0006-CVE-2023-2977-correct_left_length_calculation_to_fix_buffer.patch
 Patch21:  0003-opensc-CVE-2023-40660-1of2.patch
 Patch22:  0004-opensc-CVE-2023-40660-2of2.patch
+Patch23:         0007-opensc-CVE-2023-40661-1of12.patch
+Patch24:         0008-opensc-CVE-2023-40661-2of12.patch
+Patch25:         0009-opensc-CVE-2023-40661-3of12.patch
+Patch26:         0010-opensc-CVE-2023-40661-4of12.patch
+Patch27:         0011-opensc-CVE-2023-40661-5of12.patch
+Patch28:         0012-opensc-CVE-2023-40661-6of12.patch
+Patch29:         0013-opensc-CVE-2023-40661-7of12.patch
+Patch30:         0014-opensc-CVE-2023-40661-8of12.patch
+Patch31:         0015-opensc-CVE-2023-40661-9of12.patch
+Patch32:         0016-opensc-CVE-2023-40661-10of12.patch
+Patch33:         0017-opensc-CVE-2023-40661-11of12.patch
+Patch34:         0018-opensc-CVE-2023-40661-12of12.patch
 
 %description
 OpenSC provides a set of libraries and utilities to work with smart cards.
@@ -158,6 +170,9 @@ make check
 %{_datadir}/opensc/
 
 %changelog
+* Wed Nov  8 2023 dillon chen <dillon.chen@gmail.com> - 0.21.0-9
+- fix CVE-2023-40661
+
 * Mon Oct 23 2023 dillon chen <dillon.chen@gmail.com> - 0.21.0-8
 - fix CVE-2023-40660