!63 [sync] PR-61: fix CVE-2023-40661

From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

0003-opensc-CVE-2023-40660-1of2.patch

@@ -0,0 +1,50 @@
+From 74ddc3636db18ae78de62922a74bfdefae015c76 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Wed, 21 Jun 2023 12:27:23 +0200
+Subject: [PATCH] Fixed PIN authentication bypass
+
+If two processes are accessing a token, then one process may leave the
+card usable with an authenticated PIN so that a key may sign/decrypt any
+data. This is especially the case if the token does not support a way of
+resetting the authentication status (logout).
+
+We have some tracking of the authentication status in software via
+PKCS#11, Minidriver (os-wise) and CryptoTokenKit, which is why a
+PIN-prompt will appear even though the card may technically be unlocked
+as described in the above example. However, before this change, an empty
+PIN was not verified (likely yielding an error during PIN-verification),
+but it was just checked whether the PIN is authenticated. This defeats
+the purpose of the PIN verification, because an empty PIN is not the
+correct one. Especially during OS Logon, we don't want that kind of
+shortcut, but we want the user to verify the correct PIN (even though
+the token was left unattended and authentication at the computer).
+
+This essentially reverts commit e6f7373ef066cfab6e3162e8b5f692683db23864.
+---
+ src/libopensc/pkcs15-pin.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c
+index 48e16fdc1c..2402675316 100644
+--- a/src/libopensc/pkcs15-pin.c
++++ b/src/libopensc/pkcs15-pin.c
+@@ -307,19 +307,6 @@ sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *pi
+ 		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_PIN_REFERENCE);
+ 	auth_info = (struct sc_pkcs15_auth_info *)pin_obj->data;
+ 
+-	/*
+-	 * if pin cache is disabled, we can get here with no PIN data.
+-	 * in this case, to avoid error or unnecessary pin prompting on pinpad,
+-	 * check if the PIN has been already verified and the access condition
+-	 * is still open on card.
+-	 */
+-	if (pinlen == 0) {
+-	    r = sc_pkcs15_get_pin_info(p15card, pin_obj);
+-
+-	    if (r == SC_SUCCESS && auth_info->logged_in == SC_PIN_STATE_LOGGED_IN)
+-		LOG_FUNC_RETURN(ctx, r);
+-	}
+-
+ 	r = _validate_pin(p15card, auth_info, pinlen);
+ 
+ 	if (r)

0004-opensc-CVE-2023-40660-2of2.patch

@@ -0,0 +1,490 @@
+From d7fadae950f6d33b32f979759c06ab78a3475c22 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Wed, 21 Jun 2023 13:49:40 +0200
+Subject: [PATCH 01/15] PIV: implemented logout
+
+---
+ src/libopensc/card-asepcos.c    |   15 +++++++++++++
+ src/libopensc/card-authentic.c  |   11 ++++++++++
+ src/libopensc/card-cac.c        |   10 ++++++---
+ src/libopensc/card-cac1.c       |   10 ++++++---
+ src/libopensc/card-coolkey.c    |    3 --
+ src/libopensc/card-edo.c        |    7 ++++++
+ src/libopensc/card-epass2003.c  |   18 ++++++++++++++++
+ src/libopensc/card-esteid2018.c |    5 ++++
+ src/libopensc/card-gemsafeV1.c  |    8 +++++++
+ src/libopensc/card-isoApplet.c  |    8 +++++++
+ src/libopensc/card-jpki.c       |    6 +++++
+ src/libopensc/card-mcrd.c       |   10 +++++++++
+ src/libopensc/card-muscle.c     |   18 ++++++++++++----
+ src/libopensc/card-piv.c        |   20 ++++++++++--------
+ src/libopensc/card-westcos.c    |   44 ++++++++++++++++++++++++----------------
+ 16 files changed, 155 insertions(+), 49 deletions(-)
+
+--- a/src/libopensc/card-asepcos.c
++++ b/src/libopensc/card-asepcos.c
+@@ -1050,6 +1050,20 @@ static int asepcos_card_reader_lock_obta
+ 	LOG_FUNC_RETURN(card->ctx, r);
+ }
+ 
++static int asepcos_logout(sc_card_t *card)
++{
++	int r = SC_ERROR_NOT_SUPPORTED;
++
++	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
++
++	if (card->type == SC_CARD_TYPE_ASEPCOS_JAVA) {
++		/* in case of a Java card try to select the ASEPCOS applet */
++		r = asepcos_select_asepcos_applet(card);
++	}
++
++	LOG_FUNC_RETURN(card->ctx, r);
++}
++
+ static struct sc_card_driver * sc_get_driver(void)
+ {
+ 	if (iso_ops == NULL)
+@@ -1066,6 +1080,7 @@ static struct sc_card_driver * sc_get_dr
+ 	asepcos_ops.list_files        = asepcos_list_files;
+ 	asepcos_ops.card_ctl          = asepcos_card_ctl;
+ 	asepcos_ops.pin_cmd           = asepcos_pin_cmd;
++	asepcos_ops.logout            = asepcos_logout;
+ 	asepcos_ops.card_reader_lock_obtained = asepcos_card_reader_lock_obtained;
+ 
+ 	return &asepcos_drv;
+--- a/src/libopensc/card-authentic.c
++++ b/src/libopensc/card-authentic.c
+@@ -2311,6 +2311,17 @@ authentic_sm_get_wrapped_apdu(struct sc_
+ }
+ #endif
+ 
++int authentic_logout(sc_card_t *card)
++{
++	int r = SC_ERROR_NOT_SUPPORTED;
++
++	if (card->type == SC_CARD_TYPE_OBERTHUR_AUTHENTIC_3_2) {
++		r = authentic_select_aid(card, aid_AuthentIC_3_2, sizeof(aid_AuthentIC_3_2), NULL, NULL);
++	}
++
++	return r;
++}
++
+ static struct sc_card_driver *
+ sc_get_driver(void)
+ {
+--- a/src/libopensc/card-cac.c
++++ b/src/libopensc/card-cac.c
+@@ -1831,9 +1831,6 @@ static int cac_match_card(sc_card_t *car
+ {
+ 	int r;
+ 	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+-	/* Since we send an APDU, the card's logout function may be called...
+-	 * however it may be in dirty memory */
+-	card->ops->logout = NULL;
+ 
+ 	r = cac_find_and_initialize(card, 0);
+ 	return (r == SC_SUCCESS); /* never match */
+@@ -1862,6 +1859,12 @@ static int cac_init(sc_card_t *card)
+ 	LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
+ }
+ 
++static int cac_logout(sc_card_t *card)
++{
++	int index;
++	return cac_find_first_pki_applet(card, &index);
++}
++
+ static int cac_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, int *tries_left)
+ {
+ 	/* CAC, like PIV needs Extra validation of (new) PIN during
+@@ -1933,6 +1936,7 @@ static struct sc_card_driver * sc_get_dr
+ 	cac_ops.decipher =  cac_decipher;
+ 	cac_ops.card_ctl = cac_card_ctl;
+ 	cac_ops.pin_cmd = cac_pin_cmd;
++	cac_ops.logout = cac_logout;
+ 
+ 	return &cac_drv;
+ }
+--- a/src/libopensc/card-cac1.c
++++ b/src/libopensc/card-cac1.c
+@@ -498,9 +498,6 @@ static int cac_match_card(sc_card_t *car
+ {
+ 	int r;
+ 	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+-	/* Since we send an APDU, the card's logout function may be called...
+-	 * however it may be in dirty memory */
+-	card->ops->logout = NULL;
+ 
+ 	r = cac_find_and_initialize(card, 0);
+ 	return (r == SC_SUCCESS); /* never match */
+@@ -529,6 +526,12 @@ static int cac_init(sc_card_t *card)
+ 	LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
+ }
+ 
++static int cac_logout(sc_card_t *card)
++{
++	int index;
++	return cac_find_first_pki_applet(card, &index);
++}
++
+ static struct sc_card_operations cac_ops;
+ 
+ static struct sc_card_driver cac1_drv = {
+@@ -550,6 +553,7 @@ static struct sc_card_driver * sc_get_dr
+ 
+ 	cac_ops.select_file =  cac_select_file; /* need to record object type */
+ 	cac_ops.read_binary = cac_read_binary;
++	cac_ops.logout = cac_logout;
+ 
+ 	return &cac1_drv;
+ }
+--- a/src/libopensc/card-coolkey.c
++++ b/src/libopensc/card-coolkey.c
+@@ -2264,9 +2264,6 @@ static int coolkey_match_card(sc_card_t
+ 	int r;
+ 
+ 	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+-	/* Since we send an APDU, the card's logout function may be called...
+-	 * however it may be in dirty memory */
+-	card->ops->logout = NULL;
+ 
+ 	r = coolkey_select_applet(card);
+ 	if (r == SC_SUCCESS) {
+--- a/src/libopensc/card-edo.c
++++ b/src/libopensc/card-edo.c
+@@ -302,6 +302,12 @@ static int edo_init(sc_card_t* card) {
+ }
+ 
+ 
++static int edo_logout(sc_card_t* card) {
++	sc_sm_stop(card);
++	return edo_unlock(card);
++}
++
++
+ struct sc_card_driver* sc_get_edo_driver(void) {
+ 	edo_ops = *sc_get_iso7816_driver()->ops;
+ 	edo_ops.match_card = edo_match_card;
+@@ -309,6 +315,7 @@ struct sc_card_driver* sc_get_edo_driver
+ 	edo_ops.select_file = edo_select_file;
+ 	edo_ops.set_security_env = edo_set_security_env;
+ 	edo_ops.compute_signature = edo_compute_signature;
++	edo_ops.logout = edo_logout;
+ 
+ 	return &edo_drv;
+ }
+--- a/src/libopensc/card-epass2003.c
++++ b/src/libopensc/card-epass2003.c
+@@ -3278,6 +3278,23 @@ epass2003_pin_cmd(struct sc_card *card,
+ 	return r;
+ }
+ 
++static int
++epass2003_logout(struct sc_card *card)
++{
++	epass2003_exdata *exdata = NULL;
++
++	if (!card->drv_data) 
++		return SC_ERROR_INVALID_ARGUMENTS;
++
++	exdata = (epass2003_exdata *)card->drv_data;
++	if (exdata->sm) {
++		sc_sm_stop(card);
++		return epass2003_refresh(card);
++	}
++
++	return SC_ERROR_NOT_SUPPORTED;
++}
++
+ static struct sc_card_driver *sc_get_driver(void)
+ {
+ 	struct sc_card_driver *iso_drv = sc_get_iso7816_driver();
+@@ -3307,6 +3324,7 @@ static struct sc_card_driver *sc_get_dri
+ 	epass2003_ops.pin_cmd = epass2003_pin_cmd;
+ 	epass2003_ops.check_sw = epass2003_check_sw;
+ 	epass2003_ops.get_challenge = epass2003_get_challenge;
++	epass2003_ops.logout = epass2003_logout;
+ 	return &epass2003_drv;
+ }
+ 
+--- a/src/libopensc/card-esteid2018.c
++++ b/src/libopensc/card-esteid2018.c
+@@ -306,6 +306,10 @@ static int esteid_finish(sc_card_t *card
+ 	return 0;
+ }
+ 
++static int esteid_logout(sc_card_t *card) {
++	return gp_select_aid(card, &IASECC_AID);
++}
++
+ struct sc_card_driver *sc_get_esteid2018_driver(void) {
+ 	struct sc_card_driver *iso_drv = sc_get_iso7816_driver();
+ 
+@@ -323,6 +327,7 @@ struct sc_card_driver *sc_get_esteid2018
+ 	esteid_ops.set_security_env = esteid_set_security_env;
+ 	esteid_ops.compute_signature = esteid_compute_signature;
+ 	esteid_ops.pin_cmd = esteid_pin_cmd;
++	esteid_ops.logout = esteid_logout;
+ 
+ 	return &esteid2018_driver;
+ }
+--- a/src/libopensc/card-gemsafeV1.c
++++ b/src/libopensc/card-gemsafeV1.c
+@@ -582,6 +582,13 @@ static int gemsafe_card_reader_lock_obta
+ 	LOG_FUNC_RETURN(card->ctx, r);
+ }
+ 
++static int gemsafe_logout(sc_card_t *card)
++{
++	gemsafe_exdata *exdata = (gemsafe_exdata *)card->drv_data;
++
++	return gp_select_applet(card, exdata->aid, exdata->aid_len);
++}
++
+ static struct sc_card_driver *sc_get_driver(void)
+ {
+ 	struct sc_card_driver *iso_drv = sc_get_iso7816_driver();
+@@ -602,6 +609,7 @@ static struct sc_card_driver *sc_get_dri
+ 	gemsafe_ops.process_fci	= gemsafe_process_fci;
+ 	gemsafe_ops.pin_cmd		 = iso_ops->pin_cmd;
+ 	gemsafe_ops.card_reader_lock_obtained = gemsafe_card_reader_lock_obtained;
++	gemsafe_ops.logout = gemsafe_logout;
+ 
+ 	return &gemsafe_drv;
+ }
+--- a/src/libopensc/card-isoApplet.c
++++ b/src/libopensc/card-isoApplet.c
+@@ -1244,6 +1244,13 @@ static int isoApplet_card_reader_lock_ob
+ 	LOG_FUNC_RETURN(card->ctx, r);
+ }
+ 
++static int isoApplet_logout(sc_card_t *card)
++{
++	size_t rlen = SC_MAX_APDU_BUFFER_SIZE;
++	u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
++	return isoApplet_select_applet(card, isoApplet_aid, sizeof(isoApplet_aid), rbuf, &rlen);
++}
++
+ static struct sc_card_driver *sc_get_driver(void)
+ {
+ 	sc_card_driver_t *iso_drv = sc_get_iso7816_driver();
+@@ -1267,6 +1274,7 @@ static struct sc_card_driver *sc_get_dri
+ 	isoApplet_ops.compute_signature = isoApplet_compute_signature;
+ 	isoApplet_ops.get_challenge = isoApplet_get_challenge;
+ 	isoApplet_ops.card_reader_lock_obtained = isoApplet_card_reader_lock_obtained;
++	isoApplet_ops.logout = isoApplet_logout;
+ 
+ 	/* unsupported functions */
+ 	isoApplet_ops.write_binary = NULL;
+--- a/src/libopensc/card-jpki.c
++++ b/src/libopensc/card-jpki.c
+@@ -361,6 +361,11 @@ static int jpki_card_reader_lock_obtaine
+ 	LOG_FUNC_RETURN(card->ctx, r);
+ }
+ 
++static int jpki_logout(sc_card_t *card)
++{
++	return jpki_select_ap(card);
++}
++
+ static struct sc_card_driver *
+ sc_get_driver(void)
+ {
+@@ -375,6 +380,7 @@ sc_get_driver(void)
+ 	jpki_ops.set_security_env = jpki_set_security_env;
+ 	jpki_ops.compute_signature = jpki_compute_signature;
+ 	jpki_ops.card_reader_lock_obtained = jpki_card_reader_lock_obtained;
++	jpki_ops.logout = jpki_logout;
+ 
+ 	return &jpki_drv;
+ }
+--- a/src/libopensc/card-mcrd.c
++++ b/src/libopensc/card-mcrd.c
+@@ -1174,6 +1174,15 @@ static int mcrd_pin_cmd(sc_card_t * card
+ 	SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, iso_ops->pin_cmd(card, data, tries_left));
+ }
+ 
++static int mcrd_logout(sc_card_t * card)
++{
++	if (card->type == SC_CARD_TYPE_MCRD_ESTEID_V30) {
++		return gp_select_aid(card, &EstEID_v35_AID);
++	} else {
++		return SC_ERROR_NOT_SUPPORTED;
++	}
++}
++
+ /* Driver binding */
+ static struct sc_card_driver *sc_get_driver(void)
+ {
+@@ -1190,6 +1199,7 @@ static struct sc_card_driver *sc_get_dri
+ 	mcrd_ops.compute_signature = mcrd_compute_signature;
+ 	mcrd_ops.decipher = mcrd_decipher;
+ 	mcrd_ops.pin_cmd = mcrd_pin_cmd;
++	mcrd_ops.logout = mcrd_logout;
+ 
+ 	return &mcrd_drv;
+ }
+--- a/src/libopensc/card-muscle.c
++++ b/src/libopensc/card-muscle.c
+@@ -81,10 +81,6 @@ static int muscle_match_card(sc_card_t *
+ 	u8 response[64];
+ 	int r;
+ 
+-	/* Since we send an APDU, the card's logout function may be called...
+-	 * however it's not always properly nulled out... */
+-	card->ops->logout = NULL;
+-
+ 	if (msc_select_applet(card, muscleAppletId, sizeof muscleAppletId) == 1) {
+ 		/* Muscle applet is present, check the protocol version to be sure */
+ 		sc_format_apdu(card, &apdu, SC_APDU_CASE_2, 0x3C, 0x00, 0x00);
+@@ -853,6 +849,19 @@ static int muscle_card_reader_lock_obtai
+ 	LOG_FUNC_RETURN(card->ctx, r);
+ }
+ 
++static int muscle_logout(sc_card_t *card)
++{
++	int r = SC_ERROR_NOT_SUPPORTED;
++
++	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
++
++	if (msc_select_applet(card, muscleAppletId, sizeof muscleAppletId) == 1) {
++		r = SC_SUCCESS;
++	}
++
++	LOG_FUNC_RETURN(card->ctx, r);
++}
++
+ 
+ static struct sc_card_driver * sc_get_driver(void)
+ {
+@@ -881,6 +890,7 @@ static struct sc_card_driver * sc_get_dr
+ 	muscle_ops.delete_file = muscle_delete_file;
+ 	muscle_ops.list_files = muscle_list_files;
+ 	muscle_ops.card_reader_lock_obtained = muscle_card_reader_lock_obtained;
++	muscle_ops.logout = muscle_logout;
+ 
+ 	return &muscle_drv;
+ }
+--- a/src/libopensc/card-piv.c
++++ b/src/libopensc/card-piv.c
+@@ -2183,11 +2183,11 @@ static int piv_is_object_present(sc_card
+  * or the global pin for the card 0x00. Look at Discovery object to get this.
+  * called by pkcs15-piv.c  via cardctl when setting up the pins.
+  */
+-static int piv_get_pin_preference(sc_card_t *card, int *ptr)
++static int piv_get_pin_preference(sc_card_t *card, int *pin_ref)
+ {
+ 	piv_private_data_t * priv = PIV_DATA(card);
+ 
+-	*ptr = priv->pin_preference;
++	*pin_ref = priv->pin_preference;
+ 	LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
+ }
+ 
+@@ -3082,10 +3082,6 @@ static int piv_match_card_continued(sc_c
+ 	piv_private_data_t *priv = NULL;
+ 	int saved_type = card->type;
+ 
+-	/* Since we send an APDU, the card's logout function may be called...
+-	 * however it may be in dirty memory */
+-	card->ops->logout = NULL;
+-
+ 	/* piv_match_card may be called with card->type, set by opensc.conf */
+ 	/* user provide card type must be one we know */
+ 	switch (card->type) {
+@@ -3747,12 +3743,18 @@ piv_pin_cmd(sc_card_t *card, struct sc_p
+ 
+ static int piv_logout(sc_card_t *card)
+ {
+-	int r = SC_ERROR_NOT_SUPPORTED; /* TODO Some PIV cards may support a logout */
+-	/* piv_private_data_t * priv = PIV_DATA(card); */
++	int r = SC_ERROR_NOT_SUPPORTED;
++	piv_private_data_t * priv = PIV_DATA(card);
+ 
+ 	LOG_FUNC_CALLED(card->ctx);
+ 
+-	/* TODO 800-73-3 does not define a logout, 800-73-4 does */
++	if (priv) {
++		/* logout defined since 800-73-4 */
++		r = iso7816_logout(card, priv->pin_preference);
++		if (r == SC_SUCCESS) {
++			priv->logged_in = SC_PIN_STATE_LOGGED_OUT;
++		}
++	}
+ 
+ 	LOG_FUNC_RETURN(card->ctx, r);
+ }
+--- a/src/libopensc/card-westcos.c
++++ b/src/libopensc/card-westcos.c
+@@ -166,6 +166,26 @@ static int westcos_finish(sc_card_t * ca
+ 	return 0;
+ }
+ 
++static int select_westcos_applet(sc_card_t *card)
++{
++	int r;
++	sc_apdu_t apdu;
++	u8 aid[] = {
++		0xA0, 0x00, 0xCE, 0x00, 0x07, 0x01
++	};
++	sc_format_apdu(card, &apdu,
++			SC_APDU_CASE_3_SHORT, 0xA4, 0x04,
++			0);
++	apdu.cla = 0x00;
++	apdu.lc = sizeof(aid);
++	apdu.datalen = sizeof(aid);
++	apdu.data = aid;
++	r = sc_transmit_apdu(card, &apdu);
++	if (r)
++		return r;
++	return sc_check_sw(card, apdu.sw1, apdu.sw2);
++}
++
+ static int westcos_match_card(sc_card_t * card)
+ {
+ 	int i;
+@@ -176,23 +196,7 @@ static int westcos_match_card(sc_card_t
+ 	
+ 	/* JAVACARD, look for westcos applet */
+ 	if (i == 1) { 
+-		int r;
+-		sc_apdu_t apdu;
+-		u8 aid[] = {
+-			0xA0, 0x00, 0xCE, 0x00, 0x07, 0x01
+-		};
+-		sc_format_apdu(card, &apdu,
+-				SC_APDU_CASE_3_SHORT, 0xA4, 0x04,
+-				0);
+-		apdu.cla = 0x00;
+-		apdu.lc = sizeof(aid);
+-		apdu.datalen = sizeof(aid);
+-		apdu.data = aid;
+-		r = sc_transmit_apdu(card, &apdu);
+-		if (r)
+-			return 0;
+-		r = sc_check_sw(card, apdu.sw1, apdu.sw2);
+-		if (r)
++		if (select_westcos_applet(card))
+ 			return 0;
+ 	}
+ 	
+@@ -1257,6 +1261,11 @@ static int westcos_decipher(sc_card_t *c
+ 	return westcos_sign_decipher(1, card, crgram, crgram_len, out, outlen);
+ }
+ 
++static int westcos_logout(sc_card_t *card)
++{
++	return select_westcos_applet(card);
++}
++
+ struct sc_card_driver *sc_get_westcos_driver(void)
+ {
+ 	if (iso_ops == NULL)
+@@ -1288,6 +1297,7 @@ struct sc_card_driver *sc_get_westcos_dr
+ 	westcos_ops.process_fci = westcos_process_fci;
+ 	westcos_ops.construct_fci = NULL;
+ 	westcos_ops.pin_cmd = westcos_pin_cmd;
++	westcos_ops.logout = westcos_logout;
+ 
+ 	return &westcos_drv;
+ }

0007-opensc-CVE-2023-40661-1of12.patch

@@ -0,0 +1,23 @@
+From 578aed8391ef117ca64a9e0cba8e5c264368a0ec Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Thu, 8 Dec 2022 00:27:18 +0100
+Subject: [PATCH] sc_pkcs15init_rmdir: prevent out of bounds write
+
+fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53927
+---
+ src/pkcs15init/pkcs15-lib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c
+index 91cee37310..3df03c6e1f 100644
+--- a/src/pkcs15init/pkcs15-lib.c
++++ b/src/pkcs15init/pkcs15-lib.c
+@@ -685,6 +685,8 @@ sc_pkcs15init_rmdir(struct sc_pkcs15_card *p15card, struct sc_profile *profile,
+ 
+ 		path = df->path;
+ 		path.len += 2;
++		if (path.len > SC_MAX_PATH_SIZE)
++			return SC_ERROR_INTERNAL;
+ 
+ 		nfids = r / 2;
+ 		while (r >= 0 && nfids--) {

0008-opensc-CVE-2023-40661-2of12.patch

@@ -0,0 +1,25 @@
+From df5a176bfdf8c52ba89c7fef1f82f6f3b9312bc1 Mon Sep 17 00:00:00 2001
+From: Veronika Hanulikova <xhanulik@fi.muni.cz>
+Date: Fri, 10 Feb 2023 11:47:34 +0100
+Subject: [PATCH] Check array bounds
+
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54312
+---
+ src/libopensc/muscle.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/libopensc/muscle.c b/src/libopensc/muscle.c
+index 61a4ec24d8..9d01e0c113 100644
+--- a/src/libopensc/muscle.c
++++ b/src/libopensc/muscle.c
+@@ -181,6 +181,9 @@ int msc_partial_update_object(sc_card_t *card, msc_id objectId, int offset, cons
+ 	sc_apdu_t apdu;
+ 	int r;
+ 
++	if (dataLength + 9 > MSC_MAX_APDU)
++		return SC_ERROR_INVALID_ARGUMENTS;
++
+ 	sc_format_apdu(card, &apdu, SC_APDU_CASE_3_SHORT, 0x54, 0x00, 0x00);
+ 	apdu.lc = dataLength + 9;
+ 	if (card->ctx->debug >= 2)

0009-opensc-CVE-2023-40661-3of12.patch

@@ -0,0 +1,37 @@
+From 5631e9843c832a99769def85b7b9b68b4e3e3959 Mon Sep 17 00:00:00 2001
+From: Veronika Hanulikova <xhanulik@fi.muni.cz>
+Date: Fri, 3 Mar 2023 16:07:38 +0100
+Subject: [PATCH] Check length of string before making copy
+
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55851
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55998
+---
+ src/pkcs15init/profile.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/pkcs15init/profile.c b/src/pkcs15init/profile.c
+index 2b793b0282..3bad1e8536 100644
+--- a/src/pkcs15init/profile.c
++++ b/src/pkcs15init/profile.c
+@@ -1575,7 +1575,10 @@ do_acl(struct state *cur, int argc, char **argv)
+ 	while (argc--) {
+ 		unsigned int	op, method, id;
+ 
++		if (strlen(*argv) >= sizeof(oper))
++			goto bad;
+ 		strlcpy(oper, *argv++, sizeof(oper));
++
+ 		if ((what = strchr(oper, '=')) == NULL)
+ 			goto bad;
+ 		*what++ = '\0';
+@@ -2288,6 +2291,9 @@ get_authid(struct state *cur, const char *value,
+ 		return get_uint(cur, value, type);
+ 	}
+ 
++	if (strlen(value) >= sizeof(temp))
++		return 1;
++
+ 	n = strcspn(value, "0123456789x");
+ 	strlcpy(temp, value, (sizeof(temp) > n) ? n + 1 : sizeof(temp));
+ 

0010-opensc-CVE-2023-40661-4of12.patch

@@ -0,0 +1,396 @@
+From aadd82bb071e574fc57263a103e3bf06ebbd8de7 Mon Sep 17 00:00:00 2001
+From: "Ingo Struck (git commits)" <gitlab@ingostruck.de>
+Date: Sat, 21 Jan 2023 22:15:10 +0100
+Subject: [PATCH] Handle reader limits for SC Card unwrap operations
+
+Fixes #2514
+---
+ src/libopensc/card-sc-hsm.c            | 181 ++++++++++++++-----------
+ src/libopensc/reader-pcsc.c            |  91 ++++++++-----
+ src/tests/fuzzing/fuzz_pkcs15_decode.c |   3 +-
+ src/tests/fuzzing/fuzz_pkcs15_encode.c |   2 +-
+ 4 files changed, 159 insertions(+), 118 deletions(-)
+
+diff --git a/src/libopensc/card-sc-hsm.c b/src/libopensc/card-sc-hsm.c
+index 60d5895127..1b707f08df 100644
+--- a/src/libopensc/card-sc-hsm.c
++++ b/src/libopensc/card-sc-hsm.c
+@@ -145,9 +145,7 @@ static int sc_hsm_select_file_ex(sc_card_t *card,
+ 
+ 	if (file_out == NULL) {				// Versions before 0.16 of the SmartCard-HSM do not support P2='0C'
+ 		rv = sc_hsm_select_file_ex(card, in_path, forceselect, &file);
+-		if (file != NULL) {
+-			sc_file_free(file);
+-		}
++		sc_file_free(file);
+ 		return rv;
+ 	}
+ 
+@@ -181,9 +179,7 @@ static int sc_hsm_select_file_ex(sc_card_t *card,
+ 			LOG_TEST_RET(card->ctx, rv, "Could not select SmartCard-HSM application");
+ 
+ 			if (priv) {
+-				if (priv->dffcp != NULL) {
+-					sc_file_free(priv->dffcp);
+-				}
++				sc_file_free(priv->dffcp);
+ 				// Cache the FCP returned when selecting the applet
+ 				sc_file_dup(&priv->dffcp, *file_out);
+ 			}
+@@ -730,12 +726,12 @@ static int sc_hsm_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data,
+ 			u8 recvbuf[SC_MAX_APDU_BUFFER_SIZE];
+ #ifdef ENABLE_SM
+ 			if (card->sm_ctx.sm_mode != SM_MODE_TRANSMIT) {
+-				sc_log(card->ctx, 
++				sc_log(card->ctx,
+ 						"Session PIN generation only supported in SM");
+ 				LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
+ 			}
+ #else
+-			sc_log(card->ctx, 
++			sc_log(card->ctx,
+ 					"Session PIN generation only supported in SM");
+ 			LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
+ #endif
+@@ -746,7 +742,7 @@ static int sc_hsm_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data,
+ 			apdu.le = 0;
+ 			if (sc_transmit_apdu(card, &apdu) != SC_SUCCESS
+ 					|| sc_check_sw(card, apdu.sw1, apdu.sw2) != SC_SUCCESS) {
+-				sc_log(card->ctx, 
++				sc_log(card->ctx,
+ 						"Generating session PIN failed");
+ 				LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
+ 			}
+@@ -756,12 +752,12 @@ static int sc_hsm_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data,
+ 							apdu.resplen);
+ 					data->pin2.len = apdu.resplen;
+ 				} else {
+-					sc_log(card->ctx, 
++					sc_log(card->ctx,
+ 							"Buffer too small for session PIN");
+ 				}
+ 			}
+ 		} else {
+-			sc_log(card->ctx, 
++			sc_log(card->ctx,
+ 					"Session PIN not supported for this PIN (0x%02X)",
+ 					data->pin_reference);
+ 		}
+@@ -848,47 +844,61 @@ static int sc_hsm_write_ef(sc_card_t *card,
+ 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
+ 	}
+ 
+-	p = cmdbuff;
+-	*p++ = 0x54;
+-	*p++ = 0x02;
+-	*p++ = (idx >> 8) & 0xFF;
+-	*p++ = idx & 0xFF;
+-	*p++ = 0x53;
+-	if (count < 128) {
+-		*p++ = (u8) count;
+-		len = 6;
+-	} else if (count < 256) {
+-		*p++ = 0x81;
+-		*p++ = (u8) count;
+-		len = 7;
+-	} else {
+-		*p++ = 0x82;
+-		*p++ = (count >> 8) & 0xFF;
+-		*p++ = count & 0xFF;
+-		len = 8;
+-	}
++	size_t bytes_left = count;
++	// 8 bytes are required for T54(4) and T53(4)
++	size_t blk_size = card->max_send_size - 8;
++	size_t to_send = 0;
++	size_t offset = (size_t) idx;
++	do {
++		len = 0;
++		to_send = bytes_left >= blk_size ? blk_size : bytes_left;
++		p = cmdbuff;
++		// ASN1 0x54 offset
++		*p++ = 0x54;
++		*p++ = 0x02;
++		*p++ = (offset >> 8) & 0xFF;
++		*p++ = offset & 0xFF;
++		// ASN1 0x53 to_send
++		*p++ = 0x53;
++		if (to_send < 128) {
++			*p++ = (u8)to_send;
++			len = 6;
++		} else if (to_send < 256) {
++			*p++ = 0x81;
++			*p++ = (u8)to_send;
++			len = 7;
++		} else {
++			*p++ = 0x82;
++			*p++ = (to_send >> 8) & 0xFF;
++			*p++ = to_send & 0xFF;
++			len = 8;
++		}
+ 
+-	if (buf != NULL)
+-		memcpy(p, buf, count);
+-	len += count;
++		if (buf != NULL)
++			memcpy(p, buf+offset, to_send);
++		len += to_send;
+ 
+-	sc_format_apdu(card, &apdu, SC_APDU_CASE_3, 0xD7, fid >> 8, fid & 0xFF);
+-	apdu.data = cmdbuff;
+-	apdu.datalen = len;
+-	apdu.lc = len;
++		sc_format_apdu(card, &apdu, SC_APDU_CASE_3, 0xD7, fid >> 8, fid & 0xFF);
++		apdu.data = cmdbuff;
++		apdu.datalen = len;
++		apdu.lc = len;
+ 
+-	r = sc_transmit_apdu(card, &apdu);
+-	free(cmdbuff);
+-	LOG_TEST_RET(ctx, r, "APDU transmit failed");
++		r = sc_transmit_apdu(card, &apdu);
++		LOG_TEST_GOTO_ERR(ctx, r, "APDU transmit failed");
++		r = sc_check_sw(card, apdu.sw1, apdu.sw2);
++		LOG_TEST_GOTO_ERR(ctx, r, "Check SW error");
+ 
+-	r =  sc_check_sw(card, apdu.sw1, apdu.sw2);
+-	LOG_TEST_RET(ctx, r, "Check SW error");
++		bytes_left -= to_send;
++		offset += to_send;
++	} while (0 < bytes_left);
++
++err:
++	free(cmdbuff);
+ 
+ 	LOG_FUNC_RETURN(ctx, count);
+ }
+ 
+ 
+-
+ static int sc_hsm_update_binary(sc_card_t *card,
+ 			       unsigned int idx, const u8 *buf, size_t count,
+ 			       unsigned long flags)
+@@ -1227,7 +1237,7 @@ static int sc_hsm_initialize(sc_card_t *card, sc_cardctl_sc_hsm_init_param_t *pa
+ 		return SC_ERROR_INVALID_ARGUMENTS;
+ 	}
+ 	*p++ = 0x81;	// User PIN
+-	*p++ = (u8) params->user_pin_len;
++	*p++ = (u8)params->user_pin_len;
+ 	memcpy(p, params->user_pin, params->user_pin_len);
+ 	p += params->user_pin_len;
+ 
+@@ -1400,12 +1410,11 @@ static int sc_hsm_unwrap_key(sc_card_t *card, sc_cardctl_sc_hsm_wrapped_key_t *p
+ 
+ 	LOG_FUNC_CALLED(card->ctx);
+ 
+-	sc_format_apdu(card, &apdu, SC_APDU_CASE_3_EXT, 0x74, params->key_id, 0x93);
+-	apdu.cla = 0x80;
+-	apdu.lc = params->wrapped_key_length;
+-	apdu.data = params->wrapped_key;
+-	apdu.datalen = params->wrapped_key_length;
++	r = sc_hsm_write_ef(card, 0x2F10, 0, params->wrapped_key, params->wrapped_key_length);
++	LOG_TEST_RET(card->ctx, r, "Create EF failed");
+ 
++	sc_format_apdu(card, &apdu, SC_APDU_CASE_1, 0x74, params->key_id, 0x93);
++	apdu.cla = 0x80;
+ 	r = sc_transmit_apdu(card, &apdu);
+ 	LOG_TEST_RET(ctx, r, "APDU transmit failed");
+ 
+@@ -1765,17 +1774,10 @@ static int sc_hsm_init(struct sc_card *card)
+ 	int flags,ext_flags;
+ 	sc_file_t *file = NULL;
+ 	sc_path_t path;
+-	sc_hsm_private_data_t *priv = card->drv_data;
++	sc_hsm_private_data_t *priv = NULL;
+ 
+ 	LOG_FUNC_CALLED(card->ctx);
+ 
+-	if (!priv) {
+-		priv = calloc(1, sizeof(sc_hsm_private_data_t));
+-		if (!priv)
+-			LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
+-		card->drv_data = priv;
+-	}
+-
+ 	flags = SC_ALGORITHM_RSA_RAW|SC_ALGORITHM_RSA_PAD_PSS|SC_ALGORITHM_ONBOARD_KEY_GEN;
+ 
+ 	_sc_card_add_rsa_alg(card, 1024, flags, 0);
+@@ -1807,6 +1809,46 @@ static int sc_hsm_init(struct sc_card *card)
+ 
+ 	card->caps |= SC_CARD_CAP_RNG|SC_CARD_CAP_APDU_EXT|SC_CARD_CAP_ISO7816_PIN_INFO;
+ 
++	// APDU Buffer limits
++	//   JCOP 2.4.1r3           1462
++	//   JCOP 2.4.2r3           1454
++	//   JCOP 3                 1232
++	//   MicroSD with JCOP 3    478 / 506 - handled in reader-pcsc.c
++	//   Reiner SCT             1014 - handled in reader-pcsc.c
++
++	// Use JCOP 3 card limits for sending
++	card->max_send_size = 1232;
++	// Assume that card supports sending with extended length APDU and without limit
++	card->max_recv_size = 0;
++
++	if (card->type == SC_CARD_TYPE_SC_HSM_SOC
++			|| card->type == SC_CARD_TYPE_SC_HSM_GOID) {
++		card->max_recv_size = 0x0630;	// SoC Proxy forces this limit
++	} else {
++		// Adjust to the limits set by the reader
++		if (card->reader->max_send_size < card->max_send_size) {
++			if (18 >= card->reader->max_send_size)
++				LOG_FUNC_RETURN(card->ctx, SC_ERROR_INCONSISTENT_CONFIGURATION);
++
++			// 17 byte header and TLV because of odd ins in UPDATE BINARY
++			card->max_send_size = card->reader->max_send_size - 17;
++		}
++
++		if (0 < card->reader->max_recv_size) {
++			if (3 >= card->reader->max_recv_size)
++				LOG_FUNC_RETURN(card->ctx, SC_ERROR_INCONSISTENT_CONFIGURATION);
++			card->max_recv_size = card->reader->max_recv_size - 2;
++		}
++	}
++
++	priv = card->drv_data;
++	if (!priv) {
++		priv = calloc(1, sizeof(sc_hsm_private_data_t));
++		if (!priv)
++			LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
++		card->drv_data = priv;
++	}
++
+ 	sc_path_set(&path, SC_PATH_TYPE_DF_NAME, sc_hsm_aid.value, sc_hsm_aid.len, 0, 0);
+ 	if (sc_hsm_select_file_ex(card, &path, 0, &file) == SC_SUCCESS
+ 			&& file && file->prop_attr && file->prop_attr_len >= 2) {
+@@ -1839,25 +1881,6 @@ static int sc_hsm_init(struct sc_card *card)
+ 	}
+ 	sc_file_free(file);
+ 
+-	// APDU Buffer limits
+-	//   JCOP 2.4.1r3           1462
+-	//   JCOP 2.4.2r3           1454
+-	//   JCOP 3                 1232
+-	//   MicroSD with JCOP 3    478 / 506
+-	//   Reiner SCT             1014
+-
+-	card->max_send_size = 1232 - 17;	// 1232 buffer size - 17 byte header and TLV because of odd ins in UPDATE BINARY
+-
+-	if (!strncmp("Secure Flash Card", card->reader->name, 17)) {
+-		card->max_send_size = 478 - 17;
+-		card->max_recv_size = 506 - 2;
+-	} else if (card->type == SC_CARD_TYPE_SC_HSM_SOC
+-			|| card->type == SC_CARD_TYPE_SC_HSM_GOID) {
+-		card->max_recv_size = 0x0630;	// SoC Proxy forces this limit
+-	} else {
+-		card->max_recv_size = 0;		// Card supports sending with extended length APDU and without limit
+-	}
+-
+ 	priv->EF_C_DevAut = NULL;
+ 	priv->EF_C_DevAut_len = 0;
+ 
+@@ -1883,13 +1906,11 @@ static int sc_hsm_finish(sc_card_t * card)
+ #ifdef ENABLE_SM
+ 	sc_sm_stop(card);
+ #endif
+-	if (priv->serialno) {
++	if (priv) {
+ 		free(priv->serialno);
+-	}
+-	if (priv->dffcp) {
+ 		sc_file_free(priv->dffcp);
++		free(priv->EF_C_DevAut);
+ 	}
+-	free(priv->EF_C_DevAut);
+ 	free(priv);
+ 
+ 	return SC_SUCCESS;
+diff --git a/src/libopensc/reader-pcsc.c b/src/libopensc/reader-pcsc.c
+index 40bfd293d3..04d5ac8fdd 100644
+--- a/src/libopensc/reader-pcsc.c
++++ b/src/libopensc/reader-pcsc.c
+@@ -311,7 +311,7 @@ static int pcsc_transmit(sc_reader_t *reader, sc_apdu_t *apdu)
+ 	 * The buffer for the returned data needs to be at least 2 bytes
+ 	 * larger than the expected data length to store SW1 and SW2. */
+ 	rsize = rbuflen = apdu->resplen <= 256 ? 258 : apdu->resplen + 2;
+-	rbuf     = malloc(rbuflen);
++	rbuf = malloc(rbuflen);
+ 	if (rbuf == NULL) {
+ 		r = SC_ERROR_OUT_OF_MEMORY;
+ 		goto out;
+@@ -424,7 +424,7 @@ static int refresh_attributes(sc_reader_t *reader)
+ 		if (priv->reader_state.cbAtr > SC_MAX_ATR_SIZE)
+ 			return SC_ERROR_INTERNAL;
+ 
+-		/* Some cards have a different cold (after a powerup) and warm (after a reset) ATR  */
++		/* Some cards have a different cold (after a powerup) and warm (after a reset) ATR */
+ 		if (memcmp(priv->reader_state.rgbAtr, reader->atr.value, priv->reader_state.cbAtr) != 0) {
+ 			reader->atr.len = priv->reader_state.cbAtr;
+ 			memcpy(reader->atr.value, priv->reader_state.rgbAtr, reader->atr.len);
+@@ -556,7 +556,7 @@ static int pcsc_reconnect(sc_reader_t * reader, DWORD action)
+ 			priv->gpriv->connect_exclusive ? SCARD_SHARE_EXCLUSIVE : SCARD_SHARE_SHARED,
+ 			protocol, action, &active_proto);
+ 
+-	
++
+ 	PCSC_TRACE(reader, "SCardReconnect returned", rv);
+ 	if (rv != SCARD_S_SUCCESS) {
+ 		PCSC_TRACE(reader, "SCardReconnect failed", rv);
+@@ -593,7 +593,7 @@ static void initialize_uid(sc_reader_t *reader)
+ 			sc_log_hex(reader->ctx, "UID",
+ 					reader->uid.value, reader->uid.len);
+ 		} else {
+-			sc_log(reader->ctx,  "unable to get UID");
++			sc_log(reader->ctx, "unable to get UID");
+ 		}
+ 	}
+ }
+@@ -1240,11 +1240,11 @@ static void detect_reader_features(sc_reader_t *reader, SCARDHANDLE card_handle)
+ 					sc_log(ctx, "Reader has a display: %04X", caps->wLcdLayout);
+ 					reader->capabilities |= SC_READER_CAP_DISPLAY;
+ 				}
+-				else   {
++				else {
+ 					sc_log(ctx, "Reader does not have a display.");
+ 				}
+ 			}
+-			else   {
++			else {
+ 				sc_log(ctx,
+ 						"Returned PIN properties structure has bad length (%lu/%"SC_FORMAT_LEN_SIZE_T"u)",
+ 						(unsigned long)rcount,
+@@ -1304,7 +1325,7 @@ static void detect_reader_features(sc_reader_t *reader, SCARDHANDLE card_handle)
+ 		}
+ 
+ 		rcount = sizeof i;
+-		if(gpriv->SCardGetAttrib(card_handle, SCARD_ATTR_VENDOR_IFD_VERSION,
++		if (gpriv->SCardGetAttrib(card_handle, SCARD_ATTR_VENDOR_IFD_VERSION,
+ 					(u8 *) &i, &rcount) == SCARD_S_SUCCESS
+ 				&& rcount == sizeof i) {
+ 			reader->version_major = (i >> 24) & 0xFF;
+@@ -1314,7 +1335,7 @@ static void detect_reader_features(sc_reader_t *reader, SCARDHANDLE card_handle)
+ }
+ 
+ int pcsc_add_reader(sc_context_t *ctx,
+-	   	char *reader_name, size_t reader_name_len,
++		char *reader_name, size_t reader_name_len,
+ 		sc_reader_t **out_reader)
+ {
+ 	int ret = SC_ERROR_INTERNAL;
+@@ -1574,7 +1595,7 @@ static int pcsc_wait_for_event(sc_context_t *ctx, unsigned int event_mask, sc_re
+ 
+ 	LOG_FUNC_CALLED(ctx);
+ 
+-	if (!event_reader && !event && reader_states)   {
++	if (!event_reader && !event && reader_states) {
+ 		sc_log(ctx, "free allocated reader states");
+ 		free(*reader_states);
+ 		*reader_states = NULL;
+@@ -1958,7 +1979,7 @@ static int part10_build_modify_pin_block(struct sc_reader *reader, u8 * buf, siz
+ 	sc_apdu_t *apdu = data->apdu;
+ 	u8 tmp;
+ 	unsigned int tmp16;
+-	PIN_MODIFY_STRUCTURE *pin_modify  = (PIN_MODIFY_STRUCTURE *)buf;
++	PIN_MODIFY_STRUCTURE *pin_modify = (PIN_MODIFY_STRUCTURE *)buf;
+ 	struct sc_pin_cmd_pin *pin_ref =
+ 		data->flags & SC_PIN_CMD_IMPLICIT_CHANGE ?
+ 		&data->pin2 : &data->pin1;

0011-opensc-CVE-2023-40661-5of12.patch

@@ -0,0 +1,61 @@
+From dd138d0600a1acd7991989127f36827e5836b24e Mon Sep 17 00:00:00 2001
+From: "Ingo Struck (git commits)" <gitlab@ingostruck.de>
+Date: Thu, 16 Mar 2023 22:12:49 +0100
+Subject: [PATCH] Fixed loop in sc_hsm_write_ef, handle offset into buf and
+ into EF separately
+
+---
+ src/libopensc/card-sc-hsm.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/src/libopensc/card-sc-hsm.c b/src/libopensc/card-sc-hsm.c
+index 1b707f08df..c100a87c2a 100644
+--- a/src/libopensc/card-sc-hsm.c
++++ b/src/libopensc/card-sc-hsm.c
+@@ -782,7 +782,7 @@ static int sc_hsm_logout(sc_card_t * card)
+ }
+ 
+ 
+-
++/* NOTE: idx is an offset into the card's file, not into buf */
+ static int sc_hsm_read_binary(sc_card_t *card,
+ 			       unsigned int idx, u8 *buf, size_t count,
+ 			       unsigned long flags)
+@@ -823,7 +823,7 @@ static int sc_hsm_read_binary(sc_card_t *card,
+ }
+ 
+ 
+-
++/* NOTE: idx is an offset into the card's file, not into buf */
+ static int sc_hsm_write_ef(sc_card_t *card,
+ 			       int fid,
+ 			       unsigned int idx, const u8 *buf, size_t count)
+@@ -848,7 +848,8 @@ static int sc_hsm_write_ef(sc_card_t *card,
+ 	// 8 bytes are required for T54(4) and T53(4)
+ 	size_t blk_size = card->max_send_size - 8;
+ 	size_t to_send = 0;
+-	size_t offset = (size_t) idx;
++	size_t file_offset = (size_t) idx;
++	size_t offset = 0;
+ 	do {
+ 		len = 0;
+ 		to_send = bytes_left >= blk_size ? blk_size : bytes_left;
+@@ -856,8 +857,8 @@ static int sc_hsm_write_ef(sc_card_t *card,
+ 		// ASN1 0x54 offset
+ 		*p++ = 0x54;
+ 		*p++ = 0x02;
+-		*p++ = (offset >> 8) & 0xFF;
+-		*p++ = offset & 0xFF;
++		*p++ = (file_offset >> 8) & 0xFF;
++		*p++ = file_offset & 0xFF;
+ 		// ASN1 0x53 to_send
+ 		*p++ = 0x53;
+ 		if (to_send < 128) {
+@@ -890,6 +891,7 @@ static int sc_hsm_write_ef(sc_card_t *card,
+ 
+ 		bytes_left -= to_send;
+ 		offset += to_send;
++		file_offset += to_send;
+ 	} while (0 < bytes_left);
+ 
+ err:

0012-opensc-CVE-2023-40661-6of12.patch

@@ -0,0 +1,25 @@
+From c449a181a6988cc1e8dc8764d23574e48cdc3fa6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Mon, 19 Jun 2023 16:14:51 +0200
+Subject: [PATCH] pkcs15-cflex: check path length to prevent underflow
+
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58932
+---
+ src/pkcs15init/pkcs15-cflex.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/pkcs15init/pkcs15-cflex.c b/src/pkcs15init/pkcs15-cflex.c
+index d06568073d..ce1d48e62c 100644
+--- a/src/pkcs15init/pkcs15-cflex.c
++++ b/src/pkcs15init/pkcs15-cflex.c
+@@ -56,6 +56,9 @@ cflex_delete_file(sc_profile_t *profile, sc_pkcs15_card_t *p15card, sc_file_t *d
+         int             r = 0;
+         /* Select the parent DF */
+         path = df->path;
++		if (path.len < 2) {
++			return SC_ERROR_INVALID_ARGUMENTS;
++		}
+         path.len -= 2;
+         r = sc_select_file(p15card->card, &path, &parent);
+         if (r < 0)

0013-opensc-CVE-2023-40661-7of12.patch

@@ -0,0 +1,27 @@
+From 88880db0307a07e33cf2e1592bb029e9c170dfea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Wed, 21 Jun 2023 15:48:27 +0200
+Subject: [PATCH] pkcs15-pubkey: free DER value when parsing public key fails
+
+The der value might be allocated in asn1_decode_entry()
+but it is not released when errror occurs.
+
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59615
+---
+ src/libopensc/pkcs15-pubkey.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libopensc/pkcs15-pubkey.c b/src/libopensc/pkcs15-pubkey.c
+index 4a0ddffbeb..7107c47cbc 100644
+--- a/src/libopensc/pkcs15-pubkey.c
++++ b/src/libopensc/pkcs15-pubkey.c
+@@ -351,6 +351,8 @@ int sc_pkcs15_decode_pukdf_entry(struct sc_pkcs15_card *p15card,
+ err:
+ 	if (r < 0) {
+ 		sc_pkcs15_free_pubkey_info(info);
++		if (der->len)
++			free(der->value);
+ 	}
+ 
+ 	LOG_FUNC_RETURN(ctx, r);

0014-opensc-CVE-2023-40661-8of12.patch

@@ -0,0 +1,29 @@
+From 638a5007a5d240d6fa901aa822cfeef94fe36e85 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Thu, 10 Aug 2023 12:20:33 +0200
+Subject: [PATCH] pkcs15-pubkey.c: Avoid double-free
+
+Thanks OSS-Fuzz
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60616
+---
+ src/libopensc/pkcs15-pubkey.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/libopensc/pkcs15-pubkey.c b/src/libopensc/pkcs15-pubkey.c
+index 7107c47cbc..49b514968b 100644
+--- a/src/libopensc/pkcs15-pubkey.c
++++ b/src/libopensc/pkcs15-pubkey.c
+@@ -351,8 +351,12 @@ int sc_pkcs15_decode_pukdf_entry(struct sc_pkcs15_card *p15card,
+ err:
+ 	if (r < 0) {
+ 		sc_pkcs15_free_pubkey_info(info);
+-		if (der->len)
++		if (der->len) {
+ 			free(der->value);
++			/* der points to obj->content */
++			obj->content.value = NULL;
++			obj->content.len = 0;
++		}
+ 	}
+ 
+ 	LOG_FUNC_RETURN(ctx, r);

0015-opensc-CVE-2023-40661-9of12.patch

@@ -0,0 +1,27 @@
+From ce7fcdaa35196706a83fe982900228e15464f928 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 17 Aug 2023 11:55:06 +0200
+Subject: [PATCH] oberthur: Avoid heap buffer overflow
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650
+---
+ src/pkcs15init/pkcs15-oberthur.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/pkcs15init/pkcs15-oberthur.c b/src/pkcs15init/pkcs15-oberthur.c
+index 377e28948e..b20bd6e6c4 100644
+--- a/src/pkcs15init/pkcs15-oberthur.c
++++ b/src/pkcs15init/pkcs15-oberthur.c
+@@ -531,7 +531,9 @@ cosm_new_file(struct sc_profile *profile, struct sc_card *card,
+ 	}
+ 
+ 	file->id |= (num & 0xFF);
+-	file->path.value[file->path.len-1] |= (num & 0xFF);
++	if (file->path.len) {
++		file->path.value[file->path.len - 1] |= (num & 0xFF);
++	}
+ 	if (file->type == SC_FILE_TYPE_INTERNAL_EF)   {
+ 		file->ef_structure = structure;
+ 	}

0016-opensc-CVE-2023-40661-10of12.patch

@@ -0,0 +1,25 @@
+From 440ca666eff10cc7011901252d20f3fc4ea23651 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 17 Aug 2023 13:41:36 +0200
+Subject: [PATCH] setcos: Avoid buffer underflow
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60672
+---
+ src/pkcs15init/pkcs15-setcos.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/src/pkcs15init/pkcs15-setcos.c
++++ b/src/pkcs15init/pkcs15-setcos.c
+@@ -349,6 +349,10 @@ setcos_create_key(sc_profile_t *profile,
+ 
+ 	/* Replace the path of instantiated key template by the path from the object data. */
+         memcpy(&file->path, &key_info->path, sizeof(file->path));
++	if (file->path.len < 2) {
++		sc_file_free(file);
++		LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Invalid path");
++	}
+         file->id = file->path.value[file->path.len - 2] * 0x100
+ 		+ file->path.value[file->path.len - 1];
+ 

0017-opensc-CVE-2023-40661-11of12.patch

@@ -0,0 +1,38 @@
+From 245efe608d083fd4e4ec96793fdefd218e26fde7 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 17 Aug 2023 13:54:42 +0200
+Subject: [PATCH] pkcs15: Avoid buffer overflow when getting last update
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60769
+---
+ src/libopensc/pkcs15.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/src/libopensc/pkcs15.c
++++ b/src/libopensc/pkcs15.c
+@@ -528,7 +528,7 @@ sc_pkcs15_get_lastupdate(struct sc_pkcs1
+ 	struct sc_context *ctx  = p15card->card->ctx;
+ 	struct sc_file *file = NULL;
+ 	struct sc_asn1_entry asn1_last_update[C_ASN1_LAST_UPDATE_SIZE];
+-	unsigned char *content, last_update[32];
++	unsigned char *content, last_update[32] = {0};
+ 	size_t lupdate_len = sizeof(last_update) - 1;
+ 	int r, content_len;
+ 	size_t size;
+@@ -564,9 +564,11 @@ sc_pkcs15_get_lastupdate(struct sc_pkcs1
+ 	if (r < 0)
+ 		return NULL;
+ 
+-	p15card->tokeninfo->last_update.gtime = strdup((char *)last_update);
+-	if (!p15card->tokeninfo->last_update.gtime)
+-		return NULL;
++	if (asn1_last_update[0].flags & SC_ASN1_PRESENT) {
++		p15card->tokeninfo->last_update.gtime = strdup((char *)last_update);
++		if (!p15card->tokeninfo->last_update.gtime)
++			return NULL;
++	}
+ done:
+ 	sc_log(ctx, "lastUpdate.gtime '%s'", p15card->tokeninfo->last_update.gtime);
+ 	return p15card->tokeninfo->last_update.gtime;

0018-opensc-CVE-2023-40661-12of12.patch

@@ -0,0 +1,26 @@
+From 41d61da8481582e12710b5858f8b635e0a71ab5e Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 20 Sep 2023 10:13:57 +0200
+Subject: [PATCH] oberthur: Avoid buffer overflow
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650
+---
+ src/pkcs15init/pkcs15-oberthur.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/pkcs15init/pkcs15-oberthur.c b/src/pkcs15init/pkcs15-oberthur.c
+index ad2cabd530..c441ab1e76 100644
+--- a/src/pkcs15init/pkcs15-oberthur.c
++++ b/src/pkcs15init/pkcs15-oberthur.c
+@@ -715,6 +715,9 @@ cosm_create_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
+ 	if (object->type != SC_PKCS15_TYPE_PRKEY_RSA)
+ 		LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Create key failed: RSA only supported");
+ 
++	if (key_info->path.len < 2)
++		LOG_TEST_RET(ctx, SC_ERROR_OBJECT_NOT_VALID, "The path needs to be at least to bytes long");
++
+ 	sc_log(ctx,  "create private key ID:%s",  sc_pkcs15_print_id(&key_info->id));
+ 	/* Here, the path of private key file should be defined.
+ 	 * Nevertheless, we need to instantiate private key to get the ACLs. */

backport-0001-CVE-2021-42782-tcos-prevent-out-of-bounds-read.patch

@@ -0,0 +1,25 @@
+From 78cdab949f098ad7e593d853229fccf57d749d0c Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 30 Nov 2020 17:43:03 +0100
+Subject: [PATCH] tcos: prevent out of bounds read
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27719
+---
+ src/libopensc/pkcs15-tcos.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c
+index 60de1470eb..1134ac11ba 100644
+--- a/src/libopensc/pkcs15-tcos.c
++++ b/src/libopensc/pkcs15-tcos.c
+@@ -152,7 +152,7 @@ static int insert_key(
+ 			sc_log(ctx, "No EF_KEYD-Record found\n");
+ 			return 1;
+ 		}
+-		for (i = 0; i < r; i += 2 + buf[i + 1]) {
++		for (i = 0; i + 1 < r; i += 2 + buf[i + 1]) {
+ 			if (buf[i] == 0xB6)
+ 				can_sign++;
+ 			if (buf[i] == 0xB8)

backport-0002-CVE-2021-42782-coolkey-Initialize-potentially.patch

@@ -0,0 +1,26 @@
+From 7114fb71b54ddfe06ce5dfdab013f4c38f129d14 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 24 Mar 2021 10:57:27 +0100
+Subject: [PATCH] coolkey: Initialize potentially uninitialized memory
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28855
+---
+ src/libopensc/pkcs15-coolkey.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/libopensc/pkcs15-coolkey.c b/src/libopensc/pkcs15-coolkey.c
+index 373ec7a5a9..586475ddee 100644
+--- a/src/libopensc/pkcs15-coolkey.c
++++ b/src/libopensc/pkcs15-coolkey.c
+@@ -425,7 +425,8 @@ coolkey_get_public_key_from_certificate(sc_pkcs15_card_t *p15card, sc_cardctl_co
+ 	sc_pkcs15_pubkey_t *key = NULL;
+ 	int r;
+ 
+-	cert_info.value.value = NULL;
++	memset(&cert_info, 0, sizeof(cert_info));
++
+ 	r = coolkey_get_certificate(p15card->card, obj, &cert_info.value);
+ 	if (r < 0) {
+ 		goto fail;

backport-0004-CVE-2021-42782-iasecc-Prevent-stack-buffer.patch

@@ -0,0 +1,26 @@
+From ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 11 Feb 2021 11:22:54 +0100
+Subject: [PATCH] iasecc: Prevent stack buffer overflow when empty ACL is
+ returned
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800
+---
+ src/libopensc/card-iasecc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/card-iasecc.c b/src/libopensc/card-iasecc.c
+index 166bc307bc..0eec63363a 100644
+--- a/src/libopensc/card-iasecc.c
++++ b/src/libopensc/card-iasecc.c
+@@ -1171,7 +1171,7 @@ iasecc_process_fci(struct sc_card *card, struct sc_file *file,
+ 	else
+ 		acls = sc_asn1_find_tag(ctx, buf, buflen, IASECC_DOCP_TAG_ACLS_CONTACT, &taglen);
+ 
+-	if (!acls)   {
++	if (!acls || taglen < 7)   {
+ 		sc_log(ctx,
+ 		       "ACLs not found in data(%"SC_FORMAT_LEN_SIZE_T"u) %s",
+ 		       buflen, sc_dump_hex(buf, buflen));

backport-0005-CVE-2021-42782-PIV-Improved-parsing.patch

@@ -0,0 +1,223 @@
+From 456ac566938a1da774db06126a2fa6c0cba514b3 Mon Sep 17 00:00:00 2001
+From: Doug Engert <deengert@gmail.com>
+Date: Wed, 14 Jul 2021 11:15:10 -0500
+Subject: [PATCH] PIV Improved parsing of data from the card
+
+Based on Fuzz testing, many of the calls to sc_asn1_find_tag were replaced
+with sc_asn1_read_tag. The input is also tested that the
+expected tag is  the first byte. Additional tests are also add.
+
+sc_asn1_find_tag will skip 0X00 or 0Xff if found. NIST sp800-73-x specs
+do not allow these extra bytes.
+
+ On branch PIV-improved-parsing
+ Changes to be committed:
+	modified:   card-piv.c
+---
+ src/libopensc/card-piv.c | 112 +++++++++++++++++++++------------------
+ 1 file changed, 60 insertions(+), 52 deletions(-)
+
+diff --git a/src/libopensc/card-piv.c b/src/libopensc/card-piv.c
+index f144b2ccef..77e4864f66 100644
+--- a/src/libopensc/card-piv.c
++++ b/src/libopensc/card-piv.c
+@@ -608,14 +608,12 @@ static int piv_generate_key(sc_card_t *card,
+ 		const u8 *cp;
+ 		keydata->exponent = 0;
+ 
+-		/* expected tag is 7f49.  */
+-		/* we will whatever tag is present */
+-
+ 		cp = rbuf;
+ 		in_len = r;
+ 
++		/* expected tag is 0x7f49,returned as cla_out == 0x60 and tag_out = 0x1F49 */
+ 		r = sc_asn1_read_tag(&cp, in_len, &cla_out, &tag_out, &in_len);
+-		if (cp == NULL) {
++		if (cp == NULL || in_len == 0 || cla_out != 0x60 || tag_out != 0x1f49) {
+ 			r = SC_ERROR_ASN1_OBJECT_NOT_FOUND;
+ 		}
+ 		if (r != SC_SUCCESS) {
+@@ -1032,7 +1030,7 @@ piv_cache_internal_data(sc_card_t *card, int enumtag)
+ 			priv->obj_cache[enumtag].obj_len,
+ 			0x53, &bodylen);
+ 
+-	if (body == NULL)
++	if (body == NULL || priv->obj_cache[enumtag].obj_data[0] != 0x53)
+ 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_OBJECT_NOT_VALID);
+ 
+ 	/* get the certificate out */
+@@ -1611,7 +1609,7 @@ static int piv_general_mutual_authenticate(sc_card_t *card,
+ 	/* Remove the encompassing outer TLV of 0x7C and get the data */
+ 	body = sc_asn1_find_tag(card->ctx, rbuf,
+ 		r, 0x7C, &body_len);
+-	if (!body) {
++	if (!body || rbuf[0] != 0x7C) {
+ 		sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Invalid Witness Data response of NULL\n");
+ 		r =  SC_ERROR_INVALID_DATA;
+ 		goto err;
+@@ -1753,7 +1751,7 @@ static int piv_general_mutual_authenticate(sc_card_t *card,
+ 	/* Remove the encompassing outer TLV of 0x7C and get the data */
+ 	body = sc_asn1_find_tag(card->ctx, rbuf,
+ 		r, 0x7C, &body_len);
+-	if(!body) {
++	if(!body || rbuf[0] != 0x7C) {
+ 		sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not find outer tag 0x7C in response");
+ 		r =  SC_ERROR_INVALID_DATA;
+ 		goto err;
+@@ -1914,7 +1912,7 @@ static int piv_general_external_authenticate(sc_card_t *card,
+ 	/* Remove the encompassing outer TLV of 0x7C and get the data */
+ 	body = sc_asn1_find_tag(card->ctx, rbuf,
+ 		r, 0x7C, &body_len);
+-	if (!body) {
++	if (!body || rbuf[0] != 0x7C) {
+ 		sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Invalid Challenge Data response of NULL\n");
+ 		r =  SC_ERROR_INVALID_DATA;
+ 		goto err;
+@@ -2079,7 +2077,7 @@ piv_get_serial_nr_from_CHUI(sc_card_t* card, sc_serial_number_t* serial)
+ 	r = SC_ERROR_INTERNAL;
+ 	if (rbuflen != 0) {
+ 		body = sc_asn1_find_tag(card->ctx, rbuf, rbuflen, 0x53, &bodylen); /* Pass the outer wrapper asn1 */
+-		if (body != NULL && bodylen != 0) {
++		if (body != NULL && bodylen != 0 && rbuf[0] == 0x53) {
+ 			fascn = sc_asn1_find_tag(card->ctx, body, bodylen, 0x30, &fascnlen); /* Find the FASC-N data */
+ 			guid = sc_asn1_find_tag(card->ctx, body, bodylen, 0x34, &guidlen);
+ 
+@@ -2311,10 +2309,10 @@ static int piv_validate_general_authentication(sc_card_t *card,
+ 	piv_private_data_t * priv = PIV_DATA(card);
+ 	int r, tmplen, tmplen2;
+ 	u8 *p;
+-	const u8 *tag;
++	const unsigned char *p2;
+ 	size_t taglen;
+-	const u8 *body;
+ 	size_t bodylen;
++	unsigned int cla, tag;
+ 	unsigned int real_alg_id, op_tag;
+ 
+ 	u8 sbuf[4096]; /* needs work. for 3072 keys, needs 384+10 or so */
+@@ -2367,20 +2365,28 @@ static int piv_validate_general_authentication(sc_card_t *card,
+ 
+ 	r = piv_general_io(card, 0x87, real_alg_id, priv->key_ref,
+ 			sbuf, p - sbuf, rbuf, sizeof rbuf);
++	if (r < 0)
++		goto err;
+ 
+-	if (r >= 0) {
+-		body = sc_asn1_find_tag(card->ctx, rbuf, r, 0x7c, &bodylen);
+-		if (body) {
+-			tag = sc_asn1_find_tag(card->ctx, body,  bodylen, 0x82, &taglen);
+-			if (tag) {
+-				memcpy(out, tag, taglen);
+-				r = taglen;
+-			} else
+-				r = SC_ERROR_INVALID_DATA;
+-		} else
+-			r = SC_ERROR_INVALID_DATA;
++	p2 = rbuf;
++	r = sc_asn1_read_tag(&p2, r, &cla, &tag, &bodylen);
++	if (p2 == NULL || r < 0 || bodylen == 0 || (cla|tag) != 0x7C) {
++		LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_INVALID_DATA, "Can't find 0x7C");
++        }
++
++	r = sc_asn1_read_tag(&p2, bodylen, &cla, &tag, &taglen);
++	if (p2 == NULL || r < 0 || taglen == 0 || (cla|tag) != 0x82) {
++		LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_INVALID_DATA, "Can't find 0x82");
+ 	}
+ 
++	if (taglen > outlen) {
++		LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_INVALID_DATA, "data read longer then buffer");
++	}
++
++	memcpy(out, p2, taglen);
++	r = taglen;
++
++err:
+ 	LOG_FUNC_RETURN(card->ctx, r);
+ }
+ 
+@@ -2394,19 +2400,19 @@ piv_compute_signature(sc_card_t *card, const u8 * data, size_t datalen,
+ 	int i;
+ 	size_t nLen;
+ 	u8 rbuf[128]; /* For EC conversions  384 will fit */
+-	const u8 * body;
+-	size_t bodylen;
+-	const u8 * tag;
+-	size_t taglen;
++	const unsigned char *pseq, *pint, *ptemp, *pend;
++	unsigned int cla, tag;
++	size_t seqlen;
++	size_t intlen;
++	size_t templen;
+ 
+ 	SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+ 
+ 	/* The PIV returns a DER SEQUENCE{INTEGER, INTEGER}
+-	 * Which may have leading 00 to force positive
+-	 * TODO: -DEE should check if PKCS15 want the same
+-	 * But PKCS11 just wants 2* filed_length in bytes
++	 * Which may have leading 00 to force a positive integer
++	 * But PKCS11 just wants 2* field_length in bytes
+ 	 * So we have to strip out the integers
+-	 * if present and pad on left if too short.
++	 * and pad on left if too short.
+ 	 */
+ 
+ 	if (priv->alg_id == 0x11 || priv->alg_id == 0x14 ) {
+@@ -2424,32 +2430,34 @@ piv_compute_signature(sc_card_t *card, const u8 * data, size_t datalen,
+ 		if (r < 0)
+ 			goto err;
+ 
+-		body = sc_asn1_find_tag(card->ctx, rbuf, r, 0x30, &bodylen);
+-
+-		for (i = 0; i<2; i++) {
+-			if (body) {
+-				tag = sc_asn1_find_tag(card->ctx, body,  bodylen, 0x02, &taglen);
+-				if (tag) {
+-					bodylen -= taglen - (tag - body);
+-					body = tag + taglen;
+-
+-					if (taglen > nLen) { /* drop leading 00 if present */
+-						if (*tag != 0x00) {
+-							r = SC_ERROR_INVALID_DATA;
+-							goto err;
+-						}
+-						tag++;
+-						taglen--;
+-					}
+-					memcpy(out + nLen*i + nLen - taglen , tag, taglen);
+-				} else {
++		pseq = rbuf;
++		r = sc_asn1_read_tag(&pseq, r, &cla, &tag, &seqlen);
++		if (pseq == NULL || r < 0 || seqlen == 0 || (cla|tag) != 0x30)
++			LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_INVALID_DATA, "Can't find 0x30");
++
++		pint = pseq;
++		pend = pseq + seqlen;
++		for (i = 0; i < 2; i++) {
++			r = sc_asn1_read_tag(&pint, (pend - pint), &cla, &tag, &intlen);
++			if (pint == NULL || r < 0 || intlen == 0 || (cla|tag) != 0x02)
++				LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_INVALID_DATA, "Can't find 0x02");
++			if (intlen > nLen + 1)
++				LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_INVALID_DATA,"Signature too long");
++
++			ptemp = pint;
++			templen = intlen;
++			if (intlen > nLen) { /* drop leading 00 if present */
++				if (*ptemp != 0x00) {
++					LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_INVALID_DATA,"Signature too long");
+ 					r = SC_ERROR_INVALID_DATA;
+ 					goto err;
+ 				}
+-			} else  {
+-				r = SC_ERROR_INVALID_DATA;
+-				goto err;
++				ptemp++;
++				templen--;
+ 			}
++			memcpy(out + nLen*i + nLen - templen , ptemp, templen);
++			pint += intlen; /* next integer */
++			
+ 		}
+ 		r = 2 * nLen;
+ 	} else { /* RSA is all set */

backport-0006-CVE-2023-2977-correct_left_length_calculation_to_fix_buffer.patch

@@ -0,0 +1,49 @@
+From 3bf3ab2f9091f984cda6dd910654ccbbe3f06a40 Mon Sep 17 00:00:00 2001
+From: fullwaywang <fullwaywang@tencent.com>
+Date: Mon, 29 May 2023 10:38:48 +0800
+Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer
+ overrun bug. Fixes #2785
+
+---
+ src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
+index 9715cf390f..f41f73c349 100644
+--- a/src/pkcs15init/pkcs15-cardos.c
++++ b/src/pkcs15init/pkcs15-cardos.c
+@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ 	sc_apdu_t apdu;
+         u8        rbuf[SC_MAX_APDU_BUFFER_SIZE];
+         int       r;
+-	const u8  *p = rbuf, *q;
++	const u8  *p = rbuf, *q, *pp;
+ 	size_t    len, tlen = 0, ilen = 0;
+ 
+ 	sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
+@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ 		return 0;
+ 
+ 	while (len != 0) {
+-		p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+-		if (p == NULL)
++		pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
++		if (pp == NULL)
+ 			return 0;
+ 		if (card->type == SC_CARD_TYPE_CARDOS_M4_3)	{
+ 			/* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01	*/
+ 			/* and Package Number 0x07					*/
+-			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
++			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
+ 			if (q == NULL || ilen != 4)
+ 				return 0;
+ 			if (q[0] == 0x07)
+@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ 		} else if (card->type == SC_CARD_TYPE_CARDOS_M4_4)	{
+ 			/* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03	*/
+ 			/* and Package Number 0x02					*/
+-			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
++			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
+ 			if (q == NULL || ilen != 4)
+ 				return 0;
+ 			if (q[0] == 0x02)

backport-CVE-2021-42778-idprime-Use-temporary.patch

@@ -0,0 +1,54 @@
+From f015746d22d249642c19674298a18ad824db0ed7 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 2 Dec 2020 13:15:11 +0100
+Subject: [PATCH] idprime: Use temporary variable instead of messing up the
+ passed one
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28185
+---
+ src/libopensc/card-idprime.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/libopensc/card-idprime.c b/src/libopensc/card-idprime.c
+index cf933140c1..8ca393d11d 100644
+--- a/src/libopensc/card-idprime.c
++++ b/src/libopensc/card-idprime.c
+@@ -418,6 +418,7 @@ static int idprime_get_token_name(sc_card_t* card, char** tname)
+ 	sc_path_t tinfo_path = {"\x00\x00", 2, 0, 0, SC_PATH_TYPE_PATH, {"", 0}};
+ 	sc_file_t *file = NULL;
+ 	u8 buf[2];
++	char *name;
+ 	int r;
+ 
+ 	LOG_FUNC_CALLED(card->ctx);
+@@ -445,20 +446,22 @@ static int idprime_get_token_name(sc_card_t* card, char** tname)
+ 	}
+ 	sc_file_free(file);
+ 
+-	*tname = malloc(buf[1]);
+-	if (*tname == NULL) {
++	name = malloc(buf[1]);
++	if (name == NULL) {
+ 		LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
+ 	}
+ 
+-	r = iso_ops->read_binary(card, 2, (unsigned char *)*tname, buf[1], 0);
++	r = iso_ops->read_binary(card, 2, (unsigned char *)name, buf[1], 0);
+ 	if (r < 1) {
+-		free(*tname);
++		free(name);
+ 		LOG_FUNC_RETURN(card->ctx, r);
+ 	}
+ 
+-	if ((*tname)[r-1] != '\0') {
+-		(*tname)[r-1] = '\0';
++	if (name[r-1] != '\0') {
++		name[r-1] = '\0';
+ 	}
++	*tname = name;
++
+ 	LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
+ }
+ 

backport-CVE-2021-42780-tcos-Check-bounds-in-insert_pin.patch

@@ -0,0 +1,33 @@
+From 5df913b7f57ad89b9832555d24c08d23a534311e Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 8 Dec 2020 14:37:39 +0100
+Subject: [PATCH] tcos: Check bounds in insert_pin()
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28383
+---
+ src/libopensc/pkcs15-tcos.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c
+index feeb7eb39d..74ae0cb92f 100644
+--- a/src/libopensc/pkcs15-tcos.c
++++ b/src/libopensc/pkcs15-tcos.c
+@@ -242,13 +242,13 @@ static int insert_pin(
+ 			"Searching for PIN-Ref %02X\n", pin_reference);
+ 		while ((r = sc_read_record(card, ++rec_no, buf, sizeof(buf), SC_RECORD_BY_REC_NR)) > 0) {
+ 			int found = 0, fbz = -1;
+-			if (buf[0] != 0xA0)
++			if (r < 2 || buf[0] != 0xA0)
+ 				continue;
+-			for (i = 2; i < buf[1] + 2; i += 2 + buf[i + 1]) {
++			for (i = 2; i < buf[1] + 2 && (i + 2) < r; i += 2 + buf[i + 1]) {
+ 				if (buf[i] == 0x83 && buf[i + 1] == 1 && buf[i + 2] == pin_reference) {
+ 					++found;
+ 				}
+-				if (buf[i] == 0x90) {
++				if (buf[i] == 0x90 && (i + 1 + buf[i + 1]) < r) {
+ 					fbz = buf[i + 1 + buf[i + 1]];
+ 				}
+ 			}

backport-tcos-Reformat-insert_pin-for-readability.patch

@@ -0,0 +1,73 @@
+From 69544553c36f0613f6283e0eeb3f9eb549825986 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 7 Dec 2020 17:44:34 +0100
+Subject: [PATCH] tcos: Reformat insert_pin() for readability
+
+---
+ src/libopensc/pkcs15-tcos.c | 35 ++++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c
+index 1134ac11ba..feeb7eb39d 100644
+--- a/src/libopensc/pkcs15-tcos.c
++++ b/src/libopensc/pkcs15-tcos.c
+@@ -225,12 +225,14 @@ static int insert_pin(
+ 	pin_obj.auth_id.len      = auth_id ? 0 : 1;
+ 	pin_obj.auth_id.value[0] = auth_id;
+ 
+-	if(card->type==SC_CARD_TYPE_TCOS_V3){
++	if(card->type == SC_CARD_TYPE_TCOS_V3) {
+ 		unsigned char buf[256];
+ 		int i, rec_no=0;
+-		if(pin_info.path.len>=2) pin_info.path.len-=2;
++		if (pin_info.path.len >= 2) {
++			pin_info.path.len -= 2;
++		}
+ 		sc_append_file_id(&pin_info.path, 0x5049);
+-		if(sc_select_file(card, &pin_info.path, NULL)!=SC_SUCCESS){
++		if (sc_select_file(card, &pin_info.path, NULL) != SC_SUCCESS) {
+ 			sc_log(ctx, 
+ 				"Select(%s) failed\n",
+ 				sc_print_path(&pin_info.path));
+@@ -238,17 +240,24 @@ static int insert_pin(
+ 		}
+ 		sc_log(ctx, 
+ 			"Searching for PIN-Ref %02X\n", pin_reference);
+-		while((r=sc_read_record(card, ++rec_no, buf, sizeof(buf), SC_RECORD_BY_REC_NR))>0){
+-			int found=0, fbz=-1;
+-			if(buf[0]!=0xA0) continue;
+-			for(i=2;i<buf[1]+2;i+=2+buf[i+1]){
+-				if(buf[i]==0x83 && buf[i+1]==1 && buf[i+2]==pin_reference) ++found;
+-				if(buf[i]==0x90) fbz=buf[i+1+buf[i+1]];
++		while ((r = sc_read_record(card, ++rec_no, buf, sizeof(buf), SC_RECORD_BY_REC_NR)) > 0) {
++			int found = 0, fbz = -1;
++			if (buf[0] != 0xA0)
++				continue;
++			for (i = 2; i < buf[1] + 2; i += 2 + buf[i + 1]) {
++				if (buf[i] == 0x83 && buf[i + 1] == 1 && buf[i + 2] == pin_reference) {
++					++found;
++				}
++				if (buf[i] == 0x90) {
++					fbz = buf[i + 1 + buf[i + 1]];
++				}
++			}
++			if (found) {
++				pin_info.tries_left = fbz;
++				break;
+ 			}
+-			if(found) pin_info.tries_left=fbz;
+-			if(found) break;
+ 		}
+-		if(r<=0){
++		if (r <= 0) {
+ 			sc_log(ctx, "No EF_PWDD-Record found\n");
+ 			return 1;
+ 		}
+@@ -259,6 +268,6 @@ static int insert_pin(
+ 			return 1;
+ 		}
+-		pin_info.tries_left=f->prop_attr[3];
++		pin_info.tries_left = f->prop_attr[3];
+ 		sc_file_free(f);
+ 	}
+ 

opensc.spec

@@ -3,7 +3,7 @@
 
 Name:            opensc
 Version:         0.21.0
-Release:         4
+Release:         9
 License:         LGPLv2.1+
 Summary:         Smart card library and applications
 URL:             https://github.com/OpenSC/OpenSC/wiki
@@ -27,9 +27,31 @@ Patch6:   oberthur-Correctly-check-for-return-values.patch
 Patch7:   oberthur-Avoid-memory-leaks.patch
 Patch8:   oberthur-fixed-Heap-buffer-overflow.patch
 Patch9:   oberthur-One-more-overlooked-buffer-overflow.patch
-Patch10:  cardos-Correctly-calculate-the-left-bytes-to-avoid-b.patch
-Patch11:  oberthur-Handle-1B-OIDs.patch
-Patch12:  Fix-ACLs-support.patch
+Patch10:  oberthur-Handle-1B-OIDs.patch
+Patch11:  Fix-ACLs-support.patch
+Patch12:  backport-CVE-2021-42778-idprime-Use-temporary.patch
+Patch13:  backport-tcos-Reformat-insert_pin-for-readability.patch
+Patch14:  backport-CVE-2021-42780-tcos-Check-bounds-in-insert_pin.patch
+Patch15:  backport-0001-CVE-2021-42782-tcos-prevent-out-of-bounds-read.patch
+Patch16:  backport-0002-CVE-2021-42782-coolkey-Initialize-potentially.patch
+Patch17:  backport-0003-CVE-2021-42782-cardos-Correctly-calculate-the-left.patch
+Patch18:  backport-0004-CVE-2021-42782-iasecc-Prevent-stack-buffer.patch
+Patch19:  backport-0005-CVE-2021-42782-PIV-Improved-parsing.patch
+Patch20:  backport-0006-CVE-2023-2977-correct_left_length_calculation_to_fix_buffer.patch
+Patch21:  0003-opensc-CVE-2023-40660-1of2.patch
+Patch22:  0004-opensc-CVE-2023-40660-2of2.patch
+Patch23:         0007-opensc-CVE-2023-40661-1of12.patch
+Patch24:         0008-opensc-CVE-2023-40661-2of12.patch
+Patch25:         0009-opensc-CVE-2023-40661-3of12.patch
+Patch26:         0010-opensc-CVE-2023-40661-4of12.patch
+Patch27:         0011-opensc-CVE-2023-40661-5of12.patch
+Patch28:         0012-opensc-CVE-2023-40661-6of12.patch
+Patch29:         0013-opensc-CVE-2023-40661-7of12.patch
+Patch30:         0014-opensc-CVE-2023-40661-8of12.patch
+Patch31:         0015-opensc-CVE-2023-40661-9of12.patch
+Patch32:         0016-opensc-CVE-2023-40661-10of12.patch
+Patch33:         0017-opensc-CVE-2023-40661-11of12.patch
+Patch34:         0018-opensc-CVE-2023-40661-12of12.patch
 
 %description
 OpenSC provides a set of libraries and utilities to work with smart cards.
@@ -148,6 +170,21 @@ make check
 %{_datadir}/opensc/
 
 %changelog
+* Wed Nov  8 2023 dillon chen <dillon.chen@gmail.com> - 0.21.0-9
+- fix CVE-2023-40661
+
+* Mon Oct 23 2023 dillon chen <dillon.chen@gmail.com> - 0.21.0-8
+- fix CVE-2023-40660
+
+* Mon Sep 18 2023 dillon chen <dillon.chen@gmail.com> - 0.21.0-7
+- fix CVE-2023-2977
+
+* Mon May 9 2022 Hugel <gengqihu1@h-partners.com> - 0.21.0-6
+- fix CVE-2021-42782
+
+* Mon May 9 2022 Hugel <gengqihu1@h-partners.com> - 0.21.0-5
+- fix CVE-2021-42778 CVE-2021-42780
+
 * Tue Aug 24 2021 wangjie <wangjie375@huawei.com> - 0.21.0-4
 - fix  oss-fuzz