[pkg-opensc-maint] Bug#1037025: unblock: opensc/0.23.0-0.3
Bastian Germann
bage at debian.org
Thu Jun 1 22:37:00 BST 2023
Package: release.debian.org
Control: affects -1 + src:opensc
X-Debbugs-Cc: opensc at packages.debian.org
User: release.debian.org at packages.debian.org
Usertags: unblock
Severity: normal
Please unblock package opensc.
[ Reason ]
Fixes CVE-2023-2977.
[ Risks ]
None.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock opensc/0.23.0-0.3
diff -Nru opensc-0.23.0/debian/changelog opensc-0.23.0/debian/changelog
--- opensc-0.23.0/debian/changelog 2023-02-13 17:13:20.000000000 +0100
+++ opensc-0.23.0/debian/changelog 2023-06-01 22:30:18.000000000 +0200
@@ -1,3 +1,10 @@
+opensc (0.23.0-0.3) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2023-2977 with upstream patch.
+
+ -- Bastian Germann <bage at debian.org> Thu, 01 Jun 2023 22:30:18 +0200
+
opensc (0.23.0-0.2) unstable; urgency=medium
* Non-maintainer upload
diff -Nru opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch
--- opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch 1970-01-01 01:00:00.000000000 +0100
+++ opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch 2023-06-01 22:30:18.000000000 +0200
@@ -0,0 +1,57 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a
+From: fullwaywang <fullwaywang at tencent.com>
+Date: Mon, 29 May 2023 10:38:48 +0800
+Subject: pkcs15init: correct left length calculation to fix buffer overrun bug.
+ Fixes #2785
+
+From https://github.com/OpenSC/OpenSC/issues/2785:
+The newly found issue exists in pkcs15-init module. Like the original bug in libopensc,
+cardos_have_verifyrc_package in pkcs15-cardos.c scans an ans1 buffer for 2 tags.
+The pointer p is moved after each sc_asn1_find_tag invocation,
+which results in the miscalculation of the length of left bytes in buffer
+and hence reading beyond the end of the buffer.
+
+CVE-2023-2977 was assigned for this issue.
+---
+ src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
+index 9715cf390f..f41f73c349 100644
+--- a/src/pkcs15init/pkcs15-cardos.c
++++ b/src/pkcs15init/pkcs15-cardos.c
+@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ sc_apdu_t apdu;
+ u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
+ int r;
+- const u8 *p = rbuf, *q;
++ const u8 *p = rbuf, *q, *pp;
+ size_t len, tlen = 0, ilen = 0;
+
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
+@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ return 0;
+
+ while (len != 0) {
+- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+- if (p == NULL)
++ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
++ if (pp == NULL)
+ return 0;
+ if (card->type == SC_CARD_TYPE_CARDOS_M4_3) {
+ /* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 */
+ /* and Package Number 0x07 */
+- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
+ if (q == NULL || ilen != 4)
+ return 0;
+ if (q[0] == 0x07)
+@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4) {
+ /* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03 */
+ /* and Package Number 0x02 */
+- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
+ if (q == NULL || ilen != 4)
+ return 0;
+ if (q[0] == 0x02)
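Review bot: the decoupling of the search origin (`p`, `len`) from the found tag (`pp`, `tlen`) is the right shape for the `while (len != 0)` loop, but the lines that advance `p` and decrement `len` at the bottom of that loop are outside the shown context, and the header describes the root cause as exactly that pairing going wrong; please confirm in the full file that `len` is reduced by the same number of bytes that `p` is advanced (tag header included, not just the value length in `tlen`), otherwise a subsequent iteration can still pass a `len` that extends past `rbuf` into `sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen)`. On the packaging side, the issue URL now lives only in the description line `From https://github.com/OpenSC/OpenSC/issues/2785:`; adding it as a DEP-3 `Bug:` field beside `Origin:` would let patch tooling pick it up.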
diff -Nru opensc-0.23.0/debian/patches/series opensc-0.23.0/debian/patches/series
--- opensc-0.23.0/debian/patches/series 2023-02-13 17:13:04.000000000 +0100
+++ opensc-0.23.0/debian/patches/series 2023-06-01 22:30:18.000000000 +0200
@@ -1,3 +1,4 @@
0001-Use-sysconfdir-opensc-for-opensc.conf.patch
0002-Fix-private-key-import.patch
0003-Log-OpenSSL-errors.patch
+0004-pkcs15init-correct-left-length-calculation.patch