* [Buildroot] [PATCH 1/1] package/opensc: fix CVE-2023-2977
@ 2023-09-19 20:49 Fabrice Fontaine
2023-09-20 17:42 ` Yann E. MORIN
2023-09-25 7:56 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2023-09-19 20:49 UTC (permalink / raw)
To: buildroot; +Cc: Fabrice Fontaine
A vulnerability was found in OpenSC. This security flaw cause a buffer
overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The
attacker can supply a smart card package with malformed ASN1 context.
The cardos_have_verifyrc_package function scans the ASN1 buffer for 2
tags, where remaining length is wrongly caculated due to moved starting
pointer. This leads to possible heap-based buffer oob read. In cases
where ASAN is enabled while compiling this causes a crash. Further info
leak or more damage is possible.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...alculation-to-fix-buffer-overrun-bug.patch | 51 +++++++++++++++++++
package/opensc/opensc.mk | 3 ++
2 files changed, 54 insertions(+)
create mode 100644 package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
diff --git a/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch b/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
new file mode 100644
index 0000000000..079f960b59
--- /dev/null
+++ b/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
@@ -0,0 +1,51 @@
+From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001
+From: fullwaywang <fullwaywang@tencent.com>
+Date: Mon, 29 May 2023 10:38:48 +0800
+Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer
+ overrun bug. Fixes #2785
+
+Upstream: https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
+index 9715cf390f..f41f73c349 100644
+--- a/src/pkcs15init/pkcs15-cardos.c
++++ b/src/pkcs15init/pkcs15-cardos.c
+@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ sc_apdu_t apdu;
+ u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
+ int r;
+- const u8 *p = rbuf, *q;
++ const u8 *p = rbuf, *q, *pp;
+ size_t len, tlen = 0, ilen = 0;
+
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
+@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ return 0;
+
+ while (len != 0) {
+- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+- if (p == NULL)
++ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
++ if (pp == NULL)
+ return 0;
+ if (card->type == SC_CARD_TYPE_CARDOS_M4_3) {
+ /* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 */
+ /* and Package Number 0x07 */
+- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
+ if (q == NULL || ilen != 4)
+ return 0;
+ if (q[0] == 0x07)
+@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4) {
+ /* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03 */
+ /* and Package Number 0x02 */
+- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
+ if (q == NULL || ilen != 4)
+ return 0;
+ if (q[0] == 0x02)
diff --git a/package/opensc/opensc.mk b/package/opensc/opensc.mk
index 32f0fdaa8b..823bc50102 100644
--- a/package/opensc/opensc.mk
+++ b/package/opensc/opensc.mk
@@ -15,4 +15,7 @@ OPENSC_DEPENDENCIES = openssl pcsc-lite
OPENSC_INSTALL_STAGING = YES
OPENSC_CONF_OPTS = --disable-cmocka --disable-strict --disable-tests
+# 0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
+OPENSC_IGNORE_CVES += CVE-2023-2977
+
$(eval $(autotools-package))
--
2.40.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [Buildroot] [PATCH 1/1] package/opensc: fix CVE-2023-2977
2023-09-19 20:49 [Buildroot] [PATCH 1/1] package/opensc: fix CVE-2023-2977 Fabrice Fontaine
@ 2023-09-20 17:42 ` Yann E. MORIN
2023-09-25 7:56 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Yann E. MORIN @ 2023-09-20 17:42 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
Fabrice, All,
On 2023-09-19 22:49 +0200, Fabrice Fontaine spake thusly:
> A vulnerability was found in OpenSC. This security flaw cause a buffer
> overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The
> attacker can supply a smart card package with malformed ASN1 context.
> The cardos_have_verifyrc_package function scans the ASN1 buffer for 2
> tags, where remaining length is wrongly caculated due to moved starting
> pointer. This leads to possible heap-based buffer oob read. In cases
> where ASAN is enabled while compiling this causes a crash. Further info
> leak or more damage is possible.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> ...alculation-to-fix-buffer-overrun-bug.patch | 51 +++++++++++++++++++
> package/opensc/opensc.mk | 3 ++
> 2 files changed, 54 insertions(+)
> create mode 100644 package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
>
> diff --git a/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch b/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
> new file mode 100644
> index 0000000000..079f960b59
> --- /dev/null
> +++ b/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
> @@ -0,0 +1,51 @@
> +From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001
> +From: fullwaywang <fullwaywang@tencent.com>
> +Date: Mon, 29 May 2023 10:38:48 +0800
> +Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer
> + overrun bug. Fixes #2785
> +
> +Upstream: https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +---
> + src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
> + 1 file changed, 5 insertions(+), 5 deletions(-)
> +
> +diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
> +index 9715cf390f..f41f73c349 100644
> +--- a/src/pkcs15init/pkcs15-cardos.c
> ++++ b/src/pkcs15init/pkcs15-cardos.c
> +@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
> + sc_apdu_t apdu;
> + u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
> + int r;
> +- const u8 *p = rbuf, *q;
> ++ const u8 *p = rbuf, *q, *pp;
> + size_t len, tlen = 0, ilen = 0;
> +
> + sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
> +@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
> + return 0;
> +
> + while (len != 0) {
> +- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
> +- if (p == NULL)
> ++ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
> ++ if (pp == NULL)
> + return 0;
> + if (card->type == SC_CARD_TYPE_CARDOS_M4_3) {
> + /* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 */
> + /* and Package Number 0x07 */
> +- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
> ++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
> + if (q == NULL || ilen != 4)
> + return 0;
> + if (q[0] == 0x07)
> +@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
> + } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4) {
> + /* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03 */
> + /* and Package Number 0x02 */
> +- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
> ++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
> + if (q == NULL || ilen != 4)
> + return 0;
> + if (q[0] == 0x02)
> diff --git a/package/opensc/opensc.mk b/package/opensc/opensc.mk
> index 32f0fdaa8b..823bc50102 100644
> --- a/package/opensc/opensc.mk
> +++ b/package/opensc/opensc.mk
> @@ -15,4 +15,7 @@ OPENSC_DEPENDENCIES = openssl pcsc-lite
> OPENSC_INSTALL_STAGING = YES
> OPENSC_CONF_OPTS = --disable-cmocka --disable-strict --disable-tests
>
> +# 0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
> +OPENSC_IGNORE_CVES += CVE-2023-2977
> +
> $(eval $(autotools-package))
> --
> 2.40.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [Buildroot] [PATCH 1/1] package/opensc: fix CVE-2023-2977
2023-09-19 20:49 [Buildroot] [PATCH 1/1] package/opensc: fix CVE-2023-2977 Fabrice Fontaine
2023-09-20 17:42 ` Yann E. MORIN
@ 2023-09-25 7:56 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2023-09-25 7:56 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> A vulnerability was found in OpenSC. This security flaw cause a buffer
> overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The
> attacker can supply a smart card package with malformed ASN1 context.
> The cardos_have_verifyrc_package function scans the ASN1 buffer for 2
> tags, where remaining length is wrongly caculated due to moved starting
> pointer. This leads to possible heap-based buffer oob read. In cases
> where ASAN is enabled while compiling this causes a crash. Further info
> leak or more damage is possible.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2023.02.x, 2023.05.x and 2023.08.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-09-25 7:56 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-09-19 20:49 [Buildroot] [PATCH 1/1] package/opensc: fix CVE-2023-2977 Fabrice Fontaine
2023-09-20 17:42 ` Yann E. MORIN
2023-09-25 7:56 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox