[Buildroot] [PATCH 1/1] package/opensc: security bump to version 0.24.0

* [Buildroot] [PATCH 1/1] package/opensc: security bump to version 0.24.0
@ 2023-12-26 16:11 Fabrice Fontaine
  2023-12-26 20:28 ` Yann E. MORIN
  2024-01-10  9:45 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2023-12-26 16:11 UTC (permalink / raw)
  To: buildroot; +Cc: Fabrice Fontaine

- Drop patches (already in version) and so drop autoreconf
- Fix the following security issues:
  - CVE-2023-40660: Fix Potential PIN bypass
  - CVE-2023-40661: Important dynamic analyzers reports
  - CVE-2023-4535: Out-of-bounds read in MyEID driver handling
    encryption using symmetric keys

https://github.com/OpenSC/OpenSC/releases/tag/0.24.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...ed-compatibility-with-LibreSSL-3.5.0.patch | 54 ---------------
 ...ed-compatibility-with-LibreSSL-3.7.0.patch | 28 --------
 ...onfigure-add-option-to-disable-tests.patch | 67 -------------------
 ...alculation-to-fix-buffer-overrun-bug.patch | 51 --------------
 ...L-does-provide-EVP_sha3_-after-3-7-3.patch | 32 ---------
 ...ixed-detection-of-SHA3-compatibility.patch | 27 --------
 package/opensc/opensc.hash                    |  2 +-
 package/opensc/opensc.mk                      |  7 +-
 8 files changed, 2 insertions(+), 266 deletions(-)
 delete mode 100644 package/opensc/0001-fixed-compatibility-with-LibreSSL-3.5.0.patch
 delete mode 100644 package/opensc/0002-fixed-compatibility-with-LibreSSL-3.7.0.patch
 delete mode 100644 package/opensc/0003-configure-add-option-to-disable-tests.patch
 delete mode 100644 package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
 delete mode 100644 package/opensc/0005-LibreSSL-does-provide-EVP_sha3_-after-3-7-3.patch
 delete mode 100644 package/opensc/0006-fixed-detection-of-SHA3-compatibility.patch

diff --git a/package/opensc/0001-fixed-compatibility-with-LibreSSL-3.5.0.patch b/package/opensc/0001-fixed-compatibility-with-LibreSSL-3.5.0.patch
deleted file mode 100644
index 0daf75d5ba..0000000000
--- a/package/opensc/0001-fixed-compatibility-with-LibreSSL-3.5.0.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From da01e5fab9be9865db1aac203e574e0edbfd6584 Mon Sep 17 00:00:00 2001
-From: Frank Morgner <frankmorgner@gmail.com>
-Date: Wed, 14 Dec 2022 09:31:29 +0100
-Subject: [PATCH] fixed compatibility with LibreSSL >= 3.5.0
-
-fixes https://github.com/OpenSC/OpenSC/issues/2664
-
-Upstream: https://github.com/OpenSC/OpenSC/commit/da01e5fab9be9865db1aac203e574e0edbfd6584
-
-Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
----
- src/libopensc/card-iasecc.c    | 12 +-----------
- src/libopensc/sc-ossl-compat.h |  1 +
- 2 files changed, 2 insertions(+), 11 deletions(-)
-
-diff --git a/src/libopensc/card-iasecc.c b/src/libopensc/card-iasecc.c
-index 480c1cf87b..1347ed2393 100644
---- a/src/libopensc/card-iasecc.c
-+++ b/src/libopensc/card-iasecc.c
-@@ -38,21 +38,11 @@
- #include <openssl/pkcs12.h>
- #include <openssl/x509v3.h>
- 
--/*
-- * OpenSSL-3.0.0 does not allow access to the SHA data
-- * so this driver can not produces signatures
-- * OpenSSL 1.1.1 uses EVP_MD_CTX_md_data
-- * LibreSSL
-- */
--
--#if defined(LIBRESSL_VERSION_NUMBER)
--# define  EVP_MD_CTX_md_data(x)  (x->md_data)
--#endif
--
- #include "internal.h"
- #include "asn1.h"
- #include "cardctl.h"
- #include "opensc.h"
-+#include "sc-ossl-compat.h"
- /* #include "sm.h" */
- #include "pkcs15.h"
- /* #include "hash-strings.h" */
-diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h
-index da53ca8cee..8c0f96701c 100644
---- a/src/libopensc/sc-ossl-compat.h
-+++ b/src/libopensc/sc-ossl-compat.h
-@@ -42,6 +42,7 @@ extern "C" {
- #define X509_get_extension_flags(x)	(x->ex_flags)
- #define X509_get_key_usage(x)		(x->ex_kusage)
- #define X509_get_extended_key_usage(x)	(x->ex_xkusage)
-+#define EVP_MD_CTX_md_data(x)          (x->md_data)
- #endif
- 
- #if defined(LIBRESSL_VERSION_NUMBER)
diff --git a/package/opensc/0002-fixed-compatibility-with-LibreSSL-3.7.0.patch b/package/opensc/0002-fixed-compatibility-with-LibreSSL-3.7.0.patch
deleted file mode 100644
index 6bbbea6ce6..0000000000
--- a/package/opensc/0002-fixed-compatibility-with-LibreSSL-3.7.0.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 98ad0f93b0a7673cdce82e1b3faa7dc314c64dd6 Mon Sep 17 00:00:00 2001
-From: Frank Morgner <frankmorgner@gmail.com>
-Date: Fri, 16 Dec 2022 11:56:28 +0100
-Subject: [PATCH] fixed compatibility with LibreSSL 3.7.0
-
-Upstream: https://github.com/OpenSC/OpenSC/commit/98ad0f93b0a7673cdce82e1b3faa7dc314c64dd6
-
-Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
----
- src/libopensc/sc-ossl-compat.h | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h
-index 8c0f96701c..4425da93f3 100644
---- a/src/libopensc/sc-ossl-compat.h
-+++ b/src/libopensc/sc-ossl-compat.h
-@@ -54,9 +54,11 @@ extern "C" {
- #define EVP_sha3_256()                          (NULL)
- #define EVP_sha3_384()                          (NULL)
- #define EVP_sha3_512()                          (NULL)
-+#if LIBRESSL_VERSION_NUMBER < 0x3070000fL
- #define EVP_PKEY_new_raw_public_key(t, e, p, l) (NULL)
- #define EVP_PKEY_get_raw_public_key(p, pu, l)   (0)
- #endif
-+#endif
- 
- /* OpenSSL 1.1.1 has FIPS_mode function */
- #if OPENSSL_VERSION_NUMBER >= 0x30000000L
diff --git a/package/opensc/0003-configure-add-option-to-disable-tests.patch b/package/opensc/0003-configure-add-option-to-disable-tests.patch
deleted file mode 100644
index 29342026c1..0000000000
--- a/package/opensc/0003-configure-add-option-to-disable-tests.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 3c3ed2ecbf31d41b6e5406da55971b9d9eaa3388 Mon Sep 17 00:00:00 2001
-From: Bernd Kuhls <bernd@kuhls.net>
-Date: Mon, 24 Jul 2023 22:28:11 +0200
-Subject: [PATCH] configure: add option to disable tests
-
-Upstream: https://github.com/OpenSC/OpenSC/pull/2822
-
-Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
----
- configure.ac    | 9 +++++++++
- src/Makefile.am | 6 +++++-
- 2 files changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 0a90445b..9b7543da 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -272,6 +272,13 @@ AC_ARG_ENABLE(
- 	[enable_doc="no"]
- )
- 
-+AC_ARG_ENABLE(
-+	[tests],
-+	[AS_HELP_STRING([--enable-tests],[enable tests @<:@enabled@:>@])],
-+	,
-+	[enable_tests="yes"]
-+)
-+
- AC_ARG_ENABLE(
- 	[dnie-ui],
- 	[AS_HELP_STRING([--enable-dnie-ui],[enable use of external user interface program to request DNIe pin@<:@disabled@:>@])],
-@@ -1119,6 +1126,7 @@ AM_CONDITIONAL([ENABLE_NOTIFY], [test "${enable_notify}" = "yes"])
- AM_CONDITIONAL([ENABLE_CRYPTOTOKENKIT], [test "${enable_cryptotokenkit}" = "yes"])
- AM_CONDITIONAL([ENABLE_OPENCT], [test "${enable_openct}" = "yes"])
- AM_CONDITIONAL([ENABLE_DOC], [test "${enable_doc}" = "yes"])
-+AM_CONDITIONAL([ENABLE_TESTS], [test "${enable_tests}" = "yes"])
- AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
- AM_CONDITIONAL([CYGWIN], [test "${CYGWIN}" = "yes"])
- AM_CONDITIONAL([ENABLE_MINIDRIVER], [test "${enable_minidriver}" = "yes"])
-@@ -1213,6 +1221,7 @@ XSL stylesheets:         ${xslstylesheetsdir}
- 
- man support:             ${enable_man}
- doc support:             ${enable_doc}
-+tests:                   ${enable_tests}
- thread locking support:  ${enable_thread_locking}
- zlib support:            ${enable_zlib}
- readline support:        ${enable_readline}
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 3ce465bf..bf71b61f 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -3,7 +3,11 @@ EXTRA_DIST = Makefile.mak
- 
- # Order IS important
- SUBDIRS = common scconf ui pkcs15init sm \
--		  libopensc pkcs11 tools minidriver tests
-+		  libopensc pkcs11 tools minidriver
-+
-+if ENABLE_TESTS
-+SUBDIRS += tests
-+endif
- 
- if ENABLE_SM
- SUBDIRS += smm
--- 
-2.39.2
-
diff --git a/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch b/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
deleted file mode 100644
index 079f960b59..0000000000
--- a/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001
-From: fullwaywang <fullwaywang@tencent.com>
-Date: Mon, 29 May 2023 10:38:48 +0800
-Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer
- overrun bug. Fixes #2785
-
-Upstream: https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
-index 9715cf390f..f41f73c349 100644
---- a/src/pkcs15init/pkcs15-cardos.c
-+++ b/src/pkcs15init/pkcs15-cardos.c
-@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
- 	sc_apdu_t apdu;
-         u8        rbuf[SC_MAX_APDU_BUFFER_SIZE];
-         int       r;
--	const u8  *p = rbuf, *q;
-+	const u8  *p = rbuf, *q, *pp;
- 	size_t    len, tlen = 0, ilen = 0;
- 
- 	sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
-@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
- 		return 0;
- 
- 	while (len != 0) {
--		p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
--		if (p == NULL)
-+		pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
-+		if (pp == NULL)
- 			return 0;
- 		if (card->type == SC_CARD_TYPE_CARDOS_M4_3)	{
- 			/* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01	*/
- 			/* and Package Number 0x07					*/
--			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
-+			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
- 			if (q == NULL || ilen != 4)
- 				return 0;
- 			if (q[0] == 0x07)
-@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
- 		} else if (card->type == SC_CARD_TYPE_CARDOS_M4_4)	{
- 			/* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03	*/
- 			/* and Package Number 0x02					*/
--			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
-+			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
- 			if (q == NULL || ilen != 4)
- 				return 0;
- 			if (q[0] == 0x02)
diff --git a/package/opensc/0005-LibreSSL-does-provide-EVP_sha3_-after-3-7-3.patch b/package/opensc/0005-LibreSSL-does-provide-EVP_sha3_-after-3-7-3.patch
deleted file mode 100644
index 80c19a3f5f..0000000000
--- a/package/opensc/0005-LibreSSL-does-provide-EVP_sha3_-after-3-7-3.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From e015242590ad9131e124232cc5a2fd02d525ef2c Mon Sep 17 00:00:00 2001
-From: Klemens Nanni <kn@openbsd.org>
-Date: Thu, 29 Jun 2023 02:41:43 +0300
-Subject: [PATCH] LibreSSL does provide EVP_sha3_*() after 3.7.3
-
-Support was added in 16.04.2023.
-
-Compile- and run-tested on OpenBSD/amd64 7.3-current.
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Upstream: https://github.com/OpenSC/OpenSC/commit/e015242590ad9131e124232cc5a2fd02d525ef2c
----
- src/libopensc/sc-ossl-compat.h | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h
-index df0cebbce2..8012cd4c0f 100644
---- a/src/libopensc/sc-ossl-compat.h
-+++ b/src/libopensc/sc-ossl-compat.h
-@@ -50,10 +50,12 @@ extern "C" {
- #if LIBRESSL_VERSION_NUMBER < 0x30500000L
- #define FIPS_mode()                             (0)
- #endif
-+#ifndef EVP_sha3_224
- #define EVP_sha3_224()                          (NULL)
- #define EVP_sha3_256()                          (NULL)
- #define EVP_sha3_384()                          (NULL)
- #define EVP_sha3_512()                          (NULL)
-+#endif
- #if LIBRESSL_VERSION_NUMBER < 0x3070000fL
- #define EVP_PKEY_new_raw_public_key(t, e, p, l) (NULL)
- #define EVP_PKEY_get_raw_public_key(p, pu, l)   (0)
diff --git a/package/opensc/0006-fixed-detection-of-SHA3-compatibility.patch b/package/opensc/0006-fixed-detection-of-SHA3-compatibility.patch
deleted file mode 100644
index 3d8aa7e4ef..0000000000
--- a/package/opensc/0006-fixed-detection-of-SHA3-compatibility.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 33351d91aa22fa8077847ba3f19abb5a00b04600 Mon Sep 17 00:00:00 2001
-From: Frank Morgner <frankmorgner@gmail.com>
-Date: Tue, 15 Aug 2023 17:58:21 +0200
-Subject: [PATCH] fixed detection of SHA3 compatibility
-
-fixes https://github.com/OpenSC/OpenSC/issues/2836
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Upstream: https://github.com/OpenSC/OpenSC/commit/33351d91aa22fa8077847ba3f19abb5a00b04600
----
- src/libopensc/sc-ossl-compat.h | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h
-index 8012cd4c0f..96ec4bd736 100644
---- a/src/libopensc/sc-ossl-compat.h
-+++ b/src/libopensc/sc-ossl-compat.h
-@@ -50,7 +50,8 @@ extern "C" {
- #if LIBRESSL_VERSION_NUMBER < 0x30500000L
- #define FIPS_mode()                             (0)
- #endif
--#ifndef EVP_sha3_224
-+/* OpenSSL 1.1.1 has EVP_sha3_* */
-+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x30800000L
- #define EVP_sha3_224()                          (NULL)
- #define EVP_sha3_256()                          (NULL)
- #define EVP_sha3_384()                          (NULL)
diff --git a/package/opensc/opensc.hash b/package/opensc/opensc.hash
index e8e675667e..232222062c 100644
--- a/package/opensc/opensc.hash
+++ b/package/opensc/opensc.hash
@@ -1,5 +1,5 @@
 # Computed locally from https://https://github.com/OpenSC/OpenSC/releases/
-sha256  a4844a6ea03a522ecf35e49659716dacb6be03f7c010a1a583aaf3eb915ed2e0  opensc-0.23.0.tar.gz
+sha256  24d03c69287291da32a30c4c38a304ad827f56cb85d83619e1f5403ab6480ef8  opensc-0.24.0.tar.gz
 
 # Computed locally
 sha256  376b54d4c5f4aa99421823fa4da93e3ab73096fce2400e89858632aa7da24a14  COPYING
diff --git a/package/opensc/opensc.mk b/package/opensc/opensc.mk
index 823bc50102..49bdcae37a 100644
--- a/package/opensc/opensc.mk
+++ b/package/opensc/opensc.mk
@@ -4,18 +4,13 @@
 #
 ################################################################################
 
-OPENSC_VERSION = 0.23.0
+OPENSC_VERSION = 0.24.0
 OPENSC_SITE = https://github.com/OpenSC/OpenSC/releases/download/$(OPENSC_VERSION)
 OPENSC_LICENSE = LGPL-2.1+
 OPENSC_LICENSE_FILES = COPYING
 OPENSC_CPE_ID_VENDOR = opensc_project
-# 0003-configure-add-option-to-disable-tests.patch
-OPENSC_AUTORECONF = YES
 OPENSC_DEPENDENCIES = openssl pcsc-lite
 OPENSC_INSTALL_STAGING = YES
 OPENSC_CONF_OPTS = --disable-cmocka --disable-strict --disable-tests
 
-# 0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
-OPENSC_IGNORE_CVES += CVE-2023-2977
-
 $(eval $(autotools-package))
-- 
2.43.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 3+ messages in thread