-rw-r--r-- | CVE-2020-26570.patch | 33 | ||||
-rw-r--r-- | community/opensc/APKBUILD | 14 | ||||
-rw-r--r-- | community/opensc/CVE-2020-26570.patch | 33 | ||||
-rw-r--r-- | community/opensc/CVE-2020-26571.patch | 44 | ||||
-rw-r--r-- | community/opensc/CVE-2020-26572.patch | 23 |
5 files changed, 145 insertions, 2 deletions
diff --git a/CVE-2020-26570.patch b/CVE-2020-26570.patch new file mode 100644 index 00000000000..c345cab3a28 --- /dev/null +++ b/CVE-2020-26570.patch @@ -0,0 +1,33 @@ +From 6903aebfddc466d966c7b865fae34572bf3ed23e Mon Sep 17 00:00:00 2001 +From: Frank Morgner <frankmorgner@gmail.com> +Date: Thu, 30 Jul 2020 02:21:17 +0200 +Subject: [PATCH] Heap-buffer-overflow WRITE + +fixes https://oss-fuzz.com/testcase-detail/5088104168554496 +--- + src/libopensc/pkcs15-oberthur.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c +index a873aaa0dd..2fb32b8dba 100644 +--- a/src/libopensc/pkcs15-oberthur.c ++++ b/src/libopensc/pkcs15-oberthur.c +@@ -271,11 +271,15 @@ sc_oberthur_read_file(struct sc_pkcs15_card *p15card, const char *in_path, + rv = sc_read_binary(card, 0, *out, sz, 0); + } + else { +- int rec; +- int offs = 0; +- int rec_len = file->record_length; ++ size_t rec; ++ size_t offs = 0; ++ size_t rec_len = file->record_length; + + for (rec = 1; ; rec++) { ++ if (rec > file->record_count) { ++ rv = 0; ++ break; ++ } + rv = sc_read_record(card, rec, *out + offs + 2, rec_len, SC_RECORD_BY_REC_NR); + if (rv == SC_ERROR_RECORD_NOT_FOUND) { + rv = 0; diff --git a/community/opensc/APKBUILD b/community/opensc/APKBUILD index b89b13fbcb5..01594c96ff6 100644 --- a/community/opensc/APKBUILD +++ b/community/opensc/APKBUILD @@ -3,7 +3,7 @@ pkgname=opensc _realname=OpenSC pkgver=0.20.0 -pkgrel=1 +pkgrel=2 pkgdesc="Open source smart card tools and middleware" url="https://github.com/OpenSC/OpenSC" arch="all" 
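Review bot: `CVE-2020-26570.patch` is added twice, once at the repository root and once as `community/opensc/CVE-2020-26570.patch`, and both entries carry the same blob `c345cab3a28`. The `source=` line added to community/opensc/APKBUILD names the file without a directory, so, assuming the usual lookup next to the APKBUILD, only the copy under community/opensc is fetched and covered by `sha512sums`. The root-level copy looks like a stray file and should be dropped from the commit, since an unreferenced security patch at the top of the tree can drift from the one that is actually applied.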
@@ -13,11 +13,18 @@ depends_dev="zlib-dev pcsc-lite-dev openssl-dev readline-dev" makedepends="$depends_dev automake autoconf m4 gettext libtool" subpackages="$pkgname-dev $pkgname-doc $pkgname-bash-completion:bashcomp:noarch" source="$_realname-$pkgver.tar.gz::https://github.com/OpenSC/OpenSC/archive/$pkgver.tar.gz + CVE-2020-26570.patch + CVE-2020-26571.patch + CVE-2020-26572.patch " builddir="$srcdir/$_realname-$pkgver" # secfixes: +# 0.20.0-r2: +# - CVE-2020-26570 +# - CVE-2020-26571 +# - CVE-2020-26572 # 0.20.0-r0: # - CVE-2019-6502 # - CVE-2019-15945 @@ -79,4 +86,7 @@ bashcomp() { amove usr/share/bash-completion/completions } -sha512sums="1360ee35f579cbeecf368777bb60d6c23ec2a80a2983328ea2c193530cc9b101a807ff1e2982ad34bfcc2bae2c867feecf300b6229d15057e796bd31ecffb02d OpenSC-0.20.0.tar.gz" +sha512sums="1360ee35f579cbeecf368777bb60d6c23ec2a80a2983328ea2c193530cc9b101a807ff1e2982ad34bfcc2bae2c867feecf300b6229d15057e796bd31ecffb02d OpenSC-0.20.0.tar.gz +e5d3aa047459986bbdefcb436ada8079345fa5f5d4498062f8cd1c1af9c769b56e7b1a79f792aa85e767b21d802815ec52fff5093540ac928da203c634b01996 CVE-2020-26570.patch +aa822cddb8526d4ed9a124f5b5854688e82f1101c8a2ac05b33784f43f0c79fdc0f0772bc89ced066bfe700ad674209e0cec9707e9af326c028b8021d321ea1b CVE-2020-26571.patch +0e71e69396123578def598cdb9f359000e15bf4d9cfeca0df50808d31bbeee8ecd458333fb8734a7569112c5559ca2d4bdb740cef9360a8bcba3be3650bd32bf CVE-2020-26572.patch" diff --git a/community/opensc/CVE-2020-26570.patch b/community/opensc/CVE-2020-26570.patch new file mode 100644 index 00000000000..c345cab3a28 --- /dev/null +++ b/community/opensc/CVE-2020-26570.patch 
@@ -0,0 +1,33 @@
+From 6903aebfddc466d966c7b865fae34572bf3ed23e Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Thu, 30 Jul 2020 02:21:17 +0200
+Subject: [PATCH] Heap-buffer-overflow WRITE
+
+fixes https://oss-fuzz.com/testcase-detail/5088104168554496
+---
+ src/libopensc/pkcs15-oberthur.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
+index a873aaa0dd..2fb32b8dba 100644
+--- a/src/libopensc/pkcs15-oberthur.c
++++ b/src/libopensc/pkcs15-oberthur.c
+@@ -271,11 +271,15 @@ sc_oberthur_read_file(struct sc_pkcs15_card *p15card, const char *in_path,
+ rv = sc_read_binary(card, 0, *out, sz, 0);
+ }
+ else {
+- int rec;
+- int offs = 0;
+- int rec_len = file->record_length;
++ size_t rec;
++ size_t offs = 0;
++ size_t rec_len = file->record_length;
+
+ for (rec = 1; ; rec++) {
++ if (rec > file->record_count) {
++ rv = 0;
++ break;
++ }
+ rv = sc_read_record(card, rec, *out + offs + 2, rec_len, SC_RECORD_BY_REC_NR);
+ if (rv == SC_ERROR_RECORD_NOT_FOUND) {
+ rv = 0;
diff --git a/community/opensc/CVE-2020-26571.patch b/community/opensc/CVE-2020-26571.patch
new file mode 100644
index 00000000000..ef597435aac
--- /dev/null
+++ b/community/opensc/CVE-2020-26571.patch
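Review bot: The added `if (rec > file->record_count)` guard limits how many records are read, but each `sc_read_record(card, rec, *out + offs + 2, rec_len, SC_RECORD_BY_REC_NR)` call still writes up to `rec_len` bytes at an offset this hunk does not bound. Whether that write stays inside `*out` depends on how the buffer was sized, which happens outside the hunk, so the fix is complete only if the allocation covers `record_count` records of `record_length + 2` bytes; that should be confirmed against the full function. If it holds, a comment on the guard such as `/* *out is sized from record_count; never read a record it has no room for */` would record the invariant the check relies on. The loop body continues past the end of the hunk.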
@@ -0,0 +1,44 @@
+From ed55fcd2996930bf58b9bb57e9ba7b1f3a753c43 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Mon, 18 May 2020 17:25:32 +0200
+Subject: [PATCH] fixed invalid read
+
+fixes https://oss-fuzz.com/testcase-detail/5765246676631552
+---
+ src/libopensc/pkcs15-gemsafeGPK.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-gemsafeGPK.c b/src/libopensc/pkcs15-gemsafeGPK.c
+index e13f3b8798..4b80daf2a1 100644
+--- a/src/libopensc/pkcs15-gemsafeGPK.c
++++ b/src/libopensc/pkcs15-gemsafeGPK.c
+@@ -205,7 +205,7 @@ static int sc_pkcs15emu_gemsafeGPK_init(sc_pkcs15_card_t *p15card)
+
+ u8 sysrec[7];
+ int num_keyinfo = 0;
+- keyinfo kinfo[8]; /* will loook for 8 keys */
++ keyinfo kinfo[9]; /* will look for 9 keys */
+ u8 modulus_buf[ 1 + 1024 / 8]; /* tag+modulus */
+ u8 *cp;
+ char buf[256];
+@@ -255,9 +255,9 @@ static int sc_pkcs15emu_gemsafeGPK_init(sc_pkcs15_card_t *p15card)
+
+ /* There may be more then one key in the directory. */
+ /* we need to find them so we can associate them with the */
+- /* the certificate. The files are 0007 to 000f */
++ /* the certificate. The files are 0007 to 000F */
+
+- for (i = 7; i < 16; i++) {
++ for (i = 0x7; i <= 0xF; i++) {
+ path.value[0] = 0x00;
+ path.value[1] = i;
+ path.len = 2;
+@@ -297,7 +297,7 @@ static int sc_pkcs15emu_gemsafeGPK_init(sc_pkcs15_card_t *p15card)
+ while (j--)
+ *cp++ = modulus_buf[j + 1];
+ num_keyinfo++;
+- }
++ }
+
+ /* Get the gemsafe data with the cert */
+ sc_format_path("3F000200004", &path);
diff --git a/community/opensc/CVE-2020-26572.patch b/community/opensc/CVE-2020-26572.patch
new file mode 100644
index 00000000000..0c73a1f23a5
--- /dev/null
+++ b/community/opensc/CVE-2020-26572.patch
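Review bot: The size in `keyinfo kinfo[9]` and the range in `for (i = 0x7; i <= 0xF; i++)` are kept in step only by hand, and the removed lines show the cost: `kinfo[8]` against a loop over nine files (`i = 7; i < 16`). Deriving both from one named constant, or starting the loop body with `if (num_keyinfo >= (int)(sizeof kinfo / sizeof kinfo[0])) break;`, would stop a later change to either number from reintroducing the out-of-bounds access. The code that indexes `kinfo` lies between the second and third hunks and is not shown, so the exact placement of such a guard needs checking against the full function.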
@@ -0,0 +1,23 @@
+From 9d294de90d1cc66956389856e60b6944b27b4817 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Thu, 4 Jun 2020 10:04:10 +0200
+Subject: [PATCH] prevent out of bounds write
+
+fixes https://oss-fuzz.com/testcase-detail/5226571123392512
+---
+ src/libopensc/card-tcos.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libopensc/card-tcos.c b/src/libopensc/card-tcos.c
+index 673c2493dd..e88c80bd79 100644
+--- a/src/libopensc/card-tcos.c
++++ b/src/libopensc/card-tcos.c
+@@ -623,6 +623,8 @@ static int tcos_decipher(sc_card_t *card, const u8 * crgram, size_t crgram_len,
+ apdu.data = sbuf;
+ apdu.lc = apdu.datalen = crgram_len+1;
+ sbuf[0] = tcos3 ? 0x00 : ((data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) ? 0x81 : 0x02);
++ if (sizeof sbuf - 1 < crgram_len)
++ return SC_ERROR_INVALID_ARGUMENTS;
+ memcpy(sbuf+1, crgram, crgram_len);
+
+ r = sc_transmit_apdu(card, &apdu); |
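Review bot: The new length guard in tcos_decipher is correct only if `sbuf` is a true array in this scope, because `sizeof sbuf` on a pointer would yield the pointer size; its declaration is outside the hunk, so this is worth confirming. The guard also sits after `apdu.lc = apdu.datalen = crgram_len+1;`, so the APDU fields are already filled from the unchecked length before the function rejects it; moving the check above those assignments keeps the rejected value out of the APDU entirely. A short comment such as `/* sbuf holds one pad-mode byte followed by the cryptogram */` would record why the limit is `sizeof sbuf - 1`.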