From 11e1462e9e7455e7b04a477cfd9f2ef1c314c8c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= Date: Thu, 14 Dec 2023 10:47:42 +0100 Subject: [PATCH] opensc-0.24.0-1 --- .gitignore | 1 + opensc-0.19.0-pinpad.patch | 13 +- opensc-0.23.0-cardos-buffer-overrun.patch | 49 ----- opensc-0.23.0-pkcs11-tool-import.patch | 212 ---------------------- opensc.spec | 13 +- sources | 2 +- 6 files changed, 13 insertions(+), 277 deletions(-) delete mode 100644 opensc-0.23.0-cardos-buffer-overrun.patch delete mode 100644 opensc-0.23.0-pkcs11-tool-import.patch diff --git a/.gitignore b/.gitignore index 93c4e90..b1943a4 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,4 @@ /opensc-0.21.0.tar.gz /opensc-0.22.0.tar.gz /opensc-0.23.0.tar.gz +/opensc-0.24.0.tar.gz diff --git a/opensc-0.19.0-pinpad.patch b/opensc-0.19.0-pinpad.patch index 7a4ed3a..7bb0060 100644 --- a/opensc-0.19.0-pinpad.patch +++ b/opensc-0.19.0-pinpad.patch @@ -1,10 +1,9 @@ -diff -up opensc-0.19.0/etc/opensc.conf.pinpad opensc-0.19.0/etc/opensc.conf ---- opensc-0.19.0/etc/opensc.conf.pinpad 2018-10-22 14:31:12.082963540 +0200 -+++ opensc-0.19.0/etc/opensc.conf 2018-10-22 14:33:59.939410701 +0200 -@@ -4,4 +4,9 @@ app default { - framework pkcs15 { - # use_file_caching = public; - } +--- opensc-0.24.0/etc/opensc.conf 2023-12-13 10:44:39.000000000 +0100 ++++ opensc-0.24.0/etc/opensc.conf.pinpad 2023-12-14 13:31:40.723607168 +0100 +@@ -1,4 +1,9 @@ + app default { + # debug = 3; + # debug_file = opensc-debug.txt; + reader_driver pcsc { + # The pinpad is disabled by default, + # because of many broken readers out there diff --git a/opensc-0.23.0-cardos-buffer-overrun.patch b/opensc-0.23.0-cardos-buffer-overrun.patch deleted file mode 100644 index 3226107..0000000 --- a/opensc-0.23.0-cardos-buffer-overrun.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 3bf3ab2f9091f984cda6dd910654ccbbe3f06a40 Mon Sep 17 00:00:00 2001 -From: fullwaywang -Date: Mon, 29 May 2023 10:38:48 +0800 -Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer - overrun bug. Fixes #2785 - ---- - src/pkcs15init/pkcs15-cardos.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c -index 9715cf390f..f41f73c349 100644 ---- a/src/pkcs15init/pkcs15-cardos.c -+++ b/src/pkcs15init/pkcs15-cardos.c -@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) - sc_apdu_t apdu; - u8 rbuf[SC_MAX_APDU_BUFFER_SIZE]; - int r; -- const u8 *p = rbuf, *q; -+ const u8 *p = rbuf, *q, *pp; - size_t len, tlen = 0, ilen = 0; - - sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88); -@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card) - return 0; - - while (len != 0) { -- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); -- if (p == NULL) -+ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); -+ if (pp == NULL) - return 0; - if (card->type == SC_CARD_TYPE_CARDOS_M4_3) { - /* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 */ - /* and Package Number 0x07 */ -- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen); -+ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen); - if (q == NULL || ilen != 4) - return 0; - if (q[0] == 0x07) -@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) - } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4) { - /* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03 */ - /* and Package Number 0x02 */ -- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen); -+ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen); - if (q == NULL || ilen != 4) - return 0; - if (q[0] == 0x02) diff --git a/opensc-0.23.0-pkcs11-tool-import.patch b/opensc-0.23.0-pkcs11-tool-import.patch deleted file mode 100644 index 2905005..0000000 --- a/opensc-0.23.0-pkcs11-tool-import.patch +++ /dev/null @@ -1,212 +0,0 @@ -From 99f7b82f187ca3512ceae6270c391243d018fdac Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Thu, 1 Dec 2022 20:08:53 +0100 -Subject: [PATCH 1/4] pkcs11-tool: Fix private key import - ---- - src/tools/pkcs11-tool.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c -index aae205fe2c..cfee8526d5 100644 ---- a/src/tools/pkcs11-tool.c -+++ b/src/tools/pkcs11-tool.c -@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) - RSA_get0_factors(r, &r_p, &r_q); - RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp); - #else -- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 || -+ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 || - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 || - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 || - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 || - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 || -- EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) { - util_fatal("OpenSSL error during RSA private key parsing"); -+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) { - } - #endif - RSA_GET_BN(rsa, private_exponent, r_d); - -From 4a6e1d1dcd18757502027b1c5d2fb2cbaca28407 Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Thu, 1 Dec 2022 20:11:41 +0100 -Subject: [PATCH 2/4] pkcs11-tool: Log more information on OpenSSL errors - ---- - src/tools/pkcs11-tool.c | 15 ++++++--------- - 1 file changed, 6 insertions(+), 9 deletions(-) - -diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c -index cfee8526d5..f2e6b1dd91 100644 ---- a/src/tools/pkcs11-tool.c -+++ b/src/tools/pkcs11-tool.c -@@ -3641,10 +3641,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) - const BIGNUM *r_dmp1, *r_dmq1, *r_iqmp; - r = EVP_PKEY_get1_RSA(pkey); - if (!r) { -- if (private) -- util_fatal("OpenSSL error during RSA private key parsing"); -- else -- util_fatal("OpenSSL error during RSA public key parsing"); -+ util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public", -+ ERR_error_string(ERR_peek_last_error(), NULL)); - } - - RSA_get0_key(r, &r_n, &r_e, NULL); -@@ -3654,10 +3652,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) - BIGNUM *r_dmp1 = NULL, *r_dmq1 = NULL, *r_iqmp = NULL; - if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &r_n) != 1 || - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &r_e) != 1) { -- if (private) -- util_fatal("OpenSSL error during RSA private key parsing"); -- else -- util_fatal("OpenSSL error during RSA public key parsing"); -+ util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public", -+ ERR_error_string(ERR_peek_last_error(), NULL)); - } - #endif - RSA_GET_BN(rsa, modulus, r_n); -@@ -3674,8 +3670,9 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 || - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 || - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 || -- util_fatal("OpenSSL error during RSA private key parsing"); - EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) { -+ util_fatal("OpenSSL error during RSA private key parsing: %s", -+ ERR_error_string(ERR_peek_last_error(), NULL)); - } - #endif - RSA_GET_BN(rsa, private_exponent, r_d); - -From 267da3e81f1fc23a9ccce1462ab5deb1a4d4aec5 Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Thu, 1 Dec 2022 20:38:31 +0100 -Subject: [PATCH 3/4] Reproducer for broken pkcs11-tool key import - ---- - tests/Makefile.am | 10 ++++--- - tests/test-pkcs11-tool-import.sh | 48 ++++++++++++++++++++++++++++++++ - 2 files changed, 54 insertions(+), 4 deletions(-) - create mode 100755 tests/test-pkcs11-tool-import.sh - -diff --git a/tests/Makefile.am b/tests/Makefile.am -index d378e2ee00..9d8a24c321 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -14,8 +14,9 @@ dist_noinst_SCRIPTS = common.sh \ - test-pkcs11-tool-test-threads.sh \ - test-pkcs11-tool-sign-verify.sh \ - test-pkcs11-tool-allowed-mechanisms.sh \ -- test-pkcs11-tool-sym-crypt-test.sh\ -- test-pkcs11-tool-unwrap-wrap-test.sh -+ test-pkcs11-tool-sym-crypt-test.sh \ -+ test-pkcs11-tool-unwrap-wrap-test.sh \ -+ test-pkcs11-tool-import.sh - - .NOTPARALLEL: - TESTS = \ -@@ -25,8 +26,9 @@ TESTS = \ - test-pkcs11-tool-test.sh \ - test-pkcs11-tool-test-threads.sh \ - test-pkcs11-tool-allowed-mechanisms.sh \ -- test-pkcs11-tool-sym-crypt-test.sh\ -- test-pkcs11-tool-unwrap-wrap-test.sh -+ test-pkcs11-tool-sym-crypt-test.sh \ -+ test-pkcs11-tool-unwrap-wrap-test.sh \ -+ test-pkcs11-tool-import.sh - XFAIL_TESTS = \ - test-pkcs11-tool-test-threads.sh \ - test-pkcs11-tool-test.sh -diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh -new file mode 100755 -index 0000000000..76ff8e51be ---- /dev/null -+++ b/tests/test-pkcs11-tool-import.sh -@@ -0,0 +1,48 @@ -+#!/bin/bash -+SOURCE_PATH=${SOURCE_PATH:-..} -+ -+source $SOURCE_PATH/tests/common.sh -+ -+echo "=======================================================" -+echo "Setup SoftHSM" -+echo "=======================================================" -+if [[ ! -f $P11LIB ]]; then -+ echo "WARNING: The SoftHSM is not installed. Can not run this test" -+ exit 77; -+fi -+card_setup -+ -+ID="0100" -+OPTS="" -+for KEYTYPE in "RSA" "EC"; do -+ echo "=======================================================" -+ echo "Generate and import $KEYTYPE keys" -+ echo "=======================================================" -+ if [ "$KEYTYPE" == "RSA" ]; then -+ ID="0100" -+ elif [ "$KEYTYPE" == "EC" ]; then -+ ID="0200" -+ OPTS="-pkeyopt ec_paramgen_curve:P-521" -+ fi -+ openssl genpkey -out "${KEYTYPE}_private.der" -outform DER -algorithm $KEYTYPE $OPTS -+ assert $? "Failed to generate private $KEYTYPE key" -+ $PKCS11_TOOL --write-object "${KEYTYPE}_private.der" --id "$ID" --type privkey \ -+ --label "$KEYTYPE" -p "$PIN" --module "$P11LIB" -+ assert $? "Failed to write private $KEYTYPE key" -+ -+ openssl pkey -in "${KEYTYPE}_private.der" -out "${KEYTYPE}_public.der" -pubout -inform DER -outform DER -+ assert $? "Failed to convert private $KEYTYPE key to public" -+ $PKCS11_TOOL --write-object "${KEYTYPE}_public.der" --id "$ID" --type pubkey --label "$KEYTYPE" \ -+ -p $PIN --module $P11LIB -+ assert $? "Failed to write public $KEYTYPE key" -+ # certificate import already tested in all other tests -+ -+ rm "${KEYTYPE}_private.der" "${KEYTYPE}_public.der" -+done -+ -+echo "=======================================================" -+echo "Cleanup" -+echo "=======================================================" -+card_cleanup -+ -+exit $ERRORS - -From 63a7bceeca43ece1eee201ef7a974b20b294ba4e Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Fri, 2 Dec 2022 18:07:43 +0100 -Subject: [PATCH 4/4] Simplify the new test -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Co-authored-by: Veronika Hanulíková <61348757+xhanulik@users.noreply.github.com> ---- - tests/test-pkcs11-tool-import.sh | 8 +++----- - 1 file changed, 3 insertions(+), 5 deletions(-) - -diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh -index 76ff8e51be..c90b3b4926 100755 ---- a/tests/test-pkcs11-tool-import.sh -+++ b/tests/test-pkcs11-tool-import.sh -@@ -12,15 +12,13 @@ if [[ ! -f $P11LIB ]]; then - fi - card_setup - --ID="0100" --OPTS="" - for KEYTYPE in "RSA" "EC"; do - echo "=======================================================" - echo "Generate and import $KEYTYPE keys" - echo "=======================================================" -- if [ "$KEYTYPE" == "RSA" ]; then -- ID="0100" -- elif [ "$KEYTYPE" == "EC" ]; then -+ ID="0100" -+ OPTS="" -+ if [ "$KEYTYPE" == "EC" ]; then - ID="0200" - OPTS="-pkeyopt ec_paramgen_curve:P-521" - fi - diff --git a/opensc.spec b/opensc.spec index e53a100..faf2a98 100644 --- a/opensc.spec +++ b/opensc.spec @@ -1,6 +1,6 @@ Name: opensc -Version: 0.23.0 -Release: 5%{?dist} +Version: 0.24.0 +Release: 1%{?dist} Summary: Smart card library and applications License: LGPL-2.1-or-later AND BSD 3-Clause @@ -10,10 +10,6 @@ Source1: opensc.module Patch1: opensc-0.19.0-pinpad.patch # File caching by default (#2000626) Patch8: %{name}-0.22.0-file-cache.patch -# https://github.com/OpenSC/OpenSC/pull/2656 -Patch9: %{name}-0.23.0-pkcs11-tool-import.patch -# https://github.com/OpenSC/OpenSC/pull/2787 -Patch10: %{name}-0.23.0-cardos-buffer-overrun.patch BuildRequires: make BuildRequires: pcsc-lite-devel @@ -53,8 +49,6 @@ every software/card that does so, too. %setup -q %patch1 -p1 -b .pinpad %patch8 -p1 -b .file-cache -%patch9 -p1 -b .pkcs11-tool-import -%patch10 -p1 -b .cardos-buffer-overrun # The test-pkcs11-tool-allowed-mechanisms already works in Fedora sed -i -e '/XFAIL_TESTS/,$ { @@ -203,6 +197,9 @@ rm %{buildroot}%{_mandir}/man1/opensc-notify.1* %changelog +* Thu Dec 14 2023 Veronika Hanulikova - 0.24.0-1 +- New upstream release (#2240701) + * Tue Aug 08 2023 Veronika Hanulikova - 0.23.0-5 - Fix buffer overrun vulnerability (#2211088), fixes CVE-2023-2977 diff --git a/sources b/sources index 0cc1eb8..49a9e7d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (opensc-0.23.0.tar.gz) = cd102cd64e719c59153960a4921b7525055045f16e6f6ffa8c9def6ce999a9c5098267b41f8753b41107f626bea20c34561002f5d38eddb4ce6b371913a17a1b +SHA512 (opensc-0.24.0.tar.gz) = 0fd2ea858874ae0b85c8fe8c4b920988693a47ca95b26449a1e95f86e17b76000f236c1f75d63ee133306e01a965155da5e14c1b8a59053b85026ecb58fb97bb