- fix buffer overflow on rogue card serial numbers

2010-12-21 21:30:04 +01:00 · 2010-12-21 21:30:04 +01:00 · d65ffb9ccd
commit d65ffb9ccd
parent 6a20aba13f
2 changed files with 82 additions and 1 deletions
--- a/opensc-0.11.13-serial-overflow.patch
+++ b/opensc-0.11.13-serial-overflow.patch
@ -0,0 +1,71 @@
+Index: /trunk/src/libopensc/muscle.c
+===================================================================
+--- /trunk/src/libopensc/muscle.c	(revision 4350)
+++ /trunk/src/libopensc/muscle.c	(revision 4912)
+@@ -31,11 +31,4 @@
+ #define MSC_DSA_PUBLIC		0x04
+ #define MSC_DSA_PRIVATE 	0x05
+-
+-#ifndef MAX
+-#define MAX(x, y) (((x) > (y)) ? (x) : (y))
+-#endif
+-#ifndef MIN
+-#define MIN(x, y) (((x) < (y)) ? (x) : (y))
+-#endif
+ 
+ static msc_id inputId = { { 0xFF, 0xFF, 0xFF, 0xFF } };
+Index: /trunk/src/libopensc/internal.h
+===================================================================
+--- /trunk/src/libopensc/internal.h	(revision 4902)
+++ /trunk/src/libopensc/internal.h	(revision 4912)
+@@ -48,4 +48,11 @@
+ #define msleep(t)	Sleep(t)
+ #define sleep(t)	Sleep((t) * 1000)
+#endif
+
+#ifndef MAX
+#define MAX(x, y) (((x) > (y)) ? (x) : (y))
+#endif
+#ifndef MIN
+#define MIN(x, y) (((x) < (y)) ? (x) : (y))
+ #endif
+ 
+Index: /trunk/src/libopensc/card-atrust-acos.c
+===================================================================
+--- /trunk/src/libopensc/card-atrust-acos.c	(revision 4706)
+++ /trunk/src/libopensc/card-atrust-acos.c	(revision 4913)
+@@ -843,6 +843,6 @@
+ 		return SC_ERROR_INTERNAL;
+ 	/* cache serial number */
+-	memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
+-	card->serialnr.len = apdu.resplen;
+	memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR));
+	card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR);
+ 	/* copy and return serial number */
+ 	memcpy(serial, &card->serialnr, sizeof(*serial));
+Index: /trunk/src/libopensc/card-starcos.c
+===================================================================
+--- /trunk/src/libopensc/card-starcos.c	(revision 4706)
+++ /trunk/src/libopensc/card-starcos.c	(revision 4913)
+@@ -1280,6 +1280,6 @@
+ 		return SC_ERROR_INTERNAL;
+ 	/* cache serial number */
+-	memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
+-	card->serialnr.len = apdu.resplen;
+	memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR));
+	card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR);
+ 	/* copy and return serial number */
+ 	memcpy(serial, &card->serialnr, sizeof(*serial));
+Index: /trunk/src/libopensc/card-acos5.c
+===================================================================
+--- /trunk/src/libopensc/card-acos5.c	(revision 4118)
+++ /trunk/src/libopensc/card-acos5.c	(revision 4913)
+@@ -139,6 +139,6 @@
+ 	 * Cache serial number.
+ 	 */
+-	memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
+-	card->serialnr.len = apdu.resplen;
+	memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR));
+	card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR);
+ 
+ 	/*
--- a/opensc.spec
+++ b/opensc.spec
@ -2,7 +2,7 @@

 Name:           opensc
 Version:        0.11.13
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Smart card library and applications

 Group:          System Environment/Libraries
@ -13,11 +13,14 @@ Patch1:         %{name}-0.11.7-develconfig.patch
 Patch2:         %{name}-0.11.12-no-add-needed.patch
 Patch3:         opensc-0.11.13-libassuan1.patch
 Patch4:         opensc-0.11.13-build-readerstate.patch
+Patch5:         opensc-0.11.13-serial-overflow.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

 BuildRequires:  pcsc-lite-devel
 BuildRequires:  readline-devel
+%if 0%{?fedora} || 0%{?rhel} > 5
 BuildRequires:  openct-devel
+%endif
 BuildRequires:  openssl-devel
 BuildRequires:  libtool-ltdl-devel
 BuildRequires:  libtool
@ -62,6 +65,8 @@ OpenSC development files.
 %setup -q
 %patch1 -p1 -b .config
 %patch2 -p1 -b .no-add-needed
+%patch5 -p2 -b .overflow
+
 sed -i -e 's|"/lib /usr/lib\b|"/%{_lib} %{_libdir}|' configure # lib64 rpaths
 cp -p src/pkcs15init/README ./README.pkcs15init
 cp -p src/scconf/README.scconf .
@ -81,7 +86,9 @@ rm -f m4/libassuan.m4
 %configure  --disable-static \
  --enable-nsplugin \
  --enable-pcsc \
+%if 0%{?fedora} || 0%{?rhel} > 5
  --enable-openct \
+%endif
  --enable-doc \
  --with-pcsc-provider=libpcsclite.so.1 \
  --with-plugindir=%{plugindir} \
@ -171,6 +178,9 @@ rm -rf $RPM_BUILD_ROOT


 %changelog
+* Tue Dec 21 2010 Tomas Mraz <tmraz@redhat.com> - 0.11.13-6
+- fix buffer overflow on rogue card serial numbers
+
 * Tue Oct 19 2010 Tomas Mraz <tmraz@redhat.com> - 0.11.13-5
 - own the _libdir/pkcs11 subdirectory (#644527)