Fix for CVE-2023-4535
Resolves: RHEL-16449
This commit is contained in:
Jakub Jelen
parent
156d0d7c18
commit
da38a025cf
99
opensc-0.23.0-myeid-sym.patch
Normal file
99
opensc-0.23.0-myeid-sym.patch
Normal file
@ -0,0 +1,99 @@
|
|||||||
|
From cde2e050ec4f2f1b7db38429aa4e9c0f4656308c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Popovec <popovec.peter@gmail.com>
|
||||||
|
Date: Wed, 26 Apr 2023 13:22:09 +0200
|
||||||
|
Subject: [PATCH] NULL pointer fix
|
||||||
|
|
||||||
|
Thanks to the clang analyzer:
|
||||||
|
Null pointer passed to 2nd parameter expecting 'nonnull'
|
||||||
|
[clang-analyzer-core.NonNullParamChecker]
|
||||||
|
|
||||||
|
modified: src/libopensc/card-myeid.c
|
||||||
|
---
|
||||||
|
src/libopensc/card-myeid.c | 15 ++++++++++-----
|
||||||
|
1 file changed, 10 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libopensc/card-myeid.c b/src/libopensc/card-myeid.c
|
||||||
|
index 31dd209f3..951c179f1 100644
|
||||||
|
--- a/src/libopensc/card-myeid.c
|
||||||
|
+++ b/src/libopensc/card-myeid.c
|
||||||
|
@@ -1973,6 +1973,9 @@ myeid_enc_dec_sym(struct sc_card *card, const u8 *data, size_t datalen,
|
||||||
|
return_len = block_size - pad_byte;
|
||||||
|
}
|
||||||
|
*outlen = return_len;
|
||||||
|
+ /* application can request buffer size or actual buffer size is too small */
|
||||||
|
+ if (out == NULL)
|
||||||
|
+ LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
||||||
|
if (return_len > *outlen)
|
||||||
|
LOG_FUNC_RETURN(ctx, SC_ERROR_BUFFER_TOO_SMALL);
|
||||||
|
memcpy(out, priv->sym_plain_buffer, return_len);
|
||||||
|
@@ -2042,10 +2045,11 @@ myeid_enc_dec_sym(struct sc_card *card, const u8 *data, size_t datalen,
|
||||||
|
priv->sym_crypt_buffer_len = 0;
|
||||||
|
rest_len = 0;
|
||||||
|
}
|
||||||
|
- memcpy(sdata, data, apdu_datalen);
|
||||||
|
- data += apdu_datalen;
|
||||||
|
- datalen -= apdu_datalen;
|
||||||
|
-
|
||||||
|
+ if (data) {
|
||||||
|
+ memcpy(sdata, data, apdu_datalen);
|
||||||
|
+ data += apdu_datalen;
|
||||||
|
+ datalen -= apdu_datalen;
|
||||||
|
+ }
|
||||||
|
r = sc_transmit_apdu(card, &apdu);
|
||||||
|
LOG_TEST_RET(ctx, r, "APDU transmit failed");
|
||||||
|
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
||||||
|
@@ -2084,7 +2088,8 @@ myeid_enc_dec_sym(struct sc_card *card, const u8 *data, size_t datalen,
|
||||||
|
/* save rest of data for next run */
|
||||||
|
priv->sym_crypt_buffer_len = datalen;
|
||||||
|
sc_log(ctx, "rest data len = %zu", datalen);
|
||||||
|
- memcpy(priv->sym_crypt_buffer, data, datalen);
|
||||||
|
+ if (data)
|
||||||
|
+ memcpy(priv->sym_crypt_buffer, data, datalen);
|
||||||
|
sc_log(ctx, "return data len = %zu", return_len);
|
||||||
|
*outlen = return_len;
|
||||||
|
return SC_SUCCESS;
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
||||||
|
From f1993dc4e0b33050b8f72a3558ee88b24c4063b2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Popovec <popovec.peter@gmail.com>
|
||||||
|
Date: Tue, 27 Jun 2023 09:50:42 +0200
|
||||||
|
Subject: [PATCH] myeid: fixed CID 380538 Out-of-bounds read (OVERRUN)
|
||||||
|
|
||||||
|
also fixes output buffer size checking
|
||||||
|
---
|
||||||
|
src/libopensc/card-myeid.c | 10 ++++++----
|
||||||
|
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libopensc/card-myeid.c b/src/libopensc/card-myeid.c
|
||||||
|
index 4ee424684..50e78ff1d 100644
|
||||||
|
--- a/src/libopensc/card-myeid.c
|
||||||
|
+++ b/src/libopensc/card-myeid.c
|
||||||
|
@@ -1986,18 +1986,20 @@ myeid_enc_dec_sym(struct sc_card *card, const u8 *data, size_t datalen,
|
||||||
|
sc_log(ctx, "Found padding byte %02x", pad_byte);
|
||||||
|
if (pad_byte == 0 || pad_byte > block_size)
|
||||||
|
LOG_FUNC_RETURN(ctx, SC_ERROR_WRONG_PADDING);
|
||||||
|
- sdata = priv->sym_plain_buffer + block_size - pad_byte;
|
||||||
|
+ sdata = priv->sym_plain_buffer + block_size;
|
||||||
|
for (i = 0; i < pad_byte; i++)
|
||||||
|
- if (sdata[i] != pad_byte)
|
||||||
|
+ if (*(--sdata) != pad_byte)
|
||||||
|
LOG_FUNC_RETURN(ctx, SC_ERROR_WRONG_PADDING);
|
||||||
|
return_len = block_size - pad_byte;
|
||||||
|
}
|
||||||
|
- *outlen = return_len;
|
||||||
|
/* application can request buffer size or actual buffer size is too small */
|
||||||
|
- if (out == NULL)
|
||||||
|
+ if (out == NULL) {
|
||||||
|
+ *outlen = return_len;
|
||||||
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
||||||
|
+ }
|
||||||
|
if (return_len > *outlen)
|
||||||
|
LOG_FUNC_RETURN(ctx, SC_ERROR_BUFFER_TOO_SMALL);
|
||||||
|
+ *outlen = return_len;
|
||||||
|
memcpy(out, priv->sym_plain_buffer, return_len);
|
||||||
|
sc_log(ctx, "C_DecryptFinal %zu bytes", *outlen);
|
||||||
|
return SC_SUCCESS;
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
||||||
@ -50,6 +50,9 @@ Patch14: %{name}-0.23.0-pin-bypass.patch
|
|||||||
# https://github.com/OpenSC/OpenSC/commit/5f6370a35f151497838628f78111087eb8e7ff1
|
# https://github.com/OpenSC/OpenSC/commit/5f6370a35f151497838628f78111087eb8e7ff1
|
||||||
# https://github.com/OpenSC/OpenSC/commit/fbff25ec6c6d0ad3f8df76f57210698f7947fc3
|
# https://github.com/OpenSC/OpenSC/commit/fbff25ec6c6d0ad3f8df76f57210698f7947fc3
|
||||||
Patch15: %{name}-0.23.0-pkcs15init.patch
|
Patch15: %{name}-0.23.0-pkcs15init.patch
|
||||||
|
# https://github.com/OpenSC/OpenSC/commit/cde2e050ec4f2f1b7db38429aa4e9c0f4656308c
|
||||||
|
# https://github.com/OpenSC/OpenSC/commit/f1993dc4e0b33050b8f72a3558ee88b24c4063b2
|
||||||
|
Patch16: %{name}-0.23.0-myeid-sym.patch
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: pcsc-lite-devel
|
BuildRequires: pcsc-lite-devel
|
||||||
@ -96,6 +99,7 @@ every software/card that does so, too.
|
|||||||
%patch13 -p1 -b .cache-offsets
|
%patch13 -p1 -b .cache-offsets
|
||||||
%patch14 -p1 -b .pin-bypass
|
%patch14 -p1 -b .pin-bypass
|
||||||
%patch15 -p1 -b .pkcs15init
|
%patch15 -p1 -b .pkcs15init
|
||||||
|
%patch16 -p1 -b .myeid-sym
|
||||||
|
|
||||||
cp -p src/pkcs15init/README ./README.pkcs15init
|
cp -p src/pkcs15init/README ./README.pkcs15init
|
||||||
cp -p src/scconf/README.scconf .
|
cp -p src/scconf/README.scconf .
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user