Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: Debian OpenSC Maintainers <pkg-opensc-ma...@lists.alioth.debian.org>, t...@security.debian.org
* CVE-2019-15945: Out-of-bounds access of an ASN.1 Bitstring. (Closes: #939668) * CVE-2019-15946: Out-of-bounds access of an ASN.1 Octet string. (Closes: #939669) * CVE-2019-19479: Incorrect read operation in the Setec driver. (Closes: #947383) * CVE-2019-20792: Double free in the Coolkey driver. * CVE-2020-26570: Heap-based buffer overflow in the Oberthur driver. (Closes: #972037) * CVE-2020-26571: Stack-based buffer overflow in the GPK driver. (Closes: #972036) * CVE-2020-26572: Stack-based buffer overflow in the TCOS driver. (Closes: #972035)
diff -Nru opensc-0.19.0/debian/changelog opensc-0.19.0/debian/changelog
--- opensc-0.19.0/debian/changelog 2018-09-30 23:26:03.000000000 +0300
+++ opensc-0.19.0/debian/changelog 2022-01-23 19:32:38.000000000 +0200
@@ -1,3 +1,22 @@
+opensc (0.19.0-1+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2019-15945: Out-of-bounds access of an ASN.1 Bitstring.
+ (Closes: #939668)
+ * CVE-2019-15946: Out-of-bounds access of an ASN.1 Octet string.
+ (Closes: #939669)
+ * CVE-2019-19479: Incorrect read operation in the Setec driver.
+ (Closes: #947383)
+ * CVE-2019-20792: Double free in the Coolkey driver.
+ * CVE-2020-26570: Heap-based buffer overflow in the Oberthur driver.
+ (Closes: #972037)
+ * CVE-2020-26571: Stack-based buffer overflow in the GPK driver.
+ (Closes: #972036)
+ * CVE-2020-26572: Stack-based buffer overflow in the TCOS driver.
+ (Closes: #972035)
+
+ -- Adrian Bunk <b...@debian.org> Sun, 23 Jan 2022 19:32:38 +0200
+
 opensc (0.19.0-1) unstable; urgency=medium
 
 * New upstream release (Closes: 908363, 909444)
diff -Nru opensc-0.19.0/debian/patches/0001-fixed-out-of-bounds-access-of-ASN.1-Bitstring.patch opensc-0.19.0/debian/patches/0001-fixed-out-of-bounds-access-of-ASN.1-Bitstring.patch
--- opensc-0.19.0/debian/patches/0001-fixed-out-of-bounds-access-of-ASN.1-Bitstring.patch 1970-01-01 02:00:00.000000000 +0200
+++ opensc-0.19.0/debian/patches/0001-fixed-out-of-bounds-access-of-ASN.1-Bitstring.patch 2022-01-23 19:32:38.000000000 +0200
@@ -0,0 +1,42 @@
+From 0509b2f61ca948312a15d18712a130f7bffd512e Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorg...@gmail.com>
+Date: Tue, 27 Aug 2019 15:17:17 +0200
+Subject: fixed out of bounds access of ASN.1 Bitstring
+
+Credit to OSS-Fuzz
+---
+ src/libopensc/asn1.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/libopensc/asn1.c b/src/libopensc/asn1.c
+index 3262ed80..fd972238 100644
+--- a/src/libopensc/asn1.c
++++ b/src/libopensc/asn1.c
+@@ -570,16 +570,20 @@ static int decode_bit_string(const u8 * inbuf, size_t inlen, void *outbuf,
+ {
+ const u8 *in = inbuf;
+ u8 *out = (u8 *) outbuf;
+- int zero_bits = *in & 0x07;
+- size_t octets_left = inlen - 1;
+ int i, count = 0;
++ int zero_bits;
++ size_t octets_left;
+ 
+- memset(outbuf, 0, outlen);
+- in++;
+ if (outlen < octets_left)
+ return SC_ERROR_BUFFER_TOO_SMALL;
+ if (inlen < 1)
+ return SC_ERROR_INVALID_ASN1_OBJECT;
++
++ zero_bits = *in & 0x07;
++ octets_left = inlen - 1;
++ in++;
++ memset(outbuf, 0, outlen);
++
+ while (octets_left) {
+ /* 1st octet of input: ABCDEFGH, where A is the MSB */
+ /* 1st octet of output: HGFEDCBA, where A is the LSB */
+--
+2.20.1
+
diff -Nru opensc-0.19.0/debian/patches/0002-fixed-compiler-warning.patch opensc-0.19.0/debian/patches/0002-fixed-compiler-warning.patch
--- opensc-0.19.0/debian/patches/0002-fixed-compiler-warning.patch 1970-01-01 02:00:00.000000000 +0200
+++ opensc-0.19.0/debian/patches/0002-fixed-compiler-warning.patch 2022-01-23 19:32:38.000000000 +0200
@@ -0,0 +1,36 @@
+From 28869a7bd4fd928b498638fff27b76b56e58f4d6 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorg...@gmail.com>
+Date: Tue, 27 Aug 2019 15:27:15 +0200
+Subject: fixed compiler warning
+
+---
+ src/libopensc/asn1.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/src/libopensc/asn1.c b/src/libopensc/asn1.c
+index fd972238..10572292 100644
+--- a/src/libopensc/asn1.c
++++ b/src/libopensc/asn1.c
+@@ -574,15 +574,14 @@ static int decode_bit_string(const u8 * inbuf, size_t inlen, void *outbuf,
+ int zero_bits;
+ size_t octets_left;
+ 
+- if (outlen < octets_left)
+- return SC_ERROR_BUFFER_TOO_SMALL;
+ if (inlen < 1)
+ return SC_ERROR_INVALID_ASN1_OBJECT;
+-
++ memset(outbuf, 0, outlen);
+ zero_bits = *in & 0x07;
+- octets_left = inlen - 1;
+ in++;
+- memset(outbuf, 0, outlen);
++ octets_left = inlen - 1;
++ if (outlen < octets_left)
++ return SC_ERROR_BUFFER_TOO_SMALL;
+ 
+ while (octets_left) {
+ /* 1st octet of input: ABCDEFGH, where A is the MSB */
+--
+2.20.1
+
diff -Nru opensc-0.19.0/debian/patches/0003-Fixed-out-of-bounds-access-in-ASN.1-Octet-string.patch opensc-0.19.0/debian/patches/0003-Fixed-out-of-bounds-access-in-ASN.1-Octet-string.patch
--- opensc-0.19.0/debian/patches/0003-Fixed-out-of-bounds-access-in-ASN.1-Octet-string.patch 1970-01-01 02:00:00.000000000 +0200
+++ opensc-0.19.0/debian/patches/0003-Fixed-out-of-bounds-access-in-ASN.1-Octet-string.patch 2022-01-23 19:32:38.000000000 +0200
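Review bot: With this reordering the `memset(outbuf, 0, outlen)` runs before the `if (outlen < octets_left)` check, so on the SC_ERROR_BUFFER_TOO_SMALL path the caller's buffer has already been cleared; the earlier ordering had the same side effect, but since the check is being moved anyway it can go first. Placing `octets_left = inlen - 1;` and `if (outlen < octets_left) return SC_ERROR_BUFFER_TOO_SMALL;` directly after the `inlen < 1` guard and before the memset keeps the rejected-input path free of side effects, while `*in` is still only read once inlen has been validated. The body of decode_bit_string continues outside the hunk.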
@@ -0,0 +1,26 @@
+From 944ecdcc4b9906810d032d97e882ff4f16f116e2 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorg...@gmail.com>
+Date: Tue, 27 Aug 2019 15:21:46 +0200
+Subject: Fixed out of bounds access in ASN.1 Octet string
+
+Credit to OSS-Fuzz
+---
+ src/libopensc/asn1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/asn1.c b/src/libopensc/asn1.c
+index 10572292..4bcbdc22 100644
+--- a/src/libopensc/asn1.c
++++ b/src/libopensc/asn1.c
+@@ -1466,7 +1466,7 @@ static int asn1_decode_entry(sc_context_t *ctx,struct sc_asn1_entry *entry,
+ 
+ /* Strip off padding zero */
+ if ((entry->flags & SC_ASN1_UNSIGNED)
+- && obj[0] == 0x00 && objlen > 1) {
++ && objlen > 1 && obj[0] == 0x00) {
+ objlen--;
+ obj++;
+ }
+--
+2.20.1
+
diff -Nru opensc-0.19.0/debian/patches/0004-fixed-UNKNOWN-READ.patch opensc-0.19.0/debian/patches/0004-fixed-UNKNOWN-READ.patch
--- opensc-0.19.0/debian/patches/0004-fixed-UNKNOWN-READ.patch 1970-01-01 02:00:00.000000000 +0200
+++ opensc-0.19.0/debian/patches/0004-fixed-UNKNOWN-READ.patch 2022-01-23 19:32:38.000000000 +0200
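Review bot: The swapped condition `objlen > 1 && obj[0] == 0x00` is only safe because of short-circuit evaluation, and nothing in the code records that the operand order matters; a later tidy-up that puts the operands back would reintroduce the read of `obj[0]` on an empty object. I would extend the existing comment to `/* Strip off padding zero; test objlen first, obj[0] is out of bounds when objlen == 0 */`. asn1_decode_entry starts and ends outside the hunk.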
@@ -0,0 +1,27 @@
+From 6d8036d3f516f54936aeae6d138cd34cb7db7f1f Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorg...@gmail.com>
+Date: Sun, 3 Nov 2019 04:45:28 +0100
+Subject: fixed UNKNOWN READ
+
+Reported by OSS-Fuzz
+https://oss-fuzz.com/testcase-detail/5681169970757632
+---
+ src/libopensc/card-setcos.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/card-setcos.c b/src/libopensc/card-setcos.c
+index f0ed4343..2145a0d2 100644
+--- a/src/libopensc/card-setcos.c
++++ b/src/libopensc/card-setcos.c
+@@ -869,7 +869,7 @@ static void parse_sec_attr_44(sc_file_t *file, const u8 *buf, size_t len)
+ }
+ 
+ /* Encryption key present ? */
+- iPinCount = iACLen - 1;
++ iPinCount = iACLen > 0 ? iACLen - 1 : 0;
+ 
+ if (buf[iOffset] & 0x20) {
+ int iSC;
+--
+2.20.1
+
diff -Nru opensc-0.19.0/debian/patches/0005-Heap-buffer-overflow-WRITE.patch opensc-0.19.0/debian/patches/0005-Heap-buffer-overflow-WRITE.patch
--- opensc-0.19.0/debian/patches/0005-Heap-buffer-overflow-WRITE.patch 1970-01-01 02:00:00.000000000 +0200
+++ opensc-0.19.0/debian/patches/0005-Heap-buffer-overflow-WRITE.patch 2022-01-23 19:32:38.000000000 +0200
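Review bot: The new guard `iPinCount = iACLen > 0 ? iACLen - 1 : 0;` only stops the count from going negative; the very next line `if (buf[iOffset] & 0x20)` still indexes `buf` with no comparison against the `len` parameter visible in this hunk. parse_sec_attr_44 starts and ends outside the hunk, so that bound may well be established earlier in the function — it is worth confirming rather than assuming. The guard itself deserves a why-comment, e.g. `/* no access-condition bytes means no PIN entries; never derive a negative count */`, since the ternary otherwise reads as an arbitrary special case.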
@@ -0,0 +1,34 @@
+From 32dded387736eb8eda43ac9f2ea40013f1e7a197 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorg...@gmail.com>
+Date: Thu, 30 Jul 2020 02:21:17 +0200
+Subject: Heap-buffer-overflow WRITE
+
+fixes https://oss-fuzz.com/testcase-detail/5088104168554496
+---
+ src/libopensc/pkcs15-oberthur.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
+index 3415be7c..e3dd9d7d 100644
+--- a/src/libopensc/pkcs15-oberthur.c
++++ b/src/libopensc/pkcs15-oberthur.c
+@@ -267,10 +267,14 @@ sc_oberthur_read_file(struct sc_pkcs15_card *p15card, const char *in_path,
+ }
+ else {
+ int rec;
+- int offs = 0;
+- int rec_len = file->record_length;
++ size_t offs = 0;
++ size_t rec_len = file->record_length;
+ 
+ for (rec = 1; ; rec++) {
++ if (rec > file->record_count) {
++ rv = 0;
++ break;
++ }
+ rv = sc_read_record(card, rec, *out + offs + 2, rec_len, SC_RECORD_BY_REC_NR);
+ if (rv == SC_ERROR_RECORD_NOT_FOUND) {
+ rv = 0;
+--
+2.20.1
+
diff -Nru opensc-0.19.0/debian/patches/0006-fixed-invalid-read.patch opensc-0.19.0/debian/patches/0006-fixed-invalid-read.patch
--- opensc-0.19.0/debian/patches/0006-fixed-invalid-read.patch 1970-01-01 02:00:00.000000000 +0200
+++ opensc-0.19.0/debian/patches/0006-fixed-invalid-read.patch 2022-01-23 19:32:38.000000000 +0200
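Review bot: The new `if (rec > file->record_count)` compares the `int rec` loop counter with `file->record_count`; if record_count is unsigned in this tree (it is `size_t` elsewhere in libopensc — verify for this version), that is a signed/unsigned comparison, and it sits oddly next to the deliberate `int` → `size_t` change made for offs and rec_len in the same hunk. Declaring the counter as `unsigned int rec;` would match the record-number argument of sc_read_record and keep the whole block in unsigned arithmetic. The new break also deserves a why-comment, e.g. `/* never read past the number of records the file declares */`, since the loop still relies on SC_ERROR_RECORD_NOT_FOUND as its other exit. The enclosing sc_oberthur_read_file starts and ends outside the hunk, so how *out is sized against record_count is not visible here.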
@@ -0,0 +1,47 @@
+From 5aad15a731fcc2918179e092e216aa318b851821 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorg...@gmail.com>
+Date: Mon, 18 May 2020 17:25:32 +0200
+Subject: fixed invalid read
+
+fixes https://oss-fuzz.com/testcase-detail/5765246676631552
+---
+ src/libopensc/pkcs15-gemsafeGPK.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-gemsafeGPK.c b/src/libopensc/pkcs15-gemsafeGPK.c
+index f51651f4..30d1dfe6 100644
+--- a/src/libopensc/pkcs15-gemsafeGPK.c
++++ b/src/libopensc/pkcs15-gemsafeGPK.c
+@@ -207,7 +207,7 @@ static int sc_pkcs15emu_gemsafeGPK_init(sc_pkcs15_card_t *p15card)
+ 
+ u8 sysrec[7];
+ int num_keyinfo = 0;
+- keyinfo kinfo[8]; /* will loook for 8 keys */
++ keyinfo kinfo[9]; /* will look for 9 keys */
+ u8 modulus_buf[ 1 + 1024 / 8]; /* tag+modulus */
+ u8 *cp;
+ char buf[256];
+@@ -257,9 +257,9 @@ static int sc_pkcs15emu_gemsafeGPK_init(sc_pkcs15_card_t *p15card)
+ 
+ /* There may be more then one key in the directory. */
+ /* we need to find them so we can associate them with the */
+- /* the certificate. The files are 0007 to 000f */
++ /* the certificate. The files are 0007 to 000F */
+ 
+- for (i = 7; i < 16; i++) {
++ for (i = 0x7; i <= 0xF; i++) {
+ path.value[0] = 0x00;
+ path.value[1] = i;
+ path.len = 2;
+@@ -299,7 +299,7 @@ static int sc_pkcs15emu_gemsafeGPK_init(sc_pkcs15_card_t *p15card)
+ while (j--)
+ *cp++ = modulus_buf[j + 1];
+ num_keyinfo++;
+- }
++ }
+ 
+ /* Get the gemsafe data with the cert */
+ sc_format_path("3F000200004", &path);
+--
+2.20.1
+
diff -Nru opensc-0.19.0/debian/patches/0007-prevent-out-of-bounds-write.patch opensc-0.19.0/debian/patches/0007-prevent-out-of-bounds-write.patch
--- opensc-0.19.0/debian/patches/0007-prevent-out-of-bounds-write.patch 1970-01-01 02:00:00.000000000 +0200
+++ opensc-0.19.0/debian/patches/0007-prevent-out-of-bounds-write.patch 2022-01-23 19:32:38.000000000 +0200
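Review bot: `keyinfo kinfo[9]` and `for (i = 0x7; i <= 0xF; i++)` agree only because two magic numbers were counted by hand, which is exactly how the previous 8-versus-9 mismatch arose. Deriving the array size from the loop bounds, `keyinfo kinfo[0xF - 0x7 + 1]; /* one slot per key file 0007..000F */`, ties the two together so a future change to the range cannot silently reopen the overflow. The store into `kinfo[num_keyinfo]` that `num_keyinfo++` in the third inner hunk follows is outside the hunk; guarding it with `if (num_keyinfo >= (int)(sizeof kinfo / sizeof kinfo[0])) break;` would make the array size a hard bound rather than an assumption about the loop. sc_pkcs15emu_gemsafeGPK_init starts and ends outside the hunk.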
@@ -0,0 +1,26 @@
+From 6f4f45133db2c8c3f74d188a0286304d120526e9 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorg...@gmail.com>
+Date: Thu, 4 Jun 2020 10:04:10 +0200
+Subject: prevent out of bounds write
+
+fixes https://oss-fuzz.com/testcase-detail/5226571123392512
+---
+ src/libopensc/card-tcos.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libopensc/card-tcos.c b/src/libopensc/card-tcos.c
+index f880295a..f8f92bc7 100644
+--- a/src/libopensc/card-tcos.c
++++ b/src/libopensc/card-tcos.c
+@@ -628,6 +628,8 @@ static int tcos_decipher(sc_card_t *card, const u8 * crgram, size_t crgram_len,
+ apdu.data = sbuf;
+ apdu.lc = apdu.datalen = crgram_len+1;
+ sbuf[0] = tcos3 ? 0x00 : ((data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) ? 0x81 : 0x02);
++ if (sizeof sbuf - 1 < crgram_len)
++ return SC_ERROR_INVALID_ARGUMENTS;
+ memcpy(sbuf+1, crgram, crgram_len);
+ 
+ r = sc_transmit_apdu(card, &apdu);
+--
+2.20.1
+
diff -Nru opensc-0.19.0/debian/patches/0008-coolkey-Make-sure-the-object-ID-is-unique-when-filli.patch opensc-0.19.0/debian/patches/0008-coolkey-Make-sure-the-object-ID-is-unique-when-filli.patch
--- opensc-0.19.0/debian/patches/0008-coolkey-Make-sure-the-object-ID-is-unique-when-filli.patch 1970-01-01 02:00:00.000000000 +0200
+++ opensc-0.19.0/debian/patches/0008-coolkey-Make-sure-the-object-ID-is-unique-when-filli.patch 2022-01-23 19:32:38.000000000 +0200
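Review bot: The new length check is placed after `apdu.lc = apdu.datalen = crgram_len+1;` and the `sbuf[0]` assignment, so the APDU is partly populated before the oversized input is rejected; harmless on this early return, but a bounds check reads more naturally before any of the data it guards is used. Moving `if (sizeof sbuf - 1 < crgram_len) return SC_ERROR_INVALID_ARGUMENTS;` above `apdu.data = sbuf;` (or to the start of tcos_decipher, whose body begins outside the hunk) keeps the rejected-input path side-effect free. Whether a bare `return` here skips any logging or cleanup convention the rest of the function follows is not visible in the hunk and worth a look.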
@@ -0,0 +1,31 @@
+From b13c11ee1838a1d68962b9c5a92c3c06fc02fa40 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jje...@redhat.com>
+Date: Wed, 4 Dec 2019 15:54:43 +0100
+Subject: coolkey: Make sure the object ID is unique when filling list
+
+Thanks to oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19208
+---
+ src/libopensc/card-coolkey.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/libopensc/card-coolkey.c b/src/libopensc/card-coolkey.c
+index b97559cc..e5fd3795 100644
+--- a/src/libopensc/card-coolkey.c
++++ b/src/libopensc/card-coolkey.c
+@@ -1956,6 +1956,11 @@ coolkey_add_object(coolkey_private_data_t *priv, unsigned long object_id, const
+ new_object.id = object_id;
+ new_object.length = object_length;
+ 
++ /* The object ID needs to be unique */
++ if (coolkey_find_object_by_id(&priv->objects_list, object_id) != NULL) {
++ return SC_ERROR_INTERNAL;
++ }
++
+ if (object_data) {
+ new_object.data = malloc(object_length + add_v1_record);
+ if (new_object.data == NULL) {
+--
+2.20.1
+
diff -Nru opensc-0.19.0/debian/patches/series opensc-0.19.0/debian/patches/series
--- opensc-0.19.0/debian/patches/series 1970-01-01 02:00:00.000000000 +0200
+++ opensc-0.19.0/debian/patches/series 2022-01-23 19:32:38.000000000 +0200
@@ -0,0 +1,8 @@
+0001-fixed-out-of-bounds-access-of-ASN.1-Bitstring.patch
+0002-fixed-compiler-warning.patch
+0003-Fixed-out-of-bounds-access-in-ASN.1-Octet-string.patch
+0004-fixed-UNKNOWN-READ.patch
+0005-Heap-buffer-overflow-WRITE.patch
+0006-fixed-invalid-read.patch
+0007-prevent-out-of-bounds-write.patch
+0008-coolkey-Make-sure-the-object-ID-is-unique-when-filli.patch
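Review bot: The duplicate-ID check reports a malformed object list coming from the card as SC_ERROR_INTERNAL, which reads as a driver bug rather than bad card data, and the comment `/* The object ID needs to be unique */` says only what is enforced, not why. The changelog on this page ties this patch to a double free (CVE-2019-20792), so the comment should carry that reason: `/* The object ID needs to be unique; a duplicate entry led to a double free (CVE-2019-20792) */`. Whether a data-error code would suit callers better than SC_ERROR_INTERNAL depends on how coolkey_add_object's result is handled, which lies outside the hunk.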