Package: release.debian.org
Control: affects -1 + src:opensc
X-Debbugs-Cc: ope...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package opensc.

[ Reason ]
Fixes CVE-2023-2977.

[ Risks ]
None.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock opensc/0.23.0-0.3
diff -Nru opensc-0.23.0/debian/changelog opensc-0.23.0/debian/changelog
--- opensc-0.23.0/debian/changelog      2023-02-13 17:13:20.000000000 +0100
+++ opensc-0.23.0/debian/changelog      2023-06-01 22:30:18.000000000 +0200
@@ -1,3 +1,10 @@
+opensc (0.23.0-0.3) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2023-2977 with upstream patch.
+
+ -- Bastian Germann <b...@debian.org>  Thu, 01 Jun 2023 22:30:18 +0200
+
 opensc (0.23.0-0.2) unstable; urgency=medium
 
   * Non-maintainer upload
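Review bot: the new 0.23.0-0.3 changelog entry names only the CVE id, not the affected code or the patch that carries the fix. Naming both, for example "Fix CVE-2023-2977 (buffer overrun in pkcs15init cardos_have_verifyrc_package) with upstream patch 0004-pkcs15init-correct-left-length-calculation.patch", lets someone reading only the changelog tell what was touched.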
diff -Nru 
opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch
 
opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch
--- 
opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch
  1970-01-01 01:00:00.000000000 +0100
+++ 
opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch
  2023-06-01 22:30:18.000000000 +0200
@@ -0,0 +1,57 @@
+Origin: 
https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a
+From: fullwaywang <fullwayw...@tencent.com>
+Date: Mon, 29 May 2023 10:38:48 +0800
+Subject: pkcs15init: correct left length calculation to fix buffer overrun bug.
+ Fixes #2785
+
+From https://github.com/OpenSC/OpenSC/issues/2785:
+The newly found issue exists in pkcs15-init module. Like the original bug in 
libopensc,
+cardos_have_verifyrc_package in pkcs15-cardos.c scans an ans1 buffer for 2 
tags.
+The pointer p is moved after each sc_asn1_find_tag invocation,
+which results in the miscalculation of the length of left bytes in buffer
+and hence reading beyond the end of the buffer.
+
+CVE-2023-2977 was assigned for this issue.
+---
+ src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
+index 9715cf390f..f41f73c349 100644
+--- a/src/pkcs15init/pkcs15-cardos.c
++++ b/src/pkcs15init/pkcs15-cardos.c
+@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+       sc_apdu_t apdu;
+         u8        rbuf[SC_MAX_APDU_BUFFER_SIZE];
+         int       r;
+-      const u8  *p = rbuf, *q;
++      const u8  *p = rbuf, *q, *pp;
+       size_t    len, tlen = 0, ilen = 0;
+ 
+       sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
+@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+               return 0;
+ 
+       while (len != 0) {
+-              p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+-              if (p == NULL)
++              pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
++              if (pp == NULL)
+                       return 0;
+               if (card->type == SC_CARD_TYPE_CARDOS_M4_3)     {
+                       /* the verifyRC package on CardOS 4.3B use Manufacturer 
ID 0x01 */
+                       /* and Package Number 0x07                              
        */
+-                      q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
++                      q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
+                       if (q == NULL || ilen != 4)
+                               return 0;
+                       if (q[0] == 0x07)
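Review bot: in the `while (len != 0)` loop, p is no longer reassigned by sc_asn1_find_tag, so progress through rbuf now depends entirely on statements that fall outside this hunk's context. len is declared size_t and the loop stops only when it is exactly 0. It is worth checking in the full file that the statements advancing p and decrementing len stay in step with each other and can never subtract more than len holds, since a wrapped len would keep the scan running past rbuf. Quoting the loop tail in the request would make that checkable from the debdiff alone.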
+@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+               } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4)      {
+                       /* the verifyRC package on CardOS 4.4 use Manufacturer 
ID 0x03  */
+                       /* and Package Number 0x02                              
        */
+-                      q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
++                      q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
+                       if (q == NULL || ilen != 4)
+                               return 0;
+                       if (q[0] == 0x02)
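Review bot: in both card-type branches, `if (q == NULL || ilen != 4) return 0;` ends the scan at the first 0xe1 entry that lacks the expected inner tag, so later entries in rbuf are never examined. The patch does not change this, but since it reworks the loop to search each entry through pp, it is worth confirming with upstream whether a non-matching entry should skip to the next 0xe1 entry instead of returning.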
diff -Nru opensc-0.23.0/debian/patches/series 
opensc-0.23.0/debian/patches/series
--- opensc-0.23.0/debian/patches/series 2023-02-13 17:13:04.000000000 +0100
+++ opensc-0.23.0/debian/patches/series 2023-06-01 22:30:18.000000000 +0200
@@ -1,3 +1,4 @@
 0001-Use-sysconfdir-opensc-for-opensc.conf.patch
 0002-Fix-private-key-import.patch
 0003-Log-OpenSSL-errors.patch
+0004-pkcs15init-correct-left-length-calculation.patch
