Bug#856721: unblock: libcacard/1:2.5.0-3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libcacard

It includes a security fix - #856501, CVE-2017-6414,
and another bugfix pulled from upstream.

unblock libcacard/1:2.5.0-3

diff -Nru libcacard-2.5.0/debian/changelog libcacard-2.5.0/debian/changelog
--- libcacard-2.5.0/debian/changelog	2015-11-07 13:03:01.000000000 +0300
+++ libcacard-2.5.0/debian/changelog	2017-03-04 11:57:45.000000000 +0300
@@ -1,3 +1,11 @@
+libcacard (1:2.5.0-3) unstable; urgency=high
+
+  * smartcard-fix-memory-leak-in-vcard_apdu_new-CVE-2017-6414.patch
+    Closes: #856501, CVE-2017-6414
+  * dont-fail-if-caller-didn-t-pick-previous-response.patch
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Sat, 04 Mar 2017 11:57:23 +0300
+
 libcacard (1:2.5.0-2) unstable; urgency=medium
 
   * add remove-requires.private.patch to remove Requires.private
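Review bot: the two new entries for 1:2.5.0-3 give only patch file names, so the changelog does not say what dont-fail-if-caller-didn-t-pick-previous-response.patch changes or why it belongs in an urgency=high upload. Add a one-line description to each entry, and put the CVE id in the description text rather than inside the "Closes:" list, which is meant for bug numbers.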
diff -Nru libcacard-2.5.0/debian/patches/dont-fail-if-caller-didn-t-pick-previous-response.patch libcacard-2.5.0/debian/patches/dont-fail-if-caller-didn-t-pick-previous-response.patch
--- libcacard-2.5.0/debian/patches/dont-fail-if-caller-didn-t-pick-previous-response.patch	1970-01-01 03:00:00.000000000 +0300
+++ libcacard-2.5.0/debian/patches/dont-fail-if-caller-didn-t-pick-previous-response.patch	2017-03-04 11:57:07.000000000 +0300
@@ -0,0 +1,47 @@
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 12 Aug 2016 11:31:37 +0200
+Subject: Do not fail, if the caller didn't pick up response from previous call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Commit-Id: ad591057c301d3120c3f7e5a5826342c8bf523bc
+
+During our testing of a new CAC driver in OpenSC, with this library, we
+encountered a problem with |libcacard| failing and the driver returning
+only a fraction of the requested objects.
+
+The problem is that the Emulator wants to return the data (properly
+signalized by 61 (RESPONSE BYTES) in SW1), but this is ignored for some
+reason in some of our calls from OpenSC. The Emulator should not fail
+hard for the next independent request, rather silently drop the buffer
+and serve the ongoing APDU request (I would left for consideration to
+somehow log such problem).
+
+Patch was successfully tested on Fedora 24 host and solves our problem
+(though we worked around the problem already in the driver too).
+
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+---
+ src/card_7816.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/card_7816.c b/src/card_7816.c
+index 8b12689..b598ef9 100644
+--- a/src/card_7816.c
++++ b/src/card_7816.c
+@@ -732,11 +732,9 @@ vcard_process_apdu(VCard *card, VCardAPDU *apdu, VCardResponse **response)
+     }
+     buffer_response = vcard_get_buffer_response(card);
+     if (buffer_response && apdu->a_ins != VCARD7816_INS_GET_RESPONSE) {
+-        /* clear out buffer_response, return an error */
++        /* clear out buffer_response, do not return an error */
+         vcard_set_buffer_response(card, NULL);
+         vcard_buffer_response_delete(buffer_response);
+-        *response = vcard_make_response(VCARD7816_STATUS_EXC_ERROR);
+-        return VCARD_DONE;
+     }
+ 
+     status = vcard_process_applet_apdu(card, apdu, response);
+-- 
+2.1.4
+
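Review bot: in the buffer_response branch of vcard_process_apdu the pending response is now discarded with no trace when an APDU other than GET RESPONSE arrives, and the commit message itself leaves logging "for consideration". A debug or warning message in this branch would make a caller that never picks up its response diagnosable, since the dropped data is otherwise lost silently. The ordering inside the branch is fine: the buffer is detached with vcard_set_buffer_response(card, NULL) before vcard_buffer_response_delete(buffer_response), so the card keeps no pointer to freed memory.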
diff -Nru libcacard-2.5.0/debian/patches/series libcacard-2.5.0/debian/patches/series
--- libcacard-2.5.0/debian/patches/series	2015-11-07 12:50:06.000000000 +0300
+++ libcacard-2.5.0/debian/patches/series	2017-03-04 11:57:07.000000000 +0300
@@ -1 +1,3 @@
 remove-requires.private.patch
+smartcard-fix-memory-leak-in-vcard_apdu_new-CVE-2017-6414.patch
+dont-fail-if-caller-didn-t-pick-previous-response.patch
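Review bot: the series lists the CVE-2017-6414 patch before dont-fail-if-caller-didn-t-pick-previous-response.patch, but the index lines in the two patches (8b12689..b598ef9, then b598ef9..0082504) show the CVE fix was generated on top of the other change. The hunks touch different functions in src/card_7816.c (vcard_apdu_new at line 341, vcard_process_apdu at line 732), so both should still apply, but listing them in upstream order would match the upstream history and avoid offset or fuzz surprises.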
diff -Nru libcacard-2.5.0/debian/patches/smartcard-fix-memory-leak-in-vcard_apdu_new-CVE-2017-6414.patch libcacard-2.5.0/debian/patches/smartcard-fix-memory-leak-in-vcard_apdu_new-CVE-2017-6414.patch
--- libcacard-2.5.0/debian/patches/smartcard-fix-memory-leak-in-vcard_apdu_new-CVE-2017-6414.patch	1970-01-01 03:00:00.000000000 +0300
+++ libcacard-2.5.0/debian/patches/smartcard-fix-memory-leak-in-vcard_apdu_new-CVE-2017-6414.patch	2017-03-04 11:56:50.000000000 +0300
@@ -0,0 +1,40 @@
+From: Li Qiang <liq3ea@gmail.com>
+Date: Tue, 21 Feb 2017 22:34:20 -0800
+Subject: smartcard: fix memory leak in vcard_apdu_new
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Commit-Id: 9113dc6a303604a2d9812ac70c17d076ef11886c
+Bug-Debian: http://bugs.debian.org/856501
+
+In the error path, 'new_apdu->a_data' is not freed.
+This can be triggered by the guest continuely.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+---
+ src/card_7816.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/card_7816.c b/src/card_7816.c
+index b598ef9..0082504 100644
+--- a/src/card_7816.c
++++ b/src/card_7816.c
+@@ -341,12 +341,12 @@ vcard_apdu_new(unsigned char *raw_apdu, int len, vcard_7816_status_t *status)
+     new_apdu->a_len = len;
+     *status = vcard_apdu_set_class(new_apdu);
+     if (*status != VCARD7816_STATUS_SUCCESS) {
+-        g_free(new_apdu);
++        vcard_apdu_delete(new_apdu);
+         return NULL;
+     }
+     *status = vcard_apdu_set_length(new_apdu);
+     if (*status != VCARD7816_STATUS_SUCCESS) {
+-        g_free(new_apdu);
++        vcard_apdu_delete(new_apdu);
+         new_apdu = NULL;
+     }
+     return new_apdu;
+-- 
+2.1.4
+
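Review bot: both error paths in vcard_apdu_new now call vcard_apdu_delete(new_apdu), whose body is not part of this hunk, so the fix rests on that function freeing new_apdu->a_data and coping with an APDU whose class or length was not set successfully; worth confirming that before the upload. As a style point, the first error path returns NULL directly while the second sets new_apdu = NULL and falls through to the final return; giving both paths the same shape would make it easier to check that every failure exit releases the APDU.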

