
Bug#1004261: marked as done (buster-pu: package opensc/0.19.0-1+deb10u1)



Your message dated Sat, 26 Mar 2022 12:02:22 +0000
with message-id <540de30a27d37c3ff416b94b1adf7ff2a2cab257.camel@adam-barratt.org.uk>
and subject line Closing requests for updates in 10.12
has caused the Debian Bug report #1004261,
regarding buster-pu: package opensc/0.19.0-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1004261: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004261
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Debian OpenSC Maintainers <pkg-opensc-maint@lists.alioth.debian.org>, team@security.debian.org

  * CVE-2019-15945: Out-of-bounds access of an ASN.1 Bitstring.
    (Closes: #939668)
  * CVE-2019-15946: Out-of-bounds access of an ASN.1 Octet string.
    (Closes: #939669)
  * CVE-2019-19479: Incorrect read operation in the Setec driver.
    (Closes: #947383)
  * CVE-2019-20792: Double free in the Coolkey driver.
  * CVE-2020-26570: Heap-based buffer overflow in the Oberthur driver.
    (Closes: #972037)
  * CVE-2020-26571: Stack-based buffer overflow in the GPK driver.
    (Closes: #972036)
  * CVE-2020-26572: Stack-based buffer overflow in the TCOS driver.
    (Closes: #972035)
diff -Nru opensc-0.19.0/debian/changelog opensc-0.19.0/debian/changelog
--- opensc-0.19.0/debian/changelog	2018-09-30 23:26:03.000000000 +0300
+++ opensc-0.19.0/debian/changelog	2022-01-23 19:32:38.000000000 +0200
@@ -1,3 +1,22 @@
+opensc (0.19.0-1+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2019-15945: Out-of-bounds access of an ASN.1 Bitstring.
+    (Closes: #939668)
+  * CVE-2019-15946: Out-of-bounds access of an ASN.1 Octet string.
+    (Closes: #939669)
+  * CVE-2019-19479: Incorrect read operation in the Setec driver.
+    (Closes: #947383)
+  * CVE-2019-20792: Double free in the Coolkey driver.
+  * CVE-2020-26570: Heap-based buffer overflow in the Oberthur driver.
+    (Closes: #972037)
+  * CVE-2020-26571: Stack-based buffer overflow in the GPK driver.
+    (Closes: #972036)
+  * CVE-2020-26572: Stack-based buffer overflow in the TCOS driver.
+    (Closes: #972035)
+
+ -- Adrian Bunk <bunk@debian.org>  Sun, 23 Jan 2022 19:32:38 +0200
+
 opensc (0.19.0-1) unstable; urgency=medium
 
   * New upstream release (Closes: 908363, 909444)
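Review bot: The CVE-2019-20792 entry in the new changelog stanza is the only one without a (Closes: #...) reference, and none of the entries name the patch file that carries the fix. Add the bug number if one exists, or say that there is none, and consider listing the patch per CVE so that 0002-fixed-compiler-warning.patch, which has no entry of its own, is accounted for.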
diff -Nru opensc-0.19.0/debian/patches/0001-fixed-out-of-bounds-access-of-ASN.1-Bitstring.patch opensc-0.19.0/debian/patches/0001-fixed-out-of-bounds-access-of-ASN.1-Bitstring.patch
--- opensc-0.19.0/debian/patches/0001-fixed-out-of-bounds-access-of-ASN.1-Bitstring.patch	1970-01-01 02:00:00.000000000 +0200
+++ opensc-0.19.0/debian/patches/0001-fixed-out-of-bounds-access-of-ASN.1-Bitstring.patch	2022-01-23 19:32:38.000000000 +0200
@@ -0,0 +1,42 @@
+From 0509b2f61ca948312a15d18712a130f7bffd512e Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Tue, 27 Aug 2019 15:17:17 +0200
+Subject: fixed out of bounds access of ASN.1 Bitstring
+
+Credit to OSS-Fuzz
+---
+ src/libopensc/asn1.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/libopensc/asn1.c b/src/libopensc/asn1.c
+index 3262ed80..fd972238 100644
+--- a/src/libopensc/asn1.c
++++ b/src/libopensc/asn1.c
+@@ -570,16 +570,20 @@ static int decode_bit_string(const u8 * inbuf, size_t inlen, void *outbuf,
+ {
+ 	const u8 *in = inbuf;
+ 	u8 *out = (u8 *) outbuf;
+-	int zero_bits = *in & 0x07;
+-	size_t octets_left = inlen - 1;
+ 	int i, count = 0;
++	int zero_bits;
++	size_t octets_left;
+ 
+-	memset(outbuf, 0, outlen);
+-	in++;
+ 	if (outlen < octets_left)
+ 		return SC_ERROR_BUFFER_TOO_SMALL;
+ 	if (inlen < 1)
+ 		return SC_ERROR_INVALID_ASN1_OBJECT;
++
++	zero_bits = *in & 0x07;
++	octets_left = inlen - 1;
++	in++;
++	memset(outbuf, 0, outlen);
++
+ 	while (octets_left) {
+ 		/* 1st octet of input:  ABCDEFGH, where A is the MSB */
+ 		/* 1st octet of output: HGFEDCBA, where A is the LSB */
+-- 
+2.20.1
+
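Review bot: In decode_bit_string as left by this patch, "if (outlen < octets_left)" still runs before "octets_left = inlen - 1;", so the size check compares against an uninitialized variable. The dereference of *in is correctly moved behind the inlen < 1 check, but the patch is only safe together with 0002, which moves the assignment above the comparison. Fold the two together or state the dependency in the patch header.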
diff -Nru opensc-0.19.0/debian/patches/0002-fixed-compiler-warning.patch opensc-0.19.0/debian/patches/0002-fixed-compiler-warning.patch
--- opensc-0.19.0/debian/patches/0002-fixed-compiler-warning.patch	1970-01-01 02:00:00.000000000 +0200
+++ opensc-0.19.0/debian/patches/0002-fixed-compiler-warning.patch	2022-01-23 19:32:38.000000000 +0200
@@ -0,0 +1,36 @@
+From 28869a7bd4fd928b498638fff27b76b56e58f4d6 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Tue, 27 Aug 2019 15:27:15 +0200
+Subject: fixed compiler warning
+
+---
+ src/libopensc/asn1.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/src/libopensc/asn1.c b/src/libopensc/asn1.c
+index fd972238..10572292 100644
+--- a/src/libopensc/asn1.c
++++ b/src/libopensc/asn1.c
+@@ -574,15 +574,14 @@ static int decode_bit_string(const u8 * inbuf, size_t inlen, void *outbuf,
+ 	int zero_bits;
+ 	size_t octets_left;
+ 
+-	if (outlen < octets_left)
+-		return SC_ERROR_BUFFER_TOO_SMALL;
+ 	if (inlen < 1)
+ 		return SC_ERROR_INVALID_ASN1_OBJECT;
+-
++	memset(outbuf, 0, outlen);
+ 	zero_bits = *in & 0x07;
+-	octets_left = inlen - 1;
+ 	in++;
+-	memset(outbuf, 0, outlen);
++	octets_left = inlen - 1;
++	if (outlen < octets_left)
++		return SC_ERROR_BUFFER_TOO_SMALL;
+ 
+ 	while (octets_left) {
+ 		/* 1st octet of input:  ABCDEFGH, where A is the MSB */
+-- 
+2.20.1
+
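Review bot: The subject "fixed compiler warning" hides that this change is functional: it is what makes the "outlen < octets_left" check operate on an initialized value, so it belongs to the CVE-2019-15945 fix and the patch description should say so. Note also that memset(outbuf, 0, outlen) runs ahead of the SC_ERROR_BUFFER_TOO_SMALL return, so the caller's buffer is cleared on that error path too; fine if intended, but worth a line in the description.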
diff -Nru opensc-0.19.0/debian/patches/0003-Fixed-out-of-bounds-access-in-ASN.1-Octet-string.patch opensc-0.19.0/debian/patches/0003-Fixed-out-of-bounds-access-in-ASN.1-Octet-string.patch
--- opensc-0.19.0/debian/patches/0003-Fixed-out-of-bounds-access-in-ASN.1-Octet-string.patch	1970-01-01 02:00:00.000000000 +0200
+++ opensc-0.19.0/debian/patches/0003-Fixed-out-of-bounds-access-in-ASN.1-Octet-string.patch	2022-01-23 19:32:38.000000000 +0200
@@ -0,0 +1,26 @@
+From 944ecdcc4b9906810d032d97e882ff4f16f116e2 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Tue, 27 Aug 2019 15:21:46 +0200
+Subject: Fixed out of bounds access in ASN.1 Octet string
+
+Credit to OSS-Fuzz
+---
+ src/libopensc/asn1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/asn1.c b/src/libopensc/asn1.c
+index 10572292..4bcbdc22 100644
+--- a/src/libopensc/asn1.c
++++ b/src/libopensc/asn1.c
+@@ -1466,7 +1466,7 @@ static int asn1_decode_entry(sc_context_t *ctx,struct sc_asn1_entry *entry,
+ 
+ 			/* Strip off padding zero */
+ 			if ((entry->flags & SC_ASN1_UNSIGNED)
+-			 && obj[0] == 0x00 && objlen > 1) {
++					&& objlen > 1 && obj[0] == 0x00) {
+ 				objlen--;
+ 				obj++;
+ 			}
+-- 
+2.20.1
+
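Review bot: The fix depends entirely on operand order in the condition, with "objlen > 1" now evaluated before "obj[0] == 0x00", and nothing in the code says so. Add a short comment that the length test must come first, so a later cleanup does not reorder it back. The continuation line also gained two tabs of indentation compared with the line it replaces; keeping the original alignment would hold the stable diff to the one functional change.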
diff -Nru opensc-0.19.0/debian/patches/0004-fixed-UNKNOWN-READ.patch opensc-0.19.0/debian/patches/0004-fixed-UNKNOWN-READ.patch
--- opensc-0.19.0/debian/patches/0004-fixed-UNKNOWN-READ.patch	1970-01-01 02:00:00.000000000 +0200
+++ opensc-0.19.0/debian/patches/0004-fixed-UNKNOWN-READ.patch	2022-01-23 19:32:38.000000000 +0200
@@ -0,0 +1,27 @@
+From 6d8036d3f516f54936aeae6d138cd34cb7db7f1f Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Sun, 3 Nov 2019 04:45:28 +0100
+Subject: fixed  UNKNOWN READ
+
+Reported by OSS-Fuzz
+https://oss-fuzz.com/testcase-detail/5681169970757632
+---
+ src/libopensc/card-setcos.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/card-setcos.c b/src/libopensc/card-setcos.c
+index f0ed4343..2145a0d2 100644
+--- a/src/libopensc/card-setcos.c
++++ b/src/libopensc/card-setcos.c
+@@ -869,7 +869,7 @@ static void parse_sec_attr_44(sc_file_t *file, const u8 *buf, size_t len)
+ 			}
+ 
+ 			/* Encryption key present ? */
+-			iPinCount = iACLen - 1;		
++			iPinCount = iACLen > 0 ? iACLen - 1 : 0;
+ 
+ 			if (buf[iOffset] & 0x20) {
+ 				int iSC;
+-- 
+2.20.1
+
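Review bot: Clamping iPinCount to 0 when iACLen is 0 stops the count from going negative, but the very next statement reads buf[iOffset], and the visible context shows no check of iOffset against len. If that bound is enforced earlier in parse_sec_attr_44, say so in the patch description; otherwise add an explicit "iOffset < len" test before the read.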
diff -Nru opensc-0.19.0/debian/patches/0005-Heap-buffer-overflow-WRITE.patch opensc-0.19.0/debian/patches/0005-Heap-buffer-overflow-WRITE.patch
--- opensc-0.19.0/debian/patches/0005-Heap-buffer-overflow-WRITE.patch	1970-01-01 02:00:00.000000000 +0200
+++ opensc-0.19.0/debian/patches/0005-Heap-buffer-overflow-WRITE.patch	2022-01-23 19:32:38.000000000 +0200
@@ -0,0 +1,34 @@
+From 32dded387736eb8eda43ac9f2ea40013f1e7a197 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Thu, 30 Jul 2020 02:21:17 +0200
+Subject: Heap-buffer-overflow WRITE
+
+fixes https://oss-fuzz.com/testcase-detail/5088104168554496
+---
+ src/libopensc/pkcs15-oberthur.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
+index 3415be7c..e3dd9d7d 100644
+--- a/src/libopensc/pkcs15-oberthur.c
++++ b/src/libopensc/pkcs15-oberthur.c
+@@ -267,10 +267,14 @@ sc_oberthur_read_file(struct sc_pkcs15_card *p15card, const char *in_path,
+ 	}
+ 	else	{
+ 		int rec;
+-		int offs = 0;
+-		int rec_len = file->record_length;
++		size_t offs = 0;
++		size_t rec_len = file->record_length;
+ 
+ 		for (rec = 1; ; rec++)   {
++			if (rec > file->record_count) {
++				rv = 0;
++				break;
++			}
+ 			rv = sc_read_record(card, rec, *out + offs + 2, rec_len, SC_RECORD_BY_REC_NR);
+ 			if (rv == SC_ERROR_RECORD_NOT_FOUND)   {
+ 				rv = 0;
+-- 
+2.20.1
+
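Review bot: The new "rec > file->record_count" guard bounds the number of iterations, but the write target "*out + offs + 2" with length rec_len is still not compared against the size of the buffer behind *out in the lines shown. The fix therefore relies on record_count and record_length matching the allocation made earlier; an explicit check of offs + 2 + rec_len against that size inside the loop would not depend on that. Also, rec stays an int while offs and rec_len became size_t, so check the type of record_count to make sure the comparison does not mix signedness.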
diff -Nru opensc-0.19.0/debian/patches/0006-fixed-invalid-read.patch opensc-0.19.0/debian/patches/0006-fixed-invalid-read.patch
--- opensc-0.19.0/debian/patches/0006-fixed-invalid-read.patch	1970-01-01 02:00:00.000000000 +0200
+++ opensc-0.19.0/debian/patches/0006-fixed-invalid-read.patch	2022-01-23 19:32:38.000000000 +0200
@@ -0,0 +1,47 @@
+From 5aad15a731fcc2918179e092e216aa318b851821 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Mon, 18 May 2020 17:25:32 +0200
+Subject: fixed invalid read
+
+fixes https://oss-fuzz.com/testcase-detail/5765246676631552
+---
+ src/libopensc/pkcs15-gemsafeGPK.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-gemsafeGPK.c b/src/libopensc/pkcs15-gemsafeGPK.c
+index f51651f4..30d1dfe6 100644
+--- a/src/libopensc/pkcs15-gemsafeGPK.c
++++ b/src/libopensc/pkcs15-gemsafeGPK.c
+@@ -207,7 +207,7 @@ static int sc_pkcs15emu_gemsafeGPK_init(sc_pkcs15_card_t *p15card)
+ 
+ 	u8 sysrec[7];
+ 	int num_keyinfo = 0;
+-	keyinfo kinfo[8]; /* will loook for 8 keys */
++	keyinfo kinfo[9]; /* will look for 9 keys */
+ 	u8 modulus_buf[ 1 + 1024 / 8]; /* tag+modulus */
+ 	u8 *cp;
+ 	char buf[256];
+@@ -257,9 +257,9 @@ static int sc_pkcs15emu_gemsafeGPK_init(sc_pkcs15_card_t *p15card)
+ 
+ 	/* There may be more then one key in the directory. */
+ 	/* we need to find them so we can associate them with the */
+-	/* the certificate.  The files are 0007 to 000f */
++	/* the certificate.  The files are 0007 to 000F */
+ 
+-	for (i = 7; i < 16; i++) {
++	for (i = 0x7; i <= 0xF; i++) {
+ 		path.value[0] = 0x00;
+ 		path.value[1] = i;
+ 		path.len = 2;	
+@@ -299,7 +299,7 @@ static int sc_pkcs15emu_gemsafeGPK_init(sc_pkcs15_card_t *p15card)
+ 		while (j--) 
+ 			*cp++ =  modulus_buf[j + 1];
+ 		num_keyinfo++;
+-	} 
++	}
+ 
+ 	/* Get the gemsafe data with the cert */
+ 	 sc_format_path("3F000200004", &path);
+-- 
+2.20.1
+
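Review bot: kinfo[9] and the loop "for (i = 0x7; i <= 0xF; i++)" are tied together only by their comments, and num_keyinfo++ is still not checked against the array size in the lines shown. Derive both from one constant, or test num_keyinfo against sizeof kinfo / sizeof kinfo[0] before filling an entry, so that a future change to the file range cannot reintroduce the overflow. The third hunk only strips trailing whitespace after the closing brace and could be dropped from a stable update.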
diff -Nru opensc-0.19.0/debian/patches/0007-prevent-out-of-bounds-write.patch opensc-0.19.0/debian/patches/0007-prevent-out-of-bounds-write.patch
--- opensc-0.19.0/debian/patches/0007-prevent-out-of-bounds-write.patch	1970-01-01 02:00:00.000000000 +0200
+++ opensc-0.19.0/debian/patches/0007-prevent-out-of-bounds-write.patch	2022-01-23 19:32:38.000000000 +0200
@@ -0,0 +1,26 @@
+From 6f4f45133db2c8c3f74d188a0286304d120526e9 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Thu, 4 Jun 2020 10:04:10 +0200
+Subject: prevent out of bounds write
+
+fixes https://oss-fuzz.com/testcase-detail/5226571123392512
+---
+ src/libopensc/card-tcos.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libopensc/card-tcos.c b/src/libopensc/card-tcos.c
+index f880295a..f8f92bc7 100644
+--- a/src/libopensc/card-tcos.c
++++ b/src/libopensc/card-tcos.c
+@@ -628,6 +628,8 @@ static int tcos_decipher(sc_card_t *card, const u8 * crgram, size_t crgram_len,
+ 	apdu.data = sbuf;
+ 	apdu.lc = apdu.datalen = crgram_len+1;
+ 	sbuf[0] = tcos3 ? 0x00 : ((data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) ? 0x81 : 0x02);
++	if (sizeof sbuf - 1 < crgram_len)
++		return SC_ERROR_INVALID_ARGUMENTS;
+ 	memcpy(sbuf+1, crgram, crgram_len);
+ 
+ 	r = sc_transmit_apdu(card, &apdu);
+-- 
+2.20.1
+
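Review bot: The length check "sizeof sbuf - 1 < crgram_len" sits after "apdu.lc = apdu.datalen = crgram_len+1;" and after the write to sbuf[0], so the apdu fields already carry the oversized length when the function returns SC_ERROR_INVALID_ARGUMENTS. That is harmless as long as apdu is not used after the return, but validating crgram_len before any apdu setup would be clearer and leaves no half-initialized state behind.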
diff -Nru opensc-0.19.0/debian/patches/0008-coolkey-Make-sure-the-object-ID-is-unique-when-filli.patch opensc-0.19.0/debian/patches/0008-coolkey-Make-sure-the-object-ID-is-unique-when-filli.patch
--- opensc-0.19.0/debian/patches/0008-coolkey-Make-sure-the-object-ID-is-unique-when-filli.patch	1970-01-01 02:00:00.000000000 +0200
+++ opensc-0.19.0/debian/patches/0008-coolkey-Make-sure-the-object-ID-is-unique-when-filli.patch	2022-01-23 19:32:38.000000000 +0200
@@ -0,0 +1,31 @@
+From b13c11ee1838a1d68962b9c5a92c3c06fc02fa40 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 4 Dec 2019 15:54:43 +0100
+Subject: coolkey: Make sure the object ID is unique when filling list
+
+Thanks to oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19208
+---
+ src/libopensc/card-coolkey.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/libopensc/card-coolkey.c b/src/libopensc/card-coolkey.c
+index b97559cc..e5fd3795 100644
+--- a/src/libopensc/card-coolkey.c
++++ b/src/libopensc/card-coolkey.c
+@@ -1956,6 +1956,11 @@ coolkey_add_object(coolkey_private_data_t *priv, unsigned long object_id, const
+ 	new_object.id = object_id;
+ 	new_object.length = object_length;
+ 
++	/* The object ID needs to be unique */
++	if (coolkey_find_object_by_id(&priv->objects_list, object_id) != NULL) {
++		return SC_ERROR_INTERNAL;
++	}
++
+ 	if (object_data) {
+ 		new_object.data = malloc(object_length + add_v1_record);
+ 		if (new_object.data == NULL) {
+-- 
+2.20.1
+
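Review bot: Returning SC_ERROR_INTERNAL for a duplicate object_id reports a library fault when the condition is caused by data supplied by the card; an error code that says the card data is invalid would help anyone diagnosing a rejected token. The patch description also does not say how a repeated ID leads to the double free named in the changelog (CVE-2019-20792); one sentence on that would make the backport easier to audit.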
diff -Nru opensc-0.19.0/debian/patches/series opensc-0.19.0/debian/patches/series
--- opensc-0.19.0/debian/patches/series	1970-01-01 02:00:00.000000000 +0200
+++ opensc-0.19.0/debian/patches/series	2022-01-23 19:32:38.000000000 +0200
@@ -0,0 +1,8 @@
+0001-fixed-out-of-bounds-access-of-ASN.1-Bitstring.patch
+0002-fixed-compiler-warning.patch
+0003-Fixed-out-of-bounds-access-in-ASN.1-Octet-string.patch
+0004-fixed-UNKNOWN-READ.patch
+0005-Heap-buffer-overflow-WRITE.patch
+0006-fixed-invalid-read.patch
+0007-prevent-out-of-bounds-write.patch
+0008-coolkey-Make-sure-the-object-ID-is-unique-when-filli.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.12

Hi,

The updates referenced in these requests were included in oldstable as
part of today's 10.12 point release.

Regards,

Adam

--- End Message ---
