Bug#1037025: unblock: opensc/0.23.0-0.3

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1037025: unblock: opensc/0.23.0-0.3
From: Bastian Germann <bage@debian.org>
Date: Thu, 1 Jun 2023 23:37:00 +0200
Message-id: <[🔎] 4d5527b0-67be-6e5d-50ae-1cf4249aa04e@debian.org>
Reply-to: Bastian Germann <bage@debian.org>, 1037025@bugs.debian.org
In-reply-to: <168564893382.520055.3646252174575924168.reportbug@eldamar.lan>

Package: release.debian.org
Control: affects -1 + src:opensc
X-Debbugs-Cc: opensc@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package opensc.

[ Reason ]
Fixes CVE-2023-2977.

[ Risks ]
None.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock opensc/0.23.0-0.3

diff -Nru opensc-0.23.0/debian/changelog opensc-0.23.0/debian/changelog
--- opensc-0.23.0/debian/changelog	2023-02-13 17:13:20.000000000 +0100
+++ opensc-0.23.0/debian/changelog	2023-06-01 22:30:18.000000000 +0200
@@ -1,3 +1,10 @@
+opensc (0.23.0-0.3) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2023-2977 with upstream patch.
+
+ -- Bastian Germann <bage@debian.org>  Thu, 01 Jun 2023 22:30:18 +0200
+
 opensc (0.23.0-0.2) unstable; urgency=medium
 
   * Non-maintainer upload
diff -Nru opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch
--- opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch	1970-01-01 01:00:00.000000000 +0100
+++ opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch	2023-06-01 22:30:18.000000000 +0200
@@ -0,0 +1,57 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a
+From: fullwaywang <fullwaywang@tencent.com>
+Date: Mon, 29 May 2023 10:38:48 +0800
+Subject: pkcs15init: correct left length calculation to fix buffer overrun bug.
+ Fixes #2785
+
+From https://github.com/OpenSC/OpenSC/issues/2785:
+The newly found issue exists in pkcs15-init module. Like the original bug in libopensc,
+cardos_have_verifyrc_package in pkcs15-cardos.c scans an ans1 buffer for 2 tags.
+The pointer p is moved after each sc_asn1_find_tag invocation,
+which results in the miscalculation of the length of left bytes in buffer
+and hence reading beyond the end of the buffer.
+
+CVE-2023-2977 was assigned for this issue.
+---
+ src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
+index 9715cf390f..f41f73c349 100644
+--- a/src/pkcs15init/pkcs15-cardos.c
++++ b/src/pkcs15init/pkcs15-cardos.c
+@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ 	sc_apdu_t apdu;
+         u8        rbuf[SC_MAX_APDU_BUFFER_SIZE];
+         int       r;
+-	const u8  *p = rbuf, *q;
++	const u8  *p = rbuf, *q, *pp;
+ 	size_t    len, tlen = 0, ilen = 0;
+ 
+ 	sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
+@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ 		return 0;
+ 
+ 	while (len != 0) {
+-		p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+-		if (p == NULL)
++		pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
++		if (pp == NULL)
+ 			return 0;
+ 		if (card->type == SC_CARD_TYPE_CARDOS_M4_3)	{
+ 			/* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01	*/
+ 			/* and Package Number 0x07					*/
+-			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
++			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
+ 			if (q == NULL || ilen != 4)
+ 				return 0;
+ 			if (q[0] == 0x07)
+@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ 		} else if (card->type == SC_CARD_TYPE_CARDOS_M4_4)	{
+ 			/* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03	*/
+ 			/* and Package Number 0x02					*/
+-			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
++			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
+ 			if (q == NULL || ilen != 4)
+ 				return 0;
+ 			if (q[0] == 0x02)
diff -Nru opensc-0.23.0/debian/patches/series opensc-0.23.0/debian/patches/series
--- opensc-0.23.0/debian/patches/series	2023-02-13 17:13:04.000000000 +0100
+++ opensc-0.23.0/debian/patches/series	2023-06-01 22:30:18.000000000 +0200
@@ -1,3 +1,4 @@
 0001-Use-sysconfdir-opensc-for-opensc.conf.patch
 0002-Fix-private-key-import.patch
 0003-Log-OpenSSL-errors.patch
+0004-pkcs15init-correct-left-length-calculation.patch

Reply to:

Follow-Ups:
- Processed: unblock: opensc/0.23.0-0.3
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1037025: marked as done (unblock: opensc/0.23.0-0.3)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processed: unblock: opensc/0.23.0-0.3
Next by Date: Processed: tagging 1036139, tagging 1036139, tagging 1036140, tagging 1036141, tagging 1036142, tagging 1036143 ...
Previous by thread: Bug#1037024: marked as done (nmu: modsecurity-apache_2.9.7-1)
Next by thread: Processed: unblock: opensc/0.23.0-0.3
Index(es):
- Date
- Thread