
Bug#1037025: marked as done (unblock: opensc/0.23.0-0.3)



Your message dated Fri, 02 Jun 2023 21:52:56 +0000
with message-id <E1q5Chc-007d4B-6s@respighi.debian.org>
and subject line unblock opensc
has caused the Debian Bug report #1037025,
regarding unblock: opensc/0.23.0-0.3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1037025: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037025
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Control: affects -1 + src:opensc
X-Debbugs-Cc: opensc@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package opensc.

[ Reason ]
Fixes CVE-2023-2977.

[ Risks ]
None.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock opensc/0.23.0-0.3
diff -Nru opensc-0.23.0/debian/changelog opensc-0.23.0/debian/changelog
--- opensc-0.23.0/debian/changelog	2023-02-13 17:13:20.000000000 +0100
+++ opensc-0.23.0/debian/changelog	2023-06-01 22:30:18.000000000 +0200
@@ -1,3 +1,10 @@
+opensc (0.23.0-0.3) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2023-2977 with upstream patch.
+
+ -- Bastian Germann <bage@debian.org>  Thu, 01 Jun 2023 22:30:18 +0200
+
 opensc (0.23.0-0.2) unstable; urgency=medium
 
   * Non-maintainer upload
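Review bot: The 0.23.0-0.3 entry line "Fix CVE-2023-2977 with upstream patch." does not say which patch or which code is touched. Suggest naming the added file (0004-pkcs15init-correct-left-length-calculation.patch) and the affected area (pkcs15init, cardos_have_verifyrc_package), so that someone auditing the changelog can match the CVE to the change without opening debian/patches.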
diff -Nru opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch
--- opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch	1970-01-01 01:00:00.000000000 +0100
+++ opensc-0.23.0/debian/patches/0004-pkcs15init-correct-left-length-calculation.patch	2023-06-01 22:30:18.000000000 +0200
@@ -0,0 +1,57 @@
+Origin: https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a
+From: fullwaywang <fullwaywang@tencent.com>
+Date: Mon, 29 May 2023 10:38:48 +0800
+Subject: pkcs15init: correct left length calculation to fix buffer overrun bug.
+ Fixes #2785
+
+From https://github.com/OpenSC/OpenSC/issues/2785:
+The newly found issue exists in pkcs15-init module. Like the original bug in libopensc,
+cardos_have_verifyrc_package in pkcs15-cardos.c scans an ans1 buffer for 2 tags.
+The pointer p is moved after each sc_asn1_find_tag invocation,
+which results in the miscalculation of the length of left bytes in buffer
+and hence reading beyond the end of the buffer.
+
+CVE-2023-2977 was assigned for this issue.
+---
+ src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
+index 9715cf390f..f41f73c349 100644
+--- a/src/pkcs15init/pkcs15-cardos.c
++++ b/src/pkcs15init/pkcs15-cardos.c
+@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ 	sc_apdu_t apdu;
+         u8        rbuf[SC_MAX_APDU_BUFFER_SIZE];
+         int       r;
+-	const u8  *p = rbuf, *q;
++	const u8  *p = rbuf, *q, *pp;
+ 	size_t    len, tlen = 0, ilen = 0;
+ 
+ 	sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
+@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ 		return 0;
+ 
+ 	while (len != 0) {
+-		p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+-		if (p == NULL)
++		pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
++		if (pp == NULL)
+ 			return 0;
+ 		if (card->type == SC_CARD_TYPE_CARDOS_M4_3)	{
+ 			/* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01	*/
+ 			/* and Package Number 0x07					*/
+-			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
++			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
+ 			if (q == NULL || ilen != 4)
+ 				return 0;
+ 			if (q[0] == 0x07)
+@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ 		} else if (card->type == SC_CARD_TYPE_CARDOS_M4_4)	{
+ 			/* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03	*/
+ 			/* and Package Number 0x02					*/
+-			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
++			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
+ 			if (q == NULL || ilen != 4)
+ 				return 0;
+ 			if (q[0] == 0x02)
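Review bot: In the "while (len != 0)" loop of cardos_have_verifyrc_package, p is no longer reassigned from sc_asn1_find_tag, so both termination and bounds now depend entirely on the statements that advance p and reduce len, and those lie outside the context shown in these hunks. len is a size_t, so a subtraction larger than what remains wraps around instead of reaching 0, and the next sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen) call would then be given a length larger than what is left of rbuf. Please confirm that the amount consumed is derived from where the 0xe1 element ends (pp + tlen relative to p) rather than from an assumed header size, and that the loop exits when that amount exceeds len. A regression test feeding a truncated or malformed response to this function would help keep the fix in place.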
diff -Nru opensc-0.23.0/debian/patches/series opensc-0.23.0/debian/patches/series
--- opensc-0.23.0/debian/patches/series	2023-02-13 17:13:04.000000000 +0100
+++ opensc-0.23.0/debian/patches/series	2023-06-01 22:30:18.000000000 +0200
@@ -1,3 +1,4 @@
 0001-Use-sysconfdir-opensc-for-opensc.conf.patch
 0002-Fix-private-key-import.patch
 0003-Log-OpenSSL-errors.patch
+0004-pkcs15init-correct-left-length-calculation.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
