new file mode 100644
@@ -0,0 +1,34 @@
+From f01bfbd19b9c8243a40f7f17d554fe0eb9e89d0d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Tue, 16 Jul 2024 14:22:02 +0200
+Subject: [PATCH] pkcs15-tcos: Check number of read bytes for cert
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs11/15
+
+CVE: CVE-2024-45619
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/f01bfbd19b9c8243a40f7f17d554fe0eb9e89d0d]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/pkcs15-tcos.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c
+index a84001e122..4d02a98ee1 100644
+--- a/src/libopensc/pkcs15-tcos.c
++++ b/src/libopensc/pkcs15-tcos.c
+@@ -62,7 +62,8 @@ static int insert_cert(
+ "Select(%s) failed\n", path);
+ return 1;
+ }
+- if(sc_read_binary(card, 0, cert, sizeof(cert), 0)<0){
++ r = sc_read_binary(card, 0, cert, sizeof(cert), 0);
++ if (r <= 0){
+ sc_log(ctx,
+ "ReadBinary(%s) failed\n", path);
+ return 2;
+--
+2.34.1
new file mode 100644
@@ -0,0 +1,91 @@
+From a1d8c01c1cabd115dda8c298941d1786fb4c5c2f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Wed, 17 Jul 2024 12:53:52 +0200
+Subject: [PATCH] pkcs15-tcos: Check certificate length before accessing
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15_encode/8
+
+CVE: CVE-2024-45619
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/a1d8c01c1cabd115dda8c298941d1786fb4c5c2f]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/pkcs15-tcos.c | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c
+index 2bd275c4f4..ecaa66edf2 100644
+--- a/src/libopensc/pkcs15-tcos.c
++++ b/src/libopensc/pkcs15-tcos.c
+@@ -45,6 +45,7 @@ static int insert_cert(
+ struct sc_pkcs15_cert_info cert_info;
+ struct sc_pkcs15_object cert_obj;
+ unsigned char cert[20];
++ size_t cert_len = 0;
+ int r;
+
+ memset(&cert_info, 0, sizeof(cert_info));
+@@ -57,25 +58,31 @@ static int insert_cert(
+ strlcpy(cert_obj.label, label, sizeof(cert_obj.label));
+ cert_obj.flags = writable ? SC_PKCS15_CO_FLAG_MODIFIABLE : 0;
+
+- if(sc_select_file(card, &cert_info.path, NULL)!=SC_SUCCESS){
+- sc_log(ctx,
+- "Select(%s) failed\n", path);
++ if (sc_select_file(card, &cert_info.path, NULL) != SC_SUCCESS) {
++ sc_log(ctx, "Select(%s) failed", path);
+ return 1;
+ }
+ r = sc_read_binary(card, 0, cert, sizeof(cert), 0);
+- if (r <= 0){
+- sc_log(ctx,
+- "ReadBinary(%s) failed\n", path);
++ if (r <= 0) {
++ sc_log(ctx, "ReadBinary(%s) failed\n", path);
+ return 2;
+ }
+- if(cert[0]!=0x30 || cert[1]!=0x82){
+- sc_log(ctx,
+- "Invalid Cert: %02X:%02X:...\n", cert[0], cert[1]);
++ cert_len = r; /* actual number of read bytes */
++ if (cert_len < 7 || (size_t)(7 + cert[5]) > cert_len) {
++ sc_log(ctx, "Invalid certificate length");
++ return 3;
++ }
++ if (cert[0] != 0x30 || cert[1] != 0x82) {
++ sc_log(ctx, "Invalid Cert: %02X:%02X:...\n", cert[0], cert[1]);
+ return 3;
+ }
+
+ /* some certificates are prefixed by an OID */
+- if(cert[4]==0x06 && cert[5]<10 && cert[6+cert[5]]==0x30 && cert[7+cert[5]]==0x82){
++ if (cert[4] == 0x06 && cert[5] < 10 && cert[6 + cert[5]] == 0x30 && cert[7 + cert[5]] == 0x82) {
++ if ((size_t)(9 + cert[5]) > cert_len) {
++ sc_log(ctx, "Invalid certificate length");
++ return 3;
++ }
+ cert_info.path.index=6+cert[5];
+ cert_info.path.count=(cert[8+cert[5]]<<8) + cert[9+cert[5]] + 4;
+ } else {
+@@ -83,12 +90,12 @@ static int insert_cert(
+ cert_info.path.count=(cert[2]<<8) + cert[3] + 4;
+ }
+
+- r=sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info);
+- if(r!=SC_SUCCESS){
+- sc_log(ctx, "sc_pkcs15emu_add_x509_cert(%s) failed\n", path);
++ r = sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info);
++ if (r != SC_SUCCESS) {
++ sc_log(ctx, "sc_pkcs15emu_add_x509_cert(%s) failed", path);
+ return 4;
+ }
+- sc_log(ctx, "%s: OK, Index=%d, Count=%d\n", path, cert_info.path.index, cert_info.path.count);
++ sc_log(ctx, "%s: OK, Index=%d, Count=%d", path, cert_info.path.index, cert_info.path.count);
+ return 0;
+ }
+
+--
+2.34.1
new file mode 100644
@@ -0,0 +1,83 @@
+From 673065630bf4aaf03c370fc791ef6a6239431214 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Wed, 17 Jul 2024 09:15:43 +0200
+Subject: [PATCH] pkcs15-gemsafeV1: Check length of buffer for object
+
+Number of actually read bytes may differ from
+the stated object length.
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15_crypt/15
+
+CVE: CVE-2024-45619
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/673065630bf4aaf03c370fc791ef6a6239431214]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/pkcs15-gemsafeV1.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-gemsafeV1.c b/src/libopensc/pkcs15-gemsafeV1.c
+index add4c3e68..46cc420bf 100644
+--- a/src/libopensc/pkcs15-gemsafeV1.c
++++ b/src/libopensc/pkcs15-gemsafeV1.c
+@@ -168,6 +168,7 @@ static int gemsafe_get_cert_len(sc_card_t *card)
+ struct sc_file *file;
+ size_t objlen, certlen;
+ unsigned int ind, i=0;
++ int read_len;
+
+ sc_format_path(GEMSAFE_PATH, &path);
+ r = sc_select_file(card, &path, &file);
+@@ -176,9 +177,11 @@ static int gemsafe_get_cert_len(sc_card_t *card)
+ sc_file_free(file);
+
+ /* Initial read */
+- r = sc_read_binary(card, 0, ibuf, GEMSAFE_READ_QUANTUM, 0);
+- if (r < 0)
++ read_len = sc_read_binary(card, 0, ibuf, GEMSAFE_READ_QUANTUM, 0);
++ if (read_len <= 2) {
++ sc_log(card->ctx, "Invalid size of object data: %d", read_len);
+ return SC_ERROR_INTERNAL;
++ }
+
+ /* Actual stored object size is encoded in first 2 bytes
+ * (allocated EF space is much greater!)
+@@ -207,7 +210,7 @@ static int gemsafe_get_cert_len(sc_card_t *card)
+ * the private key.
+ */
+ ind = 2; /* skip length */
+- while (ibuf[ind] == 0x01 && i < gemsafe_cert_max) {
++ while (ind + 1 < (size_t)read_len && ibuf[ind] == 0x01 && i < gemsafe_cert_max) {
+ if (ibuf[ind+1] == 0xFE) {
+ gemsafe_prkeys[i].ref = ibuf[ind+4];
+ sc_log(card->ctx, "Key container %d is allocated and uses key_ref %d",
+@@ -234,7 +237,7 @@ static int gemsafe_get_cert_len(sc_card_t *card)
+ /* Read entire file, then dissect in memory.
+ * Gemalto ClassicClient seems to do it the same way.
+ */
+- iptr = ibuf + GEMSAFE_READ_QUANTUM;
++ iptr = ibuf + read_len;
+ while ((size_t)(iptr - ibuf) < objlen) {
+ r = sc_read_binary(card, iptr - ibuf, iptr,
+ MIN(GEMSAFE_READ_QUANTUM, objlen - (iptr - ibuf)), 0);
+@@ -242,7 +245,14 @@ static int gemsafe_get_cert_len(sc_card_t *card)
+ sc_log(card->ctx, "Could not read cert object");
+ return SC_ERROR_INTERNAL;
+ }
+- iptr += GEMSAFE_READ_QUANTUM;
++ if (r == 0)
++ break;
++ read_len += r;
++ iptr += r;
++ }
++ if ((size_t)read_len < objlen) {
++ sc_log(card->ctx, "Could not read cert object");
++ return SC_ERROR_INTERNAL;
+ }
+
+ /* Search buffer for certificates, they start with 0x3082. */
+--
+2.34.1
new file mode 100644
@@ -0,0 +1,49 @@
+From e20ca25204c9c5e36f53ae92ddf017cd17d07e31 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Thu, 18 Jul 2024 10:16:39 +0200
+Subject: [PATCH] pkcs15-setcos: Check length of generated key
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15init/26
+
+CVE: CVE-2024-45619
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/e20ca25204c9c5e36f53ae92ddf017cd17d07e31]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/pkcs15init/pkcs15-setcos.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+
+diff --git a/src/pkcs15init/pkcs15-setcos.c b/src/pkcs15init/pkcs15-setcos.c
+index bfee78cd6..57d5e83bf 100644
+--- a/src/pkcs15init/pkcs15-setcos.c
++++ b/src/pkcs15init/pkcs15-setcos.c
+@@ -498,6 +498,9 @@ setcos_generate_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
+ r = sc_card_ctl(p15card->card, SC_CARDCTL_SETCOS_GETDATA, &data_obj);
+ LOG_TEST_RET(ctx, r, "Cannot get key modulus: 'SETCOS_GETDATA' failed");
+
++ if (data_obj.DataLen < 3 || data_obj.DataLen < pubkey->u.rsa.modulus.len)
++ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Cannot get key modulus: wrong length of raw key");
++
+ keybits = ((raw_pubkey[0] * 256) + raw_pubkey[1]); /* modulus bit length */
+ if (keybits != key_info->modulus_length) {
+ sc_log(ctx,
+@@ -505,10 +508,11 @@ setcos_generate_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
+ keybits, key_info->modulus_length);
+ LOG_TEST_RET(ctx, SC_ERROR_PKCS15INIT, "Failed to generate key");
+ }
+- memcpy (pubkey->u.rsa.modulus.data, &raw_pubkey[2], pubkey->u.rsa.modulus.len);
++ memcpy(pubkey->u.rsa.modulus.data, &raw_pubkey[2], pubkey->u.rsa.modulus.len);
++ } else {
++ sc_file_free(file);
+ }
+
+- sc_file_free(file);
+ return r;
+ }
+
+--
+2.34.1
new file mode 100644
@@ -0,0 +1,33 @@
+From 2b6cd52775b5448f6a993922a30c7a38d9626134 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Thu, 18 Jul 2024 11:38:25 +0200
+Subject: [PATCH] pkcs15-sc-hsm: Properly check length of file list
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15init/8
+
+CVE: CVE-2024-45619
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/2b6cd52775b5448f6a993922a30c7a38d9626134]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/pkcs15init/pkcs15-sc-hsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pkcs15init/pkcs15-sc-hsm.c b/src/pkcs15init/pkcs15-sc-hsm.c
+index 71f96cfc56..db1a2b518f 100644
+--- a/src/pkcs15init/pkcs15-sc-hsm.c
++++ b/src/pkcs15init/pkcs15-sc-hsm.c
+@@ -140,7 +140,7 @@ static int sc_hsm_determine_free_id(struct sc_pkcs15_card *p15card, u8 range)
+ LOG_TEST_RET(card->ctx, filelistlength, "Could not enumerate file and key identifier");
+
+ for (j = 0; j < 256; j++) {
+- for (i = 0; i < filelistlength; i += 2) {
++ for (i = 0; i + 1 < filelistlength; i += 2) {
+ if ((filelist[i] == range) && (filelist[i + 1] == j)) {
+ break;
+ }
+--
+2.34.1
new file mode 100644
@@ -0,0 +1,63 @@
+From dd554a2e1e31e6cb75c627c653652696d61e8de8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Thu, 18 Jul 2024 12:33:31 +0200
+Subject: [PATCH] card-coolkey: Check length of buffer before conversion
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15_reader/3
+
+CVE: CVE-2024-45619
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/dd554a2e1e31e6cb75c627c653652696d61e8de8]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/card-coolkey.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/libopensc/card-coolkey.c b/src/libopensc/card-coolkey.c
+index ff3ffd9a7..e0a5ae774 100644
+--- a/src/libopensc/card-coolkey.c
++++ b/src/libopensc/card-coolkey.c
+@@ -1684,6 +1684,7 @@ static int coolkey_rsa_op(sc_card_t *card, const u8 * data, size_t datalen,
+ u8 key_number;
+ size_t params_len;
+ u8 buf[MAX_COMPUTE_BUF + 2];
++ size_t buf_len;
+ u8 *buf_out;
+
+ SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
+@@ -1724,8 +1725,6 @@ static int coolkey_rsa_op(sc_card_t *card, const u8 * data, size_t datalen,
+ ushort2bebytes(params.init.buf_len, 0);
+ } else {
+ /* The data fits in APDU. Copy it to the params object */
+- size_t buf_len;
+-
+ params.init.location = COOLKEY_CRYPT_LOCATION_APDU;
+
+ params_len = sizeof(params.init) + datalen;
+@@ -1745,6 +1744,7 @@ static int coolkey_rsa_op(sc_card_t *card, const u8 * data, size_t datalen,
+ if (r < 0) {
+ goto done;
+ }
++ buf_len = crypt_out_len_p;
+
+ if (datalen > MAX_COMPUTE_BUF) {
+ u8 len_buf[2];
+@@ -1763,7 +1763,12 @@ static int coolkey_rsa_op(sc_card_t *card, const u8 * data, size_t datalen,
+ priv->nonce, sizeof(priv->nonce));
+
+ } else {
+- size_t out_length = bebytes2ushort(buf);
++ size_t out_length;
++ if (buf_len < 2) {
++ r = SC_ERROR_WRONG_LENGTH;
++ goto done;
++ }
++ out_length = bebytes2ushort(buf);
+ if (out_length > sizeof buf - 2) {
+ r = SC_ERROR_WRONG_LENGTH;
+ goto done;
+--
+2.34.1
@@ -46,6 +46,12 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
file://CVE-2024-45617-0003.patch \
file://CVE-2024-45618-0001.patch \
file://CVE-2024-45618-0002.patch \
+ file://CVE-2024-45619-0001.patch \
+ file://CVE-2024-45619-0002.patch \
+ file://CVE-2024-45619-0003.patch \
+ file://CVE-2024-45619-0004.patch \
+ file://CVE-2024-45619-0005.patch \
+ file://CVE-2024-45619-0006.patch \
"
# CVE-2021-34193 is a duplicate CVE covering the 5 individual