diff mbox series

[meta-oe,whinlatter,2/3] opensc: patch CVE-2025-66037

Message ID 20260407095245.3971755-2-skandigraun@gmail.com
State New
Headers show
Series [meta-oe,whinlatter,1/3] opensc: patch CVE-2025-49010 | expand

Commit Message

Gyorgy Sarvari April 7, 2026, 9:52 a.m. UTC 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66037

Backport the patch that is referenced by the upstream wiki
page[1] that is related to this vulnerability.

[1]: https://github.com/OpenSC/OpenSC/wiki/CVE-2025-66037

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../opensc/opensc/CVE-2025-66037.patch        | 34 +++++++++++++++++++
 .../recipes-support/opensc/opensc_0.26.1.bb   |  1 +
 2 files changed, 35 insertions(+)
 create mode 100644 meta-oe/recipes-support/opensc/opensc/CVE-2025-66037.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2025-66037.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2025-66037.patch
new file mode 100644
index 0000000000..2c0fcab23e
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/opensc/CVE-2025-66037.patch
@@ -0,0 +1,34 @@ 
+From 29fce41f0b65e8467745b385b0bafbb79e72d33d Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 25 Nov 2025 15:58:02 +0100
+Subject: [PATCH] pkcs15: Avoid buffer overrun on invalid data
+
+Invalid data can contain zero-length buffer, which after copying
+was dereferenced without length check
+
+Credit: Aldo Ristori
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+
+CVE: CVE-2025-66037
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/65fc211015cfcac27b10d0876054156c97225f50]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/libopensc/pkcs15-pubkey.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/libopensc/pkcs15-pubkey.c b/src/libopensc/pkcs15-pubkey.c
+index 83f3feb26..e6bf803f4 100644
+--- a/src/libopensc/pkcs15-pubkey.c
++++ b/src/libopensc/pkcs15-pubkey.c
+@@ -1328,6 +1328,10 @@ sc_pkcs15_pubkey_from_spki_fields(struct sc_context *ctx, struct sc_pkcs15_pubke
+ 	       "sc_pkcs15_pubkey_from_spki_fields() called: %p:%"SC_FORMAT_LEN_SIZE_T"u\n%s",
+ 	       buf, buflen, sc_dump_hex(buf, buflen));
+ 
++	if (buflen < 1) {
++		LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "subjectPublicKeyInfo can not be empty");
++	}
++
+ 	tmp_buf = malloc(buflen);
+ 	if (!tmp_buf) {
+ 		r = SC_ERROR_OUT_OF_MEMORY;
diff --git a/meta-oe/recipes-support/opensc/opensc_0.26.1.bb b/meta-oe/recipes-support/opensc/opensc_0.26.1.bb
index 3aed590347..ce982c4aa9 100644
--- a/meta-oe/recipes-support/opensc/opensc_0.26.1.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.26.1.bb
@@ -14,6 +14,7 @@  DEPENDS = "openssl"
 SRCREV = "043343d2df7b09d1938bc3dc313d86a96be457cc"
 SRC_URI = "git://github.com/OpenSC/OpenSC;branch=0.26.1;protocol=https \
            file://CVE-2025-49010.patch \
+           file://CVE-2025-66037.patch \
            "
 
 CVE_STATUS[CVE-2024-8443] = "fixed-version: this is fixed since 0.26.0"