diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2025-66037.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2025-66037.patch new file mode 100644 index 0000000000..2c0fcab23e --- /dev/null +++ b/meta-oe/recipes-support/opensc/opensc/CVE-2025-66037.patch @@ -0,0 +1,34 @@ +From 29fce41f0b65e8467745b385b0bafbb79e72d33d Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 25 Nov 2025 15:58:02 +0100 +Subject: [PATCH] pkcs15: Avoid buffer overrun on invalid data + +Invalid data can contain zero-length buffer, which after copying +was dereferenced without length check + +Credit: Aldo Ristori + +Signed-off-by: Jakub Jelen + +CVE: CVE-2025-66037 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/65fc211015cfcac27b10d0876054156c97225f50] +Signed-off-by: Gyorgy Sarvari +--- + src/libopensc/pkcs15-pubkey.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/libopensc/pkcs15-pubkey.c b/src/libopensc/pkcs15-pubkey.c +index 83f3feb26..e6bf803f4 100644 +--- a/src/libopensc/pkcs15-pubkey.c ++++ b/src/libopensc/pkcs15-pubkey.c +@@ -1328,6 +1328,10 @@ sc_pkcs15_pubkey_from_spki_fields(struct sc_context *ctx, struct sc_pkcs15_pubke + "sc_pkcs15_pubkey_from_spki_fields() called: %p:%"SC_FORMAT_LEN_SIZE_T"u\n%s", + buf, buflen, sc_dump_hex(buf, buflen)); + ++ if (buflen < 1) { ++ LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "subjectPublicKeyInfo can not be empty"); ++ } ++ + tmp_buf = malloc(buflen); + if (!tmp_buf) { + r = SC_ERROR_OUT_OF_MEMORY; diff --git a/meta-oe/recipes-support/opensc/opensc_0.26.1.bb b/meta-oe/recipes-support/opensc/opensc_0.26.1.bb index 3aed590347..ce982c4aa9 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.26.1.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.26.1.bb @@ -14,6 +14,7 @@ DEPENDS = "openssl" SRCREV = "043343d2df7b09d1938bc3dc313d86a96be457cc" SRC_URI = "git://github.com/OpenSC/OpenSC;branch=0.26.1;protocol=https \ file://CVE-2025-49010.patch \ + file://CVE-2025-66037.patch \ " CVE_STATUS[CVE-2024-8443] = "fixed-version: this is fixed since 0.26.0"