From patchwork Wed Jan 15 07:24:21 2025
X-Patchwork-Submitter: Peng Zhang
X-Patchwork-Id: 55542
From: peng.zhang1.cn@windriver.com
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 1/8] opensc: fix CVE-2024-1454
Date: Wed, 15 Jan 2025 15:24:21 +0800
Message-Id: <20250115072428.3667416-1-peng.zhang1.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114885
From: Zhang Peng

CVE-2024-1454: The use-after-free vulnerability was found in the AuthentIC driver in OpenSC packages, occurring in the card enrolment process using pkcs15-init when a user or administrator enrols or modifies cards. An attacker must have physical access to the computer system and requires a crafted USB device or smart card to present the system with specially crafted responses to the APDUs, which are considered high complexity and low severity. This manipulation can allow for compromised card management operations during enrolment.

Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-1454]

Upstream patches: [https://github.com/OpenSC/OpenSC/commit/5835f0d4f6c033bd58806d33fa546908d39825c9]

Signed-off-by: Zhang Peng
--- .../opensc/files/CVE-2024-1454.patch | 37 +++++++++++++++++++ .../recipes-support/opensc/opensc_0.22.0.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-1454.patch diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-1454.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-1454.patch new file mode 100644 index 000000000..0ef26d447 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-1454.patch 
@@ -0,0 +1,37 @@ +From 5835f0d4f6c033bd58806d33fa546908d39825c9 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 18 Dec 2023 11:09:50 +0100 +Subject: [PATCH] authentic: Avoid use after free + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64898 + +CVE: CVE-2024-1454 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/5835f0d4f6c033bd58806d33fa546908d39825c9] + +The original patch is adjusted to fit for the current version. + +Signed-off-by: Zhang Peng +--- + src/pkcs15init/pkcs15-authentic.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/pkcs15init/pkcs15-authentic.c b/src/pkcs15init/pkcs15-authentic.c +index c6894dd37..adedd0a04 100644 +--- a/src/pkcs15init/pkcs15-authentic.c ++++ b/src/pkcs15init/pkcs15-authentic.c +@@ -858,7 +858,10 @@ authentic_emu_update_tokeninfo(struct sc_profile *profile, struct sc_pkcs15_card + rv = sc_select_file(p15card->card, &path, &file); + if (!rv) { + rv = sc_get_challenge(p15card->card, buffer, sizeof(buffer)); +- LOG_TEST_RET(ctx, rv, "Get challenge error"); ++ if (rv < 0) { ++ sc_file_free(file); ++ LOG_TEST_RET(ctx, rv, "Get challenge error"); ++ } + + len = file->size > sizeof(buffer) ? sizeof(buffer) : file->size; + rv = sc_update_binary(p15card->card, 0, buffer, len, 0); +-- +2.34.1 \ No newline at end of file diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb index 7915d8913..834b83d68 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb 
@@ -23,6 +23,7 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \ file://CVE-2023-40661-5.patch \ file://CVE-2023-40661-6.patch \ file://CVE-2023-40661-7.patch \ + file://CVE-2024-1454.patch \ " # CVE-2021-34193 is a duplicate CVE covering the 5 individual
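Review bot: The header of the added CVE-2024-1454.patch says "The original patch is adjusted to fit for the current version" without saying what was adjusted. The embedded hunk in authentic_emu_update_tokeninfo() is small (sc_file_free(file) before LOG_TEST_RET when sc_get_challenge() returns rv < 0), so please state whether only context and line offsets differ from upstream 5835f0d4f6c033bd58806d33fa546908d39825c9 or whether code was changed. The file is also added with "\ No newline at end of file" after the "2.34.1" trailer; add the trailing newline.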
From patchwork Wed Jan 15 07:24:22 2025
X-Patchwork-Submitter: Peng Zhang
X-Patchwork-Id: 55543
From: peng.zhang1.cn@windriver.com
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 2/8] opensc: fix CVE-2024-8443
Date: Wed, 15 Jan 2025 15:24:22 +0800
Message-Id: <20250115072428.3667416-2-peng.zhang1.cn@windriver.com>
In-Reply-To: <20250115072428.3667416-1-peng.zhang1.cn@windriver.com>
References: <20250115072428.3667416-1-peng.zhang1.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114886
From: Zhang Peng

CVE-2024-8443: The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘themehunk_megamenu_bg_image' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Please note that this was partially fixed in 1.1.0 due to the missing authorization protection that was added.

Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-8433]

Upstream patches:
[https://github.com/OpenSC/OpenSC/commit/02e847458369c08421fd2d5e9a16a5f272c2de9e]
[https://github.com/OpenSC/OpenSC/commit/b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc]

Signed-off-by: Zhang Peng
--- .../opensc/files/CVE-2024-8443-0001.patch | 60 +++++++++++++++++++ .../opensc/files/CVE-2024-8443-0002.patch | 55 +++++++++++++++++ .../recipes-support/opensc/opensc_0.22.0.bb | 2 + 3 files changed, 117 insertions(+) create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-8443-0001.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-8443-0002.patch diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0001.patch new file mode 100644 index 000000000..7d80aba76 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0001.patch 
@@ -0,0 +1,60 @@ +From b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 12 Aug 2024 19:02:14 +0200 +Subject: [PATCH] openpgp: Do not accept non-matching key responses + +When generating RSA key pair using PKCS#15 init, the driver could accept +responses relevant to ECC keys, which made further processing in the +pkcs15-init failing/accessing invalid parts of structures. + +Thanks oss-fuzz! + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=71010 + +Signed-off-by: Jakub Jelen + +CVE: CVE-2024-8443 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc] + +Signed-off-by: Zhang Peng +--- + src/libopensc/card-openpgp.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c +index fad32f0ce..f99ec0db9 100644 +--- a/src/libopensc/card-openpgp.c ++++ b/src/libopensc/card-openpgp.c +@@ -2877,6 +2877,9 @@ pgp_parse_and_set_pubkey_output(sc_card_t *card, u8* data, size_t data_len, + + /* RSA modulus */ + if (tag == 0x0081) { ++ if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA) { ++ LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED); ++ } + if ((BYTES4BITS(key_info->u.rsa.modulus_len) < len) /* modulus_len is in bits */ + || key_info->u.rsa.modulus == NULL) { + +@@ -2892,6 +2895,9 @@ pgp_parse_and_set_pubkey_output(sc_card_t *card, u8* data, size_t data_len, + } + /* RSA public exponent */ + else if (tag == 0x0082) { ++ if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA) { ++ LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED); ++ } + if ((BYTES4BITS(key_info->u.rsa.exponent_len) < len) /* exponent_len is in bits */ + || key_info->u.rsa.exponent == NULL) { + +@@ -2907,6 +2913,10 @@ pgp_parse_and_set_pubkey_output(sc_card_t *card, u8* data, size_t data_len, + } + /* ECC public key */ + else if (tag == 0x0086) { ++ if (key_info->algorithm != SC_OPENPGP_KEYALGO_ECDSA && ++ 
key_info->algorithm != SC_OPENPGP_KEYALGO_ECDH) { ++ LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED); ++ } + /* set the output data */ + /* len is ecpoint length + format byte + * see section 7.2.14 of 3.3.1 specs */ +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0002.patch new file mode 100644 index 000000000..30a7e63a7 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0002.patch 
@@ -0,0 +1,55 @@ +From 02e847458369c08421fd2d5e9a16a5f272c2de9e Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 15 Aug 2024 11:13:47 +0200 +Subject: [PATCH] openpgp: Avoid buffer overflow when writing fingerprint + +Fix also surrounding code to return error (not just log it) +when some step fails. + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=70933 + +Signed-off-by: Jakub Jelen + +CVE: CVE-2024-8443 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/02e847458369c08421fd2d5e9a16a5f272c2de9e] + +Signed-off-by: Zhang Peng +--- + src/libopensc/card-openpgp.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c +index f99ec0db9..3957440de 100644 +--- a/src/libopensc/card-openpgp.c ++++ b/src/libopensc/card-openpgp.c +@@ -2756,14 +2756,21 @@ pgp_calculate_and_store_fingerprint(sc_card_t *card, time_t ctime, + /* update the blob containing fingerprints (00C5) */ + sc_log(card->ctx, "Updating fingerprint blob 00C5."); + fpseq_blob = pgp_find_blob(card, 0x00C5); +- if (fpseq_blob == NULL) +- LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY, "Cannot find blob 00C5"); ++ if (fpseq_blob == NULL) { ++ r = SC_ERROR_OUT_OF_MEMORY; ++ LOG_TEST_GOTO_ERR(card->ctx, r, "Cannot find blob 00C5"); ++ } ++ if (20 * key_info->key_id > fpseq_blob->len) { ++ r = SC_ERROR_OBJECT_NOT_VALID; ++ LOG_TEST_GOTO_ERR(card->ctx, r, "The 00C5 blob is not large enough"); ++ } + + /* save the fingerprints sequence */ + newdata = malloc(fpseq_blob->len); +- if (newdata == NULL) +- LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY, +- "Not enough memory to update fingerprint blob 00C5"); ++ if (newdata == NULL) { ++ r = SC_ERROR_OUT_OF_MEMORY; ++ LOG_TEST_GOTO_ERR(card->ctx, r, "Not enough memory to update fingerprint blob 00C5"); ++ } + + memcpy(newdata, fpseq_blob->data, fpseq_blob->len); + /* move p to the portion holding the fingerprint of the 
current key */ +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb index 834b83d68..822e0ab97 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb 
@@ -24,6 +24,8 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \ file://CVE-2023-40661-6.patch \ file://CVE-2023-40661-7.patch \ file://CVE-2024-1454.patch \ + file://CVE-2024-8443-0001.patch \ + file://CVE-2024-8443-0002.patch \ " # CVE-2021-34193 is a duplicate CVE covering the 5 individual
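Review bot: The commit message describes the wrong advisory: its text is about a stored XSS in a WordPress plugin and its Reference link is https://nvd.nist.gov/vuln/detail/CVE-2024-8433, while the subject, the two patch file names and the "CVE: CVE-2024-8443" tags in both added files say CVE-2024-8443, and the hunks change src/libopensc/card-openpgp.c. Replace the description and the link with those for CVE-2024-8443 so that CVE tracking for this recipe points at the right record.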
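Review bot: Check that the tag 0x0086 branch of pgp_parse_and_set_pubkey_output() in CVE-2024-8443-0001.patch does not reject a key type that 0.22.0 supports: it returns SC_ERROR_UNKNOWN_DATA_RECEIVED unless key_info->algorithm is SC_OPENPGP_KEYALGO_ECDSA or SC_OPENPGP_KEYALGO_ECDH. If this version defines any other algorithm that answers with tag 0x0086, key generation for it would start failing after this backport; a line in the patch header on how the backport was tested against 0.22.0 would settle it.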
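Review bot: The new bound in pgp_calculate_and_store_fingerprint() (CVE-2024-8443-0002.patch), "20 * key_info->key_id > fpseq_blob->len", guards only the upper end of the fingerprint slot, and the visible context shows no lower bound on key_info->key_id before "move p to the portion holding the fingerprint of the current key". Please confirm that key_id is validated as non-zero earlier in this function in 0.22.0; if it is not, the check should reject that value as well.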
From patchwork Wed Jan 15 07:24:23 2025
X-Patchwork-Submitter: Peng Zhang
X-Patchwork-Id: 55545
From: peng.zhang1.cn@windriver.com
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 3/8] opensc: fix CVE-2024-45615
Date: Wed, 15 Jan 2025 15:24:23 +0800
Message-Id: <20250115072428.3667416-3-peng.zhang1.cn@windriver.com>
In-Reply-To: <20250115072428.3667416-1-peng.zhang1.cn@windriver.com>
References: <20250115072428.3667416-1-peng.zhang1.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114887
From: Zhang Peng CVE-2024-45615: A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. The problem is missing initialization of variables expected to be initialized (as arguments to other functions, etc.). Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-45615] Upstream patches: [https://github.com/OpenSC/OpenSC/commit/5e4f26b510b04624386c54816bf26aacea0fe4a1] [https://github.com/OpenSC/OpenSC/commit/7d68a7f442e38e16625270a0fdc6942c9e9437e6] [https://github.com/OpenSC/OpenSC/commit/bb3dedb71e59bd17f96fd4e807250a5cf2253cb7] [https://github.com/OpenSC/OpenSC/commit/42d718dfccd2a10f6d26705b8c991815c855fa3b] [https://github.com/OpenSC/OpenSC/commit/bde991b0fe4f0250243b0e4960978b1043c13b03] Signed-off-by: Zhang Peng --- .../opensc/files/CVE-2024-45615-0001.patch | 67 +++++++++++++++++++ .../opensc/files/CVE-2024-45615-0002.patch | 36 ++++++++++ .../opensc/files/CVE-2024-45615-0003.patch | 35 ++++++++++ .../opensc/files/CVE-2024-45615-0004.patch | 36 ++++++++++ .../opensc/files/CVE-2024-45615-0005.patch | 34 ++++++++++ .../recipes-support/opensc/opensc_0.22.0.bb | 5 ++ 6 files changed, 213 insertions(+) create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45615-0001.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45615-0002.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45615-0003.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45615-0004.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45615-0005.patch diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0001.patch new file mode 100644 index 000000000..badb301b1 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0001.patch 
@@ -0,0 +1,67 @@ +From 5e4f26b510b04624386c54816bf26aacea0fe4a1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Thu, 11 Jul 2024 14:58:25 +0200 +Subject: [PATCH] cac: Fix uninitialized values + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_card/1,fuzz_pkcs11/6 +CVE: CVE-2024-45615 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/5e4f26b510b04624386c54816bf26aacea0fe4a1] + +Signed-off-by: Zhang Peng +--- + src/libopensc/card-cac.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c +index 1d1b616c8..4c3bc89bd 100644 +--- a/src/libopensc/card-cac.c ++++ b/src/libopensc/card-cac.c +@@ -255,7 +255,7 @@ static int cac_apdu_io(sc_card_t *card, int ins, int p1, int p2, + size_t * recvbuflen) + { + int r; +- sc_apdu_t apdu; ++ sc_apdu_t apdu = {0}; + u8 rbufinitbuf[CAC_MAX_SIZE]; + u8 *rbuf; + size_t rbuflen; +@@ -392,13 +392,13 @@ fail: + static int cac_read_file(sc_card_t *card, int file_type, u8 **out_buf, size_t *out_len) + { + u8 params[2]; +- u8 count[2]; ++ u8 count[2] = {0}; + u8 *out = NULL; +- u8 *out_ptr; ++ u8 *out_ptr = NULL; + size_t offset = 0; + size_t size = 0; + size_t left = 0; +- size_t len; ++ size_t len = 0; + int r; + + params[0] = file_type; +@@ -461,7 +461,7 @@ static int cac_read_binary(sc_card_t *card, unsigned int idx, + const u8 *tl_ptr, *val_ptr, *tl_start; + u8 *tlv_ptr; + const u8 *cert_ptr; +- size_t tl_len, val_len, tlv_len; ++ size_t tl_len = 0, val_len = 0, tlv_len; + size_t len, tl_head_len, cert_len; + u8 cert_type, tag; + +@@ -1528,7 +1528,7 @@ static int cac_parse_CCC(sc_card_t *card, cac_private_data_t *priv, const u8 *tl + static int cac_process_CCC(sc_card_t *card, cac_private_data_t *priv, int depth) + { + u8 *tl = NULL, *val = NULL; +- size_t tl_len, val_len; ++ size_t tl_len = 0, val_len = 0; + int r; + + if (depth > 
CAC_MAX_CCC_DEPTH) { +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0002.patch new file mode 100644 index 000000000..7e02df383 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0002.patch @@ -0,0 +1,36 @@ +From 7d68a7f442e38e16625270a0fdc6942c9e9437e6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Tue, 16 Jul 2024 15:51:51 +0200 +Subject: [PATCH] card-piv: Initialize variables for tag and CLA + +In case they are not later initialize later by +sc_asn1_read_tag() function. + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs11/21 + +CVE: CVE-2024-45615 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/7d68a7f442e38e16625270a0fdc6942c9e9437e6] + +Signed-off-by: Zhang Peng +--- + src/libopensc/card-piv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libopensc/card-piv.c b/src/libopensc/card-piv.c +index 6bf740221..0f07b2529 100644 +--- a/src/libopensc/card-piv.c ++++ b/src/libopensc/card-piv.c +@@ -2241,7 +2241,7 @@ static int piv_get_challenge(sc_card_t *card, u8 *rnd, size_t len) + const u8 *p; + size_t out_len = 0; + int r; +- unsigned int tag, cla; ++ unsigned int tag = 0, cla = 0; + piv_private_data_t * priv = PIV_DATA(card); + + LOG_FUNC_CALLED(card->ctx); +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0003.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0003.patch new file mode 100644 index 000000000..3f57ca336 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0003.patch 
@@ -0,0 +1,35 @@ +From bb3dedb71e59bd17f96fd4e807250a5cf2253cb7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Fri, 12 Jul 2024 14:35:47 +0200 +Subject: [PATCH] pkcs15-cert.c: Initialize OID length + +In case it is not set later. + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs11/7 + +CVE: CVE-2024-45615 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/bb3dedb71e59bd17f96fd4e807250a5cf2253cb7] + +Signed-off-by: Zhang Peng +--- + src/libopensc/pkcs15-cert.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libopensc/pkcs15-cert.c b/src/libopensc/pkcs15-cert.c +index 1777a85835..5e2dbb89d0 100644 +--- a/src/libopensc/pkcs15-cert.c ++++ b/src/libopensc/pkcs15-cert.c +@@ -169,7 +169,7 @@ sc_pkcs15_get_name_from_dn(struct sc_context *ctx, const u8 *dn, size_t dn_len, + for (next_ava = rdn, next_ava_len = rdn_len; next_ava_len; ) { + const u8 *ava, *dummy, *oidp; + struct sc_object_id oid; +- size_t ava_len, dummy_len, oid_len; ++ size_t ava_len = 0, dummy_len, oid_len = 0; + + /* unwrap the set and point to the next ava */ + ava = sc_asn1_skip_tag(ctx, &next_ava, &next_ava_len, SC_ASN1_TAG_SET | SC_ASN1_CONS, &ava_len); +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0004.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0004.patch new file mode 100644 index 000000000..a477bb07e --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0004.patch 
@@ -0,0 +1,36 @@ +From 42d718dfccd2a10f6d26705b8c991815c855fa3b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Tue, 16 Jul 2024 16:32:45 +0200 +Subject: [PATCH] pkcs15-sc-hsm: Initialize variables for tag and CLA + +In case they are not later initialize later by +sc_asn1_read_tag() function. + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs15_crypt/12 + +CVE: CVE-2024-45615 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/42d718dfccd2a10f6d26705b8c991815c855fa3b] + +Signed-off-by: Zhang Peng +--- + src/libopensc/pkcs15-sc-hsm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libopensc/pkcs15-sc-hsm.c b/src/libopensc/pkcs15-sc-hsm.c +index 315cd74482..acdbee7054 100644 +--- a/src/libopensc/pkcs15-sc-hsm.c ++++ b/src/libopensc/pkcs15-sc-hsm.c +@@ -277,7 +277,7 @@ int sc_pkcs15emu_sc_hsm_decode_cvc(sc_pkcs15_card_t * p15card, + struct sc_asn1_entry asn1_cvcert[C_ASN1_CVCERT_SIZE]; + struct sc_asn1_entry asn1_cvc_body[C_ASN1_CVC_BODY_SIZE]; + struct sc_asn1_entry asn1_cvc_pubkey[C_ASN1_CVC_PUBKEY_SIZE]; +- unsigned int cla,tag; ++ unsigned int cla = 0, tag = 0; + size_t taglen; + size_t lenchr = sizeof(cvc->chr); + size_t lencar = sizeof(cvc->car); +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0005.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0005.patch new file mode 100644 index 000000000..7826f7e71 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0005.patch 
@@ -0,0 +1,34 @@ +From bde991b0fe4f0250243b0e4960978b1043c13b03 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 20 May 2024 21:31:38 +0200 +Subject: [PATCH] pkcs15init: Avoid using uninitialized memory + +Thanks Matteo Marini for report + +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-h5f7-rjr5-vx54 + +Signed-off-by: Jakub Jelen + +CVE: CVE-2024-45615 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/bde991b0fe4f0250243b0e4960978b1043c13b03] + +Signed-off-by: Zhang Peng +--- + src/pkcs15init/profile.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pkcs15init/profile.c b/src/pkcs15init/profile.c +index 74fbdcec1..16c2ddfea 100644 +--- a/src/pkcs15init/profile.c ++++ b/src/pkcs15init/profile.c +@@ -1807,7 +1807,7 @@ do_pin_storedlength(struct state *cur, int argc, char **argv) + static int + do_pin_flags(struct state *cur, int argc, char **argv) + { +- unsigned int flags; ++ unsigned int flags = 0; + int i, r; + + if (cur->pin->pin.auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN) +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb index 822e0ab97..9446237a0 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb 
@@ -26,6 +26,11 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \ file://CVE-2024-1454.patch \ file://CVE-2024-8443-0001.patch \ file://CVE-2024-8443-0002.patch \ + file://CVE-2024-45615-0001.patch \ + file://CVE-2024-45615-0002.patch \ + file://CVE-2024-45615-0003.patch \ + file://CVE-2024-45615-0004.patch \ + file://CVE-2024-45615-0005.patch \ " # CVE-2021-34193 is a duplicate CVE covering the 5 individual
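Review bot: in the cac_read_binary() hunk of CVE-2024-45615-0001.patch, `size_t tl_len = 0, val_len = 0, tlv_len;` still leaves `tlv_len` without an initial value, and the next declaration `size_t len, tl_head_len, cert_len;` is untouched, so four length variables in that function remain indeterminate after a patch titled "Fix uninitialized values". If each of them is assigned on every path before it is read, say so in the patch header; otherwise initialize them the same way cac_read_file() now does for `len`. Because the file is marked Upstream-Status: Backport, any extra initialization is better proposed upstream than carried as a local difference.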
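Review bot: in the piv_get_challenge() hunk of CVE-2024-45615-0002.patch, `unsigned int tag = 0, cla = 0;` only makes the values deterministic for the case the commit message names, where sc_asn1_read_tag() does not set them, and nothing in the visible lines rejects that case. Please confirm that the code after the declarations checks the result of sc_asn1_read_tag() and refuses the response when the tag was not read, so that a malformed card response fails closed instead of being compared against a default of 0. The same question applies to the identical `cla = 0, tag = 0` change in CVE-2024-45615-0004.patch.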
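Review bot: in the sc_pkcs15_get_name_from_dn() hunk of CVE-2024-45615-0003.patch, `size_t ava_len = 0, dummy_len, oid_len = 0;` initializes two of the three lengths while `dummy_len`, the pointers in `const u8 *ava, *dummy, *oidp;` and `struct sc_object_id oid;` directly above stay uninitialized. A length of 0 paired with an indeterminate pointer is easy to misuse in later edits; consider setting the pointers to NULL and zeroing `oid` in the same place, or note in the patch header why only `ava_len` and `oid_len` need it.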
From: peng.zhang1.cn@windriver.com
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 4/8] opensc: fix CVE-2024-45616
Date: Wed, 15 Jan 2025 15:24:24 +0800
Message-Id: <20250115072428.3667416-4-peng.zhang1.cn@windriver.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20250115072428.3667416-1-peng.zhang1.cn@windriver.com>
References: <20250115072428.3667416-1-peng.zhang1.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114888
From: Zhang Peng CVE-2024-45616: A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. The following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-45616] Upstream patches: [https://github.com/OpenSC/OpenSC/commit/1d3b410e06d33cfc4c70e8a25386e456cfbd7bd1] [https://github.com/OpenSC/OpenSC/commit/265b28344d036a462f38002d957a0636fda57614] [https://github.com/OpenSC/OpenSC/commit/e7177c7ca00200afea820d155dca67f38b232967] [https://github.com/OpenSC/OpenSC/commit/ef7b10a18e6a4d4f03f0c47ea81aa8136f3eca60] [https://github.com/OpenSC/OpenSC/commit/76115e34799906a64202df952a8a9915d30bc89d] [https://github.com/OpenSC/OpenSC/commit/16ada9dc7cddf1cb99516aea67b6752c251c94a2] [https://github.com/OpenSC/OpenSC/commit/3562969c90a71b0bcce979f0e6d627546073a7fc] [https://github.com/OpenSC/OpenSC/commit/cccdfc46b10184d1eea62d07fe2b06240b7fafbc] [https://github.com/OpenSC/OpenSC/commit/5fa758767e517779fc5398b6b4faedc4e36d3de5] [https://github.com/OpenSC/OpenSC/commit/aa102cd9abe1b0eaf537d9dd926844a46060d8bc] 
Signed-off-by: Zhang Peng --- .../opensc/files/CVE-2024-45616-0001.patch | 52 +++++++++++++ .../opensc/files/CVE-2024-45616-0002.patch | 48 ++++++++++++ .../opensc/files/CVE-2024-45616-0003.patch | 42 +++++++++++ .../opensc/files/CVE-2024-45616-0004.patch | 43 +++++++++++ .../opensc/files/CVE-2024-45616-0005.patch | 34 +++++++++ .../opensc/files/CVE-2024-45616-0006.patch | 50 +++++++++++++ .../opensc/files/CVE-2024-45616-0007.patch | 56 ++++++++++++++ .../opensc/files/CVE-2024-45616-0008.patch | 74 +++++++++++++++++++ .../opensc/files/CVE-2024-45616-0009.patch | 68 +++++++++++++++++ .../opensc/files/CVE-2024-45616-0010.patch | 33 +++++++++ .../recipes-support/opensc/opensc_0.22.0.bb | 10 +++ 11 files changed, 510 insertions(+) create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45616-0001.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45616-0002.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45616-0003.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45616-0004.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45616-0005.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45616-0006.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45616-0007.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45616-0008.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45616-0009.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45616-0010.patch diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0001.patch new file mode 100644 index 000000000..f4bebf039 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0001.patch 
@@ -0,0 +1,52 @@ +From 1d3b410e06d33cfc4c70e8a25386e456cfbd7bd1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Thu, 11 Jul 2024 15:27:19 +0200 +Subject: [PATCH] cardos: Fix uninitialized values + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_card/2 + +CVE: CVE-2024-45616 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/1d3b410e06d33cfc4c70e8a25386e456cfbd7bd1] + +Signed-off-by: Zhang Peng +--- + src/libopensc/card-cardos.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c +index 2e2d524333..a0e2322478 100644 +--- a/src/libopensc/card-cardos.c ++++ b/src/libopensc/card-cardos.c +@@ -94,14 +94,14 @@ static void fixup_transceive_length(const struct sc_card *card, + + static int cardos_match_card(sc_card_t *card) + { +- unsigned char atr[SC_MAX_ATR_SIZE]; ++ unsigned char atr[SC_MAX_ATR_SIZE] = { 0 }; + int i; + + i = _sc_match_atr(card, cardos_atrs, &card->type); + if (i < 0) + return 0; + +- memcpy(atr, card->atr.value, sizeof(atr)); ++ memcpy(atr, card->atr.value, card->atr.len); + + /* Do not change card type for CIE! */ + if (card->type == SC_CARD_TYPE_CARDOS_CIE_V1) +@@ -114,8 +114,8 @@ static int cardos_match_card(sc_card_t *card) + return 1; + if (card->type == SC_CARD_TYPE_CARDOS_M4_2) { + int rv; +- sc_apdu_t apdu; +- u8 rbuf[SC_MAX_APDU_BUFFER_SIZE]; ++ sc_apdu_t apdu = { 0 }; ++ u8 rbuf[SC_MAX_APDU_BUFFER_SIZE] = { 0 }; + /* first check some additional ATR bytes */ + if ((atr[4] != 0xff && atr[4] != 0x02) || + (atr[6] != 0x10 && atr[6] != 0x0a) || +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0002.patch new file mode 100644 index 000000000..012a9ecdb --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0002.patch 
@@ -0,0 +1,48 @@ +From 265b28344d036a462f38002d957a0636fda57614 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Thu, 1 Aug 2024 10:32:40 +0200 +Subject: [PATCH] card-cardos: Check length of APDU response + +CVE: CVE-2024-45616 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/265b28344d036a462f38002d957a0636fda57614] + +Signed-off-by: Zhang Peng +--- + src/libopensc/card-cardos.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c +index 124752d78b..595ec099e3 100644 +--- a/src/libopensc/card-cardos.c ++++ b/src/libopensc/card-cardos.c +@@ -94,7 +94,7 @@ static void fixup_transceive_length(const struct sc_card *card, + + static int cardos_match_card(sc_card_t *card) + { +- unsigned char atr[SC_MAX_ATR_SIZE] = { 0 }; ++ unsigned char atr[SC_MAX_ATR_SIZE] = {0}; + int i; + + i = _sc_match_atr(card, cardos_atrs, &card->type); +@@ -114,8 +114,8 @@ static int cardos_match_card(sc_card_t *card) + return 1; + if (card->type == SC_CARD_TYPE_CARDOS_M4_2) { + int rv; +- sc_apdu_t apdu = { 0 }; +- u8 rbuf[SC_MAX_APDU_BUFFER_SIZE] = { 0 }; ++ sc_apdu_t apdu = {0}; ++ u8 rbuf[SC_MAX_APDU_BUFFER_SIZE] = {0}; + /* first check some additional ATR bytes */ + if ((atr[4] != 0xff && atr[4] != 0x02) || + (atr[6] != 0x10 && atr[6] != 0x0a) || +@@ -131,7 +131,7 @@ static int cardos_match_card(sc_card_t *card) + apdu.lc = 0; + rv = sc_transmit_apdu(card, &apdu); + LOG_TEST_RET(card->ctx, rv, "APDU transmit failed"); +- if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00) ++ if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00 || apdu.resplen < 2) + return 0; + if (apdu.resp[0] != atr[10] || + apdu.resp[1] != atr[11]) +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0003.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0003.patch new file mode 100644 index 000000000..4c0d1ec30 --- /dev/null 
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0003.patch @@ -0,0 +1,42 @@ +From e7177c7ca00200afea820d155dca67f38b232967 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 20 May 2024 22:14:48 +0200 +Subject: [PATCH] cac: Correctly calculate certificate length based on the + resplen + +Thanks Matteo Marini for report + +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-h5f7-rjr5-vx54 + +Signed-off-by: Jakub Jelen + +CVE: CVE-2024-45616 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/e7177c7ca00200afea820d155dca67f38b232967] + +Signed-off-by: Zhang Peng +--- + src/libopensc/card-cac1.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/libopensc/card-cac1.c b/src/libopensc/card-cac1.c +index 50c0928f5..bbdbc0a8d 100644 +--- a/src/libopensc/card-cac1.c ++++ b/src/libopensc/card-cac1.c +@@ -95,12 +95,12 @@ static int cac_cac1_get_certificate(sc_card_t *card, u8 **out_buf, size_t *out_l + if (apdu.sw1 != 0x63 || apdu.sw2 < 1) { + /* we've either finished reading, or hit an error, break */ + r = sc_check_sw(card, apdu.sw1, apdu.sw2); +- left -= len; ++ left -= apdu.resplen; + break; + } + /* Adjust the lengths */ +- left -= len; +- out_ptr += len; ++ left -= apdu.resplen; ++ out_ptr += apdu.resplen; + len = MIN(left, apdu.sw2); + } + if (r < 0) { +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0004.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0004.patch new file mode 100644 index 000000000..603556388 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0004.patch 
@@ -0,0 +1,43 @@ +From ef7b10a18e6a4d4f03f0c47ea81aa8136f3eca60 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Thu, 18 Jul 2024 15:39:15 +0200 +Subject: [PATCH] card-oberthur: Check length of serial number + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs11/1, fuzz_pkcs15init/2 + +CVE: CVE-2024-45616 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/ef7b10a18e6a4d4f03f0c47ea81aa8136f3eca60] + +Signed-off-by: Zhang Peng +--- + src/libopensc/card-oberthur.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/libopensc/card-oberthur.c b/src/libopensc/card-oberthur.c +index 1fc40f7b3..bd45b6ff5 100644 +--- a/src/libopensc/card-oberthur.c ++++ b/src/libopensc/card-oberthur.c +@@ -148,7 +148,7 @@ auth_select_aid(struct sc_card *card) + { + struct sc_apdu apdu; + unsigned char apdu_resp[SC_MAX_APDU_BUFFER_SIZE]; +- struct auth_private_data *data = (struct auth_private_data *) card->drv_data; ++ struct auth_private_data *data = (struct auth_private_data *)card->drv_data; + int rv, ii; + struct sc_path tmp_path; + +@@ -165,6 +165,9 @@ auth_select_aid(struct sc_card *card) + + rv = sc_transmit_apdu(card, &apdu); + LOG_TEST_RET(card->ctx, rv, "APDU transmit failed"); ++ if (apdu.resplen < 20) { ++ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Serial number has incorrect length"); ++ } + card->serialnr.len = 4; + memcpy(card->serialnr.value, apdu.resp+15, 4); + +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0005.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0005.patch new file mode 100644 index 000000000..34e2a83d8 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0005.patch 
@@ -0,0 +1,34 @@ +From 76115e34799906a64202df952a8a9915d30bc89d Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 20 May 2024 21:19:15 +0200 +Subject: [PATCH] gids: Avoid using uninitialized memory + +Thanks Matteo Marini for report + +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-h5f7-rjr5-vx54 + +Signed-off-by: Jakub Jelen + +CVE: CVE-2024-45616 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/76115e34799906a64202df952a8a9915d30bc89d] + +Signed-off-by: Zhang Peng +--- + src/libopensc/card-gids.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libopensc/card-gids.c b/src/libopensc/card-gids.c +index f25e37de4..10960875d 100644 +--- a/src/libopensc/card-gids.c ++++ b/src/libopensc/card-gids.c +@@ -251,7 +251,7 @@ static int gids_get_DO(sc_card_t* card, int fileIdentifier, int dataObjectIdenti + LOG_TEST_RET(card->ctx, r, "gids get data failed"); + LOG_TEST_RET(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2), "invalid return"); + +- p = sc_asn1_find_tag(card->ctx, buffer, sizeof(buffer), dataObjectIdentifier, &datasize); ++ p = sc_asn1_find_tag(card->ctx, buffer, apdu.resplen, dataObjectIdentifier, &datasize); + if (!p) { + LOG_FUNC_RETURN(card->ctx, SC_ERROR_FILE_NOT_FOUND); + } +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0006.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0006.patch new file mode 100644 index 000000000..58b65b291 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0006.patch 
@@ -0,0 +1,50 @@ +From 16ada9dc7cddf1cb99516aea67b6752c251c94a2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Fri, 12 Jul 2024 15:04:19 +0200 +Subject: [PATCH] card-gids: Use actual length of reponse buffer + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs11/11 + +CVE: CVE-2024-45616 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/16ada9dc7cddf1cb99516aea67b6752c251c94a2] + +Signed-off-by: Zhang Peng +--- + src/libopensc/card-gids.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/libopensc/card-gids.c b/src/libopensc/card-gids.c +index f25e37de4..91e1e0569 100644 +--- a/src/libopensc/card-gids.c ++++ b/src/libopensc/card-gids.c +@@ -231,6 +231,7 @@ static int gids_get_DO(sc_card_t* card, int fileIdentifier, int dataObjectIdenti + size_t datasize = 0; + const u8* p; + u8 buffer[MAX_GIDS_FILE_SIZE]; ++ size_t buffer_len = sizeof(buffer); + + SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); + sc_log(card->ctx, +@@ -244,14 +245,15 @@ static int gids_get_DO(sc_card_t* card, int fileIdentifier, int dataObjectIdenti + apdu.data = data; + apdu.datalen = 04; + apdu.resp = buffer; +- apdu.resplen = sizeof(buffer); ++ apdu.resplen = buffer_len; + apdu.le = 256; + + r = sc_transmit_apdu(card, &apdu); + LOG_TEST_RET(card->ctx, r, "gids get data failed"); + LOG_TEST_RET(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2), "invalid return"); ++ buffer_len = apdu.resplen; + +- p = sc_asn1_find_tag(card->ctx, buffer, apdu.resplen, dataObjectIdentifier, &datasize); ++ p = sc_asn1_find_tag(card->ctx, buffer, buffer_len, dataObjectIdentifier, &datasize); + if (!p) { + LOG_FUNC_RETURN(card->ctx, SC_ERROR_FILE_NOT_FOUND); + } +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0007.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0007.patch new file mode 100644 index 000000000..d664e2133 
--- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0007.patch 
@@ -0,0 +1,56 @@ +From 3562969c90a71b0bcce979f0e6d627546073a7fc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Fri, 12 Jul 2024 14:16:24 +0200 +Subject: [PATCH] card-mcrd: Check length of response buffer in select + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs11/5,12 fuzz_pkcs15_crypt/9 + +CVE: CVE-2024-45616 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/3562969c90a71b0bcce979f0e6d627546073a7fc] + +Signed-off-by: Zhang Peng +--- + src/libopensc/card-mcrd.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/libopensc/card-mcrd.c b/src/libopensc/card-mcrd.c +index fb5d02f89..30812e8a6 100644 +--- a/src/libopensc/card-mcrd.c ++++ b/src/libopensc/card-mcrd.c +@@ -634,11 +634,13 @@ do_select(sc_card_t * card, u8 kind, + } + } + +- if (p2 == 0x04 && apdu.resp[0] == 0x62) { ++ if (p2 == 0x04 && apdu.resplen > 2 && apdu.resp[0] == 0x62) { + *file = sc_file_new(); + if (!*file) + LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY); + /* EstEID v3.0 cards are buggy and sometimes return a double 0x62 tag */ ++ if (apdu.resp[1] > apdu.resplen - 2) ++ LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_DATA); + if (card->type == SC_CARD_TYPE_MCRD_ESTEID_V30 && apdu.resp[2] == 0x62) + process_fcp(card, *file, apdu.resp + 4, apdu.resp[3]); + else +@@ -646,12 +648,13 @@ do_select(sc_card_t * card, u8 kind, + return SC_SUCCESS; + } + +- if (p2 != 0x0C && apdu.resp[0] == 0x6F) { ++ if (p2 != 0x0C && apdu.resplen > 2 && apdu.resp[0] == 0x6F) { + *file = sc_file_new(); + if (!*file) + LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY); +- if (apdu.resp[1] <= apdu.resplen) +- process_fcp(card, *file, apdu.resp + 2, apdu.resp[1]); ++ if (apdu.resp[1] > apdu.resplen - 2) ++ LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_DATA); ++ process_fcp(card, *file, apdu.resp + 2, apdu.resp[1]); + return SC_SUCCESS; + } + return SC_SUCCESS; +-- 
+2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0008.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0008.patch new file mode 100644 index 000000000..bdd56fb47 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0008.patch 
@@ -0,0 +1,74 @@ +From cccdfc46b10184d1eea62d07fe2b06240b7fafbc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Fri, 12 Jul 2024 13:16:56 +0200 +Subject: [PATCH] card-dnie: Check APDU response length and ASN1 lengths + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs15_decode/10, fuzz_pkcs15_encode/12 + +CVE: CVE-2024-45616 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/cccdfc46b10184d1eea62d07fe2b06240b7fafbc] + +Signed-off-by: Zhang Peng +--- + src/libopensc/asn1.c | 4 +++- + src/libopensc/card-dnie.c | 8 ++++++-- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/libopensc/asn1.c b/src/libopensc/asn1.c +index 08ef56149c..548263a2da 100644 +--- a/src/libopensc/asn1.c ++++ b/src/libopensc/asn1.c +@@ -68,7 +68,7 @@ int sc_asn1_read_tag(const u8 ** buf, size_t buflen, unsigned int *cla_out, + + *buf = NULL; + +- if (left == 0 || !p) ++ if (left == 0 || !p || buflen == 0) + return SC_ERROR_INVALID_ASN1_OBJECT; + if (*p == 0xff || *p == 0) { + /* end of data reached */ +@@ -83,6 +83,8 @@ int sc_asn1_read_tag(const u8 ** buf, size_t buflen, unsigned int *cla_out, + */ + cla = (*p & SC_ASN1_TAG_CLASS) | (*p & SC_ASN1_TAG_CONSTRUCTED); + tag = *p & SC_ASN1_TAG_PRIMITIVE; ++ if (left < 1) ++ return SC_ERROR_INVALID_ASN1_OBJECT; + p++; + left--; + if (tag == SC_ASN1_TAG_PRIMITIVE) { +diff --git a/src/libopensc/card-dnie.c b/src/libopensc/card-dnie.c +index 2c36ddf5c..25c15b2b7 100644 +--- a/src/libopensc/card-dnie.c ++++ b/src/libopensc/card-dnie.c +@@ -1185,12 +1185,16 @@ static int dnie_compose_and_send_apdu(sc_card_t *card, const u8 *path, size_t pa + + if (file_out) { + /* finally process FCI response */ ++ size_t len = apdu.resp[1]; + sc_file_free(*file_out); + *file_out = sc_file_new(); + if (*file_out == NULL) { + LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY); + } +- res = card->ops->process_fci(card, *file_out, apdu.resp 
+ 2, apdu.resp[1]); ++ if (apdu.resplen - 2 < len || len < 1) { ++ LOG_FUNC_RETURN(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED); ++ } ++ res = card->ops->process_fci(card, *file_out, apdu.resp + 2, len); + } + LOG_FUNC_RETURN(ctx, res); + } +@@ -1948,7 +1952,7 @@ static int dnie_process_fci(struct sc_card *card, + int *op = df_acl; + int n = 0; + sc_context_t *ctx = NULL; +- if ((card == NULL) || (card->ctx == NULL) || (file == NULL)) ++ if ((card == NULL) || (card->ctx == NULL) || (file == NULL) || buflen == 0) + return SC_ERROR_INVALID_ARGUMENTS; + ctx = card->ctx; + LOG_FUNC_CALLED(ctx); +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0009.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0009.patch new file mode 100644 index 000000000..f4c3e231e --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0009.patch 
@@ -0,0 +1,68 @@ +From 5fa758767e517779fc5398b6b4faedc4e36d3de5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Fri, 12 Jul 2024 14:03:59 +0200 +Subject: [PATCH] muscle: Report invalid SW when reading object + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs11/20, fuzz_pkcs15init/10 + +CVE: CVE-2024-45616 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/5fa758767e517779fc5398b6b4faedc4e36d3de5] + +Signed-off-by: Zhang Peng +--- + src/libopensc/muscle.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/src/libopensc/muscle.c b/src/libopensc/muscle.c +index a749657df..b30173ec6 100644 +--- a/src/libopensc/muscle.c ++++ b/src/libopensc/muscle.c +@@ -92,33 +92,34 @@ int msc_partial_read_object(sc_card_t *card, msc_id objectId, int offset, u8 *da + apdu.resp = data; + r = sc_transmit_apdu(card, &apdu); + LOG_TEST_RET(card->ctx, r, "APDU transmit failed"); +- if(apdu.sw1 == 0x90 && apdu.sw2 == 0x00) ++ if (apdu.sw1 == 0x90 && apdu.sw2 == 0x00 && dataLength <= apdu.resplen) + return dataLength; +- if(apdu.sw1 == 0x9C) { +- if(apdu.sw2 == 0x07) { ++ if (apdu.sw1 == 0x9C) { ++ if (apdu.sw2 == 0x07) { + SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_FILE_NOT_FOUND); +- } else if(apdu.sw2 == 0x06) { ++ } else if (apdu.sw2 == 0x06) { + SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_NOT_ALLOWED); +- } else if(apdu.sw2 == 0x0F) { ++ } else if (apdu.sw2 == 0x0F) { + /* GUESSED */ + SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_INVALID_ARGUMENTS); + } + } + sc_log(card->ctx, + "got strange SWs: 0x%02X 0x%02X\n", apdu.sw1, apdu.sw2); +- return dataLength; +- ++ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_UNKNOWN_DATA_RECEIVED); + } + + int msc_read_object(sc_card_t *card, msc_id objectId, int offset, u8 *data, size_t dataLength) + { +- int r; ++ int r = 0; + size_t i; + 
size_t max_read_unit = MSC_MAX_READ; + +- for(i = 0; i < dataLength; i += max_read_unit) { ++ for(i = 0; i < dataLength; i += r) { + r = msc_partial_read_object(card, objectId, offset + i, data + i, MIN(dataLength - i, max_read_unit)); + LOG_TEST_RET(card->ctx, r, "Error in partial object read"); ++ if (r == 0) ++ break; + } + return dataLength; + } +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0010.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0010.patch new file mode 100644 index 000000000..4a7752b28 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45616-0010.patch @@ -0,0 +1,33 @@ +From aa102cd9abe1b0eaf537d9dd926844a46060d8bc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Tue, 23 Jul 2024 10:48:32 +0200 +Subject: [PATCH] card-entersafe: Check length of serial number + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs15_reader/5 + +CVE: CVE-2024-45616 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/aa102cd9abe1b0eaf537d9dd926844a46060d8bc] + +Signed-off-by: Zhang Peng +--- + src/libopensc/card-entersafe.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/libopensc/card-entersafe.c b/src/libopensc/card-entersafe.c +index 6372913d0..305323fd5 100644 +--- a/src/libopensc/card-entersafe.c ++++ b/src/libopensc/card-entersafe.c +@@ -1468,6 +1468,8 @@ static int entersafe_get_serialnr(sc_card_t *card, sc_serial_number_t *serial) + r=entersafe_transmit_apdu(card, &apdu,0,0,0,0); + LOG_TEST_RET(card->ctx, r, "APDU transmit failed"); + LOG_TEST_RET(card->ctx, sc_check_sw(card,apdu.sw1,apdu.sw2),"EnterSafe get SN failed"); ++ if (apdu.resplen != 8) ++ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of SN"); + + card->serialnr.len=serial->len=8; + memcpy(card->serialnr.value,rbuf,8); +-- +2.34.1 
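Review bot: In the first do_select hunk of card-mcrd.c (CVE-2024-45616-0007.patch), the EstEID v3.0 double-tag branch still reads apdu.resp[3] and passes apdu.resp + 4 with that length to process_fcp, while the new guards only establish apdu.resplen > 2 and bound apdu.resp[1] against apdu.resplen - 2. With a 3-byte response, resp[3] lies past the received data, and resp[3] is never compared with the bytes that remain after offset 4. Suggest requiring apdu.resplen > 4 and apdu.resp[3] <= apdu.resplen - 4 before taking that branch. The new SC_ERROR_INVALID_DATA return also sits after *file = sc_file_new(), so the caller is handed an allocated file on the error path; doing the length check before the allocation (here and in the 0x6F hunk below it) avoids that. The "EstEID v3.0 cards are buggy" comment now precedes the length check rather than the branch it describes.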
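Review bot: In the second sc_asn1_read_tag hunk of asn1.c (CVE-2024-45616-0008.patch), the added "if (left < 1)" test comes after *p has already been dereferenced twice to compute cla and tag, so it cannot protect those reads; as placed it only guards the p++ / left-- that follow. It also appears to repeat the "left == 0" condition that the first hunk keeps at the top of the function. Suggest moving the test above the "cla = ..." line, or dropping it if the earlier check already covers this point.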
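Review bot: In the dnie_compose_and_send_apdu hunk of card-dnie.c (CVE-2024-45616-0008.patch), "size_t len = apdu.resp[1];" reads the response before any check of apdu.resplen visible in the hunk, and the guard "apdu.resplen - 2 < len" wraps around when resplen is 0 or 1, because resplen is an unsigned size_t. In that case the subtraction yields a very large value, the comparison is false, and a short response with a non-zero resp[1] reaches process_fci with apdu.resp + 2. Suggest testing apdu.resplen < 2 first, then reading resp[1] and rejecting len > apdu.resplen - 2. The error return also fires after *file_out = sc_file_new(), so the caller receives an allocated file together with SC_ERROR_UNKNOWN_DATA_RECEIVED.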
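Review bot: In the msc_read_object part of the muscle.c hunk (CVE-2024-45616-0009.patch), the new "if (r == 0) break;" leaves the loop early but the function still ends with "return dataLength;", so a read that stopped short would be reported to the caller as complete. Returning the number of bytes actually read (i) or an error in that case would match the intent of the change. In msc_partial_read_object, a 0x90 0x00 status with apdu.resplen shorter than dataLength now falls through to the "got strange SWs" log line, which will print 0x90 0x00; a separate message for the short response would make that failure distinguishable in the logs.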
diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb index 9446237a0..ec0149670 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb 
@@ -31,6 +31,16 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \ file://CVE-2024-45615-0003.patch \ file://CVE-2024-45615-0004.patch \ file://CVE-2024-45615-0005.patch \ + file://CVE-2024-45616-0001.patch \ + file://CVE-2024-45616-0002.patch \ + file://CVE-2024-45616-0003.patch \ + file://CVE-2024-45616-0004.patch \ + file://CVE-2024-45616-0005.patch \ + file://CVE-2024-45616-0006.patch \ + file://CVE-2024-45616-0007.patch \ + file://CVE-2024-45616-0008.patch \ + file://CVE-2024-45616-0009.patch \ + file://CVE-2024-45616-0010.patch \ " # CVE-2021-34193 is a duplicate CVE covering the 5 individual
From patchwork Wed Jan 15 07:24:25 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peng Zhang
X-Patchwork-Id: 55549
From: peng.zhang1.cn@windriver.com
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 5/8] opensc: fix CVE-2024-45617
Date: Wed, 15 Jan 2025 15:24:25 +0800
Message-Id: <20250115072428.3667416-5-peng.zhang1.cn@windriver.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20250115072428.3667416-1-peng.zhang1.cn@windriver.com>
References: <20250115072428.3667416-1-peng.zhang1.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114889

From: Zhang Peng

CVE-2024-45617: A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized.

Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-45617]

Upstream patches:
[https://github.com/OpenSC/OpenSC/commit/fdb9e903eb124b6b18a5a9350a26eceb775585bc]
[https://github.com/OpenSC/OpenSC/commit/fdb9e903eb124b6b18a5a9350a26eceb775585bc]
[https://github.com/OpenSC/OpenSC/commit/efbc14ffa190e3e0ceecceb479024bb778b0ab68]

Signed-off-by: Zhang Peng --- .../opensc/files/CVE-2024-45617-0001.patch | 38 +++++++++++++++++++ .../opensc/files/CVE-2024-45617-0002.patch | 33 ++++++++++++++++ .../opensc/files/CVE-2024-45617-0003.patch | 33 ++++++++++++++++ .../recipes-support/opensc/opensc_0.22.0.bb | 3 ++ 4 files changed, 107 insertions(+) create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45617-0001.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45617-0002.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45617-0003.patch diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0001.patch new file mode 100644 index 000000000..e750c7b51 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0001.patch 
@@ -0,0 +1,38 @@ +From fdb9e903eb124b6b18a5a9350a26eceb775585bc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Tue, 16 Jul 2024 14:05:36 +0200 +Subject: [PATCH] cac: Check return value when selecting AID + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs11/14 + +CVE: CVE-2024-45617 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/fdb9e903eb124b6b18a5a9350a26eceb775585bc] + +Signed-off-by: Zhang Peng +--- + src/libopensc/card-cac.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c +index 4c3bc89bd..f910f64d3 100644 +--- a/src/libopensc/card-cac.c ++++ b/src/libopensc/card-cac.c +@@ -1302,10 +1302,10 @@ static int cac_parse_aid(sc_card_t *card, cac_private_data_t *priv, const u8 *ai + /* Call without OID set will just select the AID without subsequent + * OID selection, which we need to figure out just now + */ +- cac_select_file_by_type(card, &new_object.path, NULL); ++ r = cac_select_file_by_type(card, &new_object.path, NULL); ++ LOG_TEST_RET(card->ctx, r, "Cannot select AID"); + r = cac_get_properties(card, &prop); +- if (r < 0) +- return SC_ERROR_INTERNAL; ++ LOG_TEST_RET(card->ctx, r, "Cannot get CAC properties"); + + for (i = 0; i < prop.num_objects; i++) { + /* don't fail just because we have more certs than we can support */ +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0002.patch new file mode 100644 index 000000000..617f95d45 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0002.patch 
@@ -0,0 +1,33 @@ +From 21d869b77792b6f189eebf373e399747177d99e2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Tue, 16 Jul 2024 14:29:01 +0200 +Subject: [PATCH] cardos: Return error when response length is 0 + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs11/18 + +CVE: CVE-2024-45617 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/fdb9e903eb124b6b18a5a9350a26eceb775585bc] + +Signed-off-by: Zhang Peng +--- + src/libopensc/card-cardos.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c +index 9906f6c72..6f10943a5 100644 +--- a/src/libopensc/card-cardos.c ++++ b/src/libopensc/card-cardos.c +@@ -1278,7 +1278,7 @@ cardos_lifecycle_get(sc_card_t *card, int *mode) + LOG_TEST_RET(card->ctx, r, "Card returned error"); + + if (apdu.resplen < 1) { +- LOG_TEST_RET(card->ctx, r, "Lifecycle byte not in response"); ++ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Lifecycle byte not in response"); + } + + r = SC_SUCCESS; +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0003.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0003.patch new file mode 100644 index 000000000..cfb16b31b --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45617-0003.patch 
@@ -0,0 +1,33 @@ +From efbc14ffa190e3e0ceecceb479024bb778b0ab68 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Wed, 17 Jul 2024 10:39:52 +0200 +Subject: [PATCH] card-jpki: Check number of read bytes + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs15_encode/18 + +CVE: CVE-2024-45617 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/efbc14ffa190e3e0ceecceb479024bb778b0ab68] + +Signed-off-by: Zhang Peng +--- + src/libopensc/card-jpki.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/libopensc/card-jpki.c b/src/libopensc/card-jpki.c +index 6e4d0f3165..71339491d1 100644 +--- a/src/libopensc/card-jpki.c ++++ b/src/libopensc/card-jpki.c +@@ -195,6 +195,8 @@ jpki_select_file(struct sc_card *card, + u8 buf[4]; + rc = sc_read_binary(card, 0, buf, 4, 0); + LOG_TEST_RET(card->ctx, rc, "SW Check failed"); ++ if (rc < 4) ++ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Received data too short"); + file = sc_file_new(); + if (!file) { + LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY); +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb index ec0149670..89e2e0d5a 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb 
@@ -41,6 +41,9 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \ file://CVE-2024-45616-0008.patch \ file://CVE-2024-45616-0009.patch \ file://CVE-2024-45616-0010.patch \ + file://CVE-2024-45617-0001.patch \ + file://CVE-2024-45617-0002.patch \ + file://CVE-2024-45617-0003.patch \ " # CVE-2021-34193 is a duplicate CVE covering the 5 individual
From patchwork Wed Jan 15 07:24:26 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peng Zhang
X-Patchwork-Id: 55548
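Review bot: CVE-2024-45617-0002.patch (cardos: Return error when response length is 0) records the wrong upstream commit in its Upstream-Status line: the patch's From line is 21d869b77792b6f189eebf373e399747177d99e2, but the Backport URL points at fdb9e903eb124b6b18a5a9350a26eceb775585bc, which is the commit already used for CVE-2024-45617-0001.patch. The "Upstream patches" list in the PATCH 5/8 message repeats that fdb9e903 URL twice as well, so the cardos commit is not referenced anywhere. Suggest pointing both at the commit named in the From line so the backport can be traced and re-verified against upstream.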
From: peng.zhang1.cn@windriver.com
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 6/8] opensc: fix CVE-2024-45618
Date: Wed, 15 Jan 2025 15:24:26 +0800
Message-Id: <20250115072428.3667416-6-peng.zhang1.cn@windriver.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20250115072428.3667416-1-peng.zhang1.cn@windriver.com>
References: <20250115072428.3667416-1-peng.zhang1.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114890

From: Zhang Peng

CVE-2024-45618:
A vulnerability was found in pkcs15-init in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-45618]

Upstream patches:
[https://github.com/OpenSC/OpenSC/commit/8632ec172beda894581d67eaa991e519a7874f7d]
[https://github.com/OpenSC/OpenSC/commit/f9d68660f032ad4d7803431d5fc7577ea8792ac3]

Signed-off-by: Zhang Peng
---
 .../opensc/files/CVE-2024-45618-0001.patch | 42 +++++++++++++++++++
 .../opensc/files/CVE-2024-45618-0002.patch | 42 +++++++++++++++++++
 .../recipes-support/opensc/opensc_0.22.0.bb | 2 +
 3 files changed, 86 insertions(+)
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45618-0001.patch
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45618-0002.patch

diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0001.patch new file mode 100644 index 000000000..76311bd1a --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0001.patch
@@ -0,0 +1,42 @@ +From 8632ec172beda894581d67eaa991e519a7874f7d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Wed, 17 Jul 2024 11:18:52 +0200 +Subject: [PATCH] pkcs15-tcos: Check return value of serial num conversion + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs15_encode/21 + +CVE: CVE-2024-45618 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/8632ec172beda894581d67eaa991e519a7874f7d] + +Signed-off-by: Zhang Peng +--- + src/libopensc/pkcs15-tcos.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c +index a78b9aee5..9f44de6e5 100644 +--- a/src/libopensc/pkcs15-tcos.c ++++ b/src/libopensc/pkcs15-tcos.c +@@ -530,10 +530,15 @@ int sc_pkcs15emu_tcos_init_ex( + /* get the card serial number */ + r = sc_card_ctl(card, SC_CARDCTL_GET_SERIALNR, &serialnr); + if (r < 0) { +- sc_log(ctx, "unable to get ICCSN\n"); ++ sc_log(ctx, "unable to get ICCSN"); + return SC_ERROR_WRONG_CARD; + } +- sc_bin_to_hex(serialnr.value, serialnr.len , serial, sizeof(serial), 0); ++ r = sc_bin_to_hex(serialnr.value, serialnr.len, serial, sizeof(serial), 0); ++ if (r != SC_SUCCESS) { ++ sc_log(ctx, "serial number invalid"); ++ return SC_ERROR_INTERNAL; ++ } ++ + serial[19] = '\0'; + set_string(&p15card->tokeninfo->serial_number, serial); + +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0002.patch new file mode 100644 index 000000000..82e52e3cc --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45618-0002.patch 
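Review bot: in CVE-2024-45618-0001.patch, sc_pkcs15emu_tcos_init_ex() still writes the terminator with the hard-coded `serial[19] = '\0';` right after the new check, while the conversion itself is bounded by `sizeof(serial)`. If 19 is meant to be the last element, `serial[sizeof(serial) - 1] = '\0';` keeps the two tied together; if it is a deliberate truncation to 19 characters, a short comment should say so. The new failure path returns SC_ERROR_INTERNAL for a serial number that was obtained from the card, whereas the sc_card_ctl() failure just above returns SC_ERROR_WRONG_CARD, so the choice of error code deserves a word in the commit message.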
@@ -0,0 +1,42 @@ +From f9d68660f032ad4d7803431d5fc7577ea8792ac3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Wed, 17 Jul 2024 14:56:22 +0200 +Subject: [PATCH] pkcs15-lib: Report transport key error + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs15init/17, fuzz_pkcs15init/18 + +CVE: CVE-2024-45618 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/f9d68660f032ad4d7803431d5fc7577ea8792ac3] + +Signed-off-by: Zhang Peng +--- + src/pkcs15init/pkcs15-lib.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c +index f297a5f48..f4cbaa694 100644 +--- a/src/pkcs15init/pkcs15-lib.c ++++ b/src/pkcs15init/pkcs15-lib.c +@@ -3767,13 +3767,15 @@ sc_pkcs15init_get_transport_key(struct sc_profile *profile, struct sc_pkcs15_car + if (callbacks.get_key) { + rv = callbacks.get_key(profile, type, reference, defbuf, defsize, pinbuf, pinsize); + LOG_TEST_RET(ctx, rv, "Cannot get key"); +- } +- else if (rv >= 0) { ++ } else if (rv >= 0) { + if (*pinsize < defsize) + LOG_TEST_RET(ctx, SC_ERROR_BUFFER_TOO_SMALL, "Get transport key error"); + + memcpy(pinbuf, data.key_data, data.len); + *pinsize = data.len; ++ } else { ++ /* pinbuf and pinsize were not filled */ ++ LOG_TEST_RET(ctx, SC_ERROR_INTERNAL, "Get transport key error"); + } + + memset(&auth_info, 0, sizeof(auth_info)); +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb index 89e2e0d5a..641d6a807 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb 
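Review bot: in CVE-2024-45618-0002.patch, the `rv >= 0` branch of sc_pkcs15init_get_transport_key() guards the copy with `*pinsize < defsize`, but the `memcpy(pinbuf, data.key_data, data.len)` that follows copies `data.len` bytes, and nothing in the hunk relates `data.len` to `defsize` or to `*pinsize`. The new else branch closes the case where pinbuf and pinsize were never filled; the guard in the middle branch should additionally compare `data.len` against `*pinsize` before the copy. The else branch also replaces the original negative `rv` with SC_ERROR_INTERNAL, so the caller no longer sees the underlying error; passing `rv` to LOG_TEST_RET there would preserve it.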
@@ -44,6 +44,8 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \ file://CVE-2024-45617-0001.patch \ file://CVE-2024-45617-0002.patch \ file://CVE-2024-45617-0003.patch \ + file://CVE-2024-45618-0001.patch \ + file://CVE-2024-45618-0002.patch \ " # CVE-2021-34193 is a duplicate CVE covering the 5 individual

From patchwork Wed Jan 15 07:24:27 2025
X-Patchwork-Submitter: Peng Zhang
X-Patchwork-Id: 55547
From: peng.zhang1.cn@windriver.com
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 7/8] opensc: fix CVE-2024-45619
Date: Wed, 15 Jan 2025 15:24:27 +0800
Message-Id: <20250115072428.3667416-7-peng.zhang1.cn@windriver.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20250115072428.3667416-1-peng.zhang1.cn@windriver.com>
References: <20250115072428.3667416-1-peng.zhang1.cn@windriver.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114891
From: Zhang Peng

CVE-2024-45619:
A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-45619]

Upstream patches:
[https://github.com/OpenSC/OpenSC/commit/f01bfbd19b9c8243a40f7f17d554fe0eb9e89d0d]
[https://github.com/OpenSC/OpenSC/commit/a1d8c01c1cabd115dda8c298941d1786fb4c5c2f]
[https://github.com/OpenSC/OpenSC/commit/673065630bf4aaf03c370fc791ef6a6239431214]
[https://github.com/OpenSC/OpenSC/commit/e20ca25204c9c5e36f53ae92ddf017cd17d07e31]
[https://github.com/OpenSC/OpenSC/commit/2b6cd52775b5448f6a993922a30c7a38d9626134]
[https://github.com/OpenSC/OpenSC/commit/dd554a2e1e31e6cb75c627c653652696d61e8de8]

Signed-off-by: Zhang Peng
---
 .../opensc/files/CVE-2024-45619-0001.patch | 34 +++++++
 .../opensc/files/CVE-2024-45619-0002.patch | 91 +++++++++++++++++++
 .../opensc/files/CVE-2024-45619-0003.patch | 83 +++++++++++++++++
 .../opensc/files/CVE-2024-45619-0004.patch | 49 ++++++++++
 .../opensc/files/CVE-2024-45619-0005.patch | 33 +++++++
 .../opensc/files/CVE-2024-45619-0006.patch | 63 +++++++++++++
 .../recipes-support/opensc/opensc_0.22.0.bb | 6 ++
 7 files changed, 359 insertions(+)
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45619-0001.patch
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45619-0002.patch
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45619-0003.patch
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45619-0004.patch
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45619-0005.patch
 create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45619-0006.patch
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0001.patch new file mode 100644 index 000000000..db2d5f4d8 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0001.patch @@ -0,0 +1,34 @@ +From f01bfbd19b9c8243a40f7f17d554fe0eb9e89d0d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Tue, 16 Jul 2024 14:22:02 +0200 +Subject: [PATCH] pkcs15-tcos: Check number of read bytes for cert + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs11/15 + +CVE: CVE-2024-45619 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/f01bfbd19b9c8243a40f7f17d554fe0eb9e89d0d] + +Signed-off-by: Zhang Peng +--- + src/libopensc/pkcs15-tcos.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c +index a84001e122..4d02a98ee1 100644 +--- a/src/libopensc/pkcs15-tcos.c ++++ b/src/libopensc/pkcs15-tcos.c +@@ -62,7 +62,8 @@ static int insert_cert( + "Select(%s) failed\n", path); + return 1; + } +- if(sc_read_binary(card, 0, cert, sizeof(cert), 0)<0){ ++ r = sc_read_binary(card, 0, cert, sizeof(cert), 0); ++ if (r <= 0){ + sc_log(ctx, + "ReadBinary(%s) failed\n", path); + return 2; +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0002.patch new file mode 100644 index 000000000..217bb4919 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0002.patch 
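Review bot: in CVE-2024-45619-0001.patch, the new `if (r <= 0)` in insert_cert() only rejects a failed or empty read; a short read of fewer than `sizeof(cert)` bytes still passes, and this hunk does not carry `r` forward as a length. That part is supplied by CVE-2024-45619-0002.patch (`cert_len = r`), so the two patches have to stay together and in this order in SRC_URI. Style: `if (r <= 0){` is missing the space before the brace, which 0002 then has to touch again.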
@@ -0,0 +1,91 @@ +From a1d8c01c1cabd115dda8c298941d1786fb4c5c2f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Wed, 17 Jul 2024 12:53:52 +0200 +Subject: [PATCH] pkcs15-tcos: Check certificate length before accessing + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs15_encode/8 + +CVE: CVE-2024-45619 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/a1d8c01c1cabd115dda8c298941d1786fb4c5c2f] + +Signed-off-by: Zhang Peng +--- + src/libopensc/pkcs15-tcos.c | 35 +++++++++++++++++++++-------------- + 1 file changed, 21 insertions(+), 14 deletions(-) + +diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c +index 2bd275c4f4..ecaa66edf2 100644 +--- a/src/libopensc/pkcs15-tcos.c ++++ b/src/libopensc/pkcs15-tcos.c +@@ -45,6 +45,7 @@ static int insert_cert( + struct sc_pkcs15_cert_info cert_info; + struct sc_pkcs15_object cert_obj; + unsigned char cert[20]; ++ size_t cert_len = 0; + int r; + + memset(&cert_info, 0, sizeof(cert_info)); +@@ -57,25 +58,31 @@ static int insert_cert( + strlcpy(cert_obj.label, label, sizeof(cert_obj.label)); + cert_obj.flags = writable ? 
SC_PKCS15_CO_FLAG_MODIFIABLE : 0; + +- if(sc_select_file(card, &cert_info.path, NULL)!=SC_SUCCESS){ +- sc_log(ctx, +- "Select(%s) failed\n", path); ++ if (sc_select_file(card, &cert_info.path, NULL) != SC_SUCCESS) { ++ sc_log(ctx, "Select(%s) failed", path); + return 1; + } + r = sc_read_binary(card, 0, cert, sizeof(cert), 0); +- if (r <= 0){ +- sc_log(ctx, +- "ReadBinary(%s) failed\n", path); ++ if (r <= 0) { ++ sc_log(ctx, "ReadBinary(%s) failed\n", path); + return 2; + } +- if(cert[0]!=0x30 || cert[1]!=0x82){ +- sc_log(ctx, +- "Invalid Cert: %02X:%02X:...\n", cert[0], cert[1]); ++ cert_len = r; /* actual number of read bytes */ ++ if (cert_len < 7 || (size_t)(7 + cert[5]) > cert_len) { ++ sc_log(ctx, "Invalid certificate length"); ++ return 3; ++ } ++ if (cert[0] != 0x30 || cert[1] != 0x82) { ++ sc_log(ctx, "Invalid Cert: %02X:%02X:...\n", cert[0], cert[1]); + return 3; + } + + /* some certificates are prefixed by an OID */ +- if(cert[4]==0x06 && cert[5]<10 && cert[6+cert[5]]==0x30 && cert[7+cert[5]]==0x82){ ++ if (cert[4] == 0x06 && cert[5] < 10 && cert[6 + cert[5]] == 0x30 && cert[7 + cert[5]] == 0x82) { ++ if ((size_t)(9 + cert[5]) > cert_len) { ++ sc_log(ctx, "Invalid certificate length"); ++ return 3; ++ } + cert_info.path.index=6+cert[5]; + cert_info.path.count=(cert[8+cert[5]]<<8) + cert[9+cert[5]] + 4; + } else { +@@ -83,12 +90,12 @@ static int insert_cert( + cert_info.path.count=(cert[2]<<8) + cert[3] + 4; + } + +- r=sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info); +- if(r!=SC_SUCCESS){ +- sc_log(ctx, "sc_pkcs15emu_add_x509_cert(%s) failed\n", path); ++ r = sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info); ++ if (r != SC_SUCCESS) { ++ sc_log(ctx, "sc_pkcs15emu_add_x509_cert(%s) failed", path); + return 4; + } +- sc_log(ctx, "%s: OK, Index=%d, Count=%d\n", path, cert_info.path.index, cert_info.path.count); ++ sc_log(ctx, "%s: OK, Index=%d, Count=%d", path, cert_info.path.index, cert_info.path.count); + return 0; + } + +-- +2.34.1 
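Review bot: in CVE-2024-45619-0002.patch, the first new bound in insert_cert(), `(size_t)(7 + cert[5]) > cert_len`, is applied before the `cert[4] == 0x06` test that establishes `cert[5]` as an OID length. For a certificate without the OID prefix (the else branch that uses `cert[2]` and `cert[3]`), `cert[5]` is just the sixth byte of the data, and with at most `sizeof(cert)` = 20 bytes read any value above 13 makes the function return 3; the bound belongs inside the OID-prefix case. Both bounds are also one short: `7 + cert[5] == cert_len` passes while `cert[7 + cert[5]]` is read, and `9 + cert[5] == cert_len` passes while `cert[9 + cert[5]]` is read, so both comparisons should use `>=`.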
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0003.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0003.patch new file mode 100644 index 000000000..9775bf8fb --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0003.patch 
@@ -0,0 +1,83 @@ +From 673065630bf4aaf03c370fc791ef6a6239431214 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Wed, 17 Jul 2024 09:15:43 +0200 +Subject: [PATCH] pkcs15-gemsafeV1: Check length of buffer for object + +Number of actually read bytes may differ from +the stated object length. + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs15_crypt/15 + +CVE: CVE-2024-45619 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/673065630bf4aaf03c370fc791ef6a6239431214] + +Signed-off-by: Zhang Peng +--- + src/libopensc/pkcs15-gemsafeV1.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/src/libopensc/pkcs15-gemsafeV1.c b/src/libopensc/pkcs15-gemsafeV1.c +index add4c3e68..46cc420bf 100644 +--- a/src/libopensc/pkcs15-gemsafeV1.c ++++ b/src/libopensc/pkcs15-gemsafeV1.c +@@ -168,6 +168,7 @@ static int gemsafe_get_cert_len(sc_card_t *card) + struct sc_file *file; + size_t objlen, certlen; + unsigned int ind, i=0; ++ int read_len; + + sc_format_path(GEMSAFE_PATH, &path); + r = sc_select_file(card, &path, &file); +@@ -176,9 +177,11 @@ static int gemsafe_get_cert_len(sc_card_t *card) + sc_file_free(file); + + /* Initial read */ +- r = sc_read_binary(card, 0, ibuf, GEMSAFE_READ_QUANTUM, 0); +- if (r < 0) ++ read_len = sc_read_binary(card, 0, ibuf, GEMSAFE_READ_QUANTUM, 0); ++ if (read_len <= 2) { ++ sc_log(card->ctx, "Invalid size of object data: %d", read_len); + return SC_ERROR_INTERNAL; ++ } + + /* Actual stored object size is encoded in first 2 bytes + * (allocated EF space is much greater!) +@@ -207,7 +210,7 @@ static int gemsafe_get_cert_len(sc_card_t *card) + * the private key. 
+ */ + ind = 2; /* skip length */ +- while (ibuf[ind] == 0x01 && i < gemsafe_cert_max) { ++ while (ind + 1 < (size_t)read_len && ibuf[ind] == 0x01 && i < gemsafe_cert_max) { + if (ibuf[ind+1] == 0xFE) { + gemsafe_prkeys[i].ref = ibuf[ind+4]; + sc_log(card->ctx, "Key container %d is allocated and uses key_ref %d", +@@ -234,7 +237,7 @@ static int gemsafe_get_cert_len(sc_card_t *card) + /* Read entire file, then dissect in memory. + * Gemalto ClassicClient seems to do it the same way. + */ +- iptr = ibuf + GEMSAFE_READ_QUANTUM; ++ iptr = ibuf + read_len; + while ((size_t)(iptr - ibuf) < objlen) { + r = sc_read_binary(card, iptr - ibuf, iptr, + MIN(GEMSAFE_READ_QUANTUM, objlen - (iptr - ibuf)), 0); +@@ -242,7 +245,14 @@ static int gemsafe_get_cert_len(sc_card_t *card) + sc_log(card->ctx, "Could not read cert object"); + return SC_ERROR_INTERNAL; + } +- iptr += GEMSAFE_READ_QUANTUM; ++ if (r == 0) ++ break; ++ read_len += r; ++ iptr += r; ++ } ++ if ((size_t)read_len < objlen) { ++ sc_log(card->ctx, "Could not read cert object"); ++ return SC_ERROR_INTERNAL; + } + + /* Search buffer for certificates, they start with 0x3082. */ +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0004.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0004.patch new file mode 100644 index 000000000..68c8e609a --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0004.patch 
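Review bot: in CVE-2024-45619-0003.patch, the new loop guard in gemsafe_get_cert_len(), `ind + 1 < (size_t)read_len`, covers the `ibuf[ind+1]` test, but the loop body then reads `ibuf[ind+4]` for `gemsafe_prkeys[i].ref`, which can lie past the bytes the guard has established as read. Bounding the loop on `ind + 4 < (size_t)read_len` would cover every index the visible body touches.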
@@ -0,0 +1,49 @@ +From e20ca25204c9c5e36f53ae92ddf017cd17d07e31 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Thu, 18 Jul 2024 10:16:39 +0200 +Subject: [PATCH] pkcs15-setcos: Check length of generated key + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs15init/26 + +CVE: CVE-2024-45619 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/e20ca25204c9c5e36f53ae92ddf017cd17d07e31] + +Signed-off-by: Zhang Peng +--- + src/pkcs15init/pkcs15-setcos.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + + +diff --git a/src/pkcs15init/pkcs15-setcos.c b/src/pkcs15init/pkcs15-setcos.c +index bfee78cd6..57d5e83bf 100644 +--- a/src/pkcs15init/pkcs15-setcos.c ++++ b/src/pkcs15init/pkcs15-setcos.c +@@ -498,6 +498,9 @@ setcos_generate_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card, + r = sc_card_ctl(p15card->card, SC_CARDCTL_SETCOS_GETDATA, &data_obj); + LOG_TEST_RET(ctx, r, "Cannot get key modulus: 'SETCOS_GETDATA' failed"); + ++ if (data_obj.DataLen < 3 || data_obj.DataLen < pubkey->u.rsa.modulus.len) ++ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Cannot get key modulus: wrong length of raw key"); ++ + keybits = ((raw_pubkey[0] * 256) + raw_pubkey[1]); /* modulus bit length */ + if (keybits != key_info->modulus_length) { + sc_log(ctx, +@@ -505,10 +508,11 @@ setcos_generate_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card, + keybits, key_info->modulus_length); + LOG_TEST_RET(ctx, SC_ERROR_PKCS15INIT, "Failed to generate key"); + } +- memcpy (pubkey->u.rsa.modulus.data, &raw_pubkey[2], pubkey->u.rsa.modulus.len); ++ memcpy(pubkey->u.rsa.modulus.data, &raw_pubkey[2], pubkey->u.rsa.modulus.len); ++ } else { ++ sc_file_free(file); + } + +- sc_file_free(file); + return r; + } + +-- +2.34.1 
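Review bot: in CVE-2024-45619-0004.patch, the new length check in setcos_generate_key() accepts `data_obj.DataLen == pubkey->u.rsa.modulus.len`, but the `memcpy()` below copies `modulus.len` bytes starting at `&raw_pubkey[2]`; assuming `raw_pubkey` is the buffer that `data_obj` fills, the copy needs `DataLen >= modulus.len + 2` to stay inside the received data. Separately, `sc_file_free(file)` moves from the common exit into a new else branch: please confirm that the key-collection branch in 0.22.0 releases `file` on its own, including on the LOG_TEST_RET early returns, otherwise this backport introduces a leak.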
diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0005.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0005.patch new file mode 100644 index 000000000..88564e299 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0005.patch @@ -0,0 +1,33 @@ +From 2b6cd52775b5448f6a993922a30c7a38d9626134 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Thu, 18 Jul 2024 11:38:25 +0200 +Subject: [PATCH] pkcs15-sc-hsm: Properly check length of file list + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs15init/8 + +CVE: CVE-2024-45619 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/2b6cd52775b5448f6a993922a30c7a38d9626134] + +Signed-off-by: Zhang Peng +--- + src/pkcs15init/pkcs15-sc-hsm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pkcs15init/pkcs15-sc-hsm.c b/src/pkcs15init/pkcs15-sc-hsm.c +index 71f96cfc56..db1a2b518f 100644 +--- a/src/pkcs15init/pkcs15-sc-hsm.c ++++ b/src/pkcs15init/pkcs15-sc-hsm.c +@@ -140,7 +140,7 @@ static int sc_hsm_determine_free_id(struct sc_pkcs15_card *p15card, u8 range) + LOG_TEST_RET(card->ctx, filelistlength, "Could not enumerate file and key identifier"); + + for (j = 0; j < 256; j++) { +- for (i = 0; i < filelistlength; i += 2) { ++ for (i = 0; i + 1 < filelistlength; i += 2) { + if ((filelist[i] == range) && (filelist[i + 1] == j)) { + break; + } +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0006.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0006.patch new file mode 100644 index 000000000..4e45cc757 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45619-0006.patch 
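Review bot: in CVE-2024-45619-0005.patch, with `i + 1 < filelistlength` the inner loop of sc_hsm_determine_free_id() can now finish without a match at `i == filelistlength - 1` when the list length is odd. Any "no match" test after the loop that compares `i` against `filelistlength` (outside this hunk) should be checked against that case, and an odd length could be logged or rejected up front since it means the list is malformed.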
@@ -0,0 +1,63 @@ +From dd554a2e1e31e6cb75c627c653652696d61e8de8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Thu, 18 Jul 2024 12:33:31 +0200 +Subject: [PATCH] card-coolkey: Check length of buffer before conversion + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs15_reader/3 + +CVE: CVE-2024-45619 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/dd554a2e1e31e6cb75c627c653652696d61e8de8] + +Signed-off-by: Zhang Peng +--- + src/libopensc/card-coolkey.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/libopensc/card-coolkey.c b/src/libopensc/card-coolkey.c +index ff3ffd9a7..e0a5ae774 100644 +--- a/src/libopensc/card-coolkey.c ++++ b/src/libopensc/card-coolkey.c +@@ -1684,6 +1684,7 @@ static int coolkey_rsa_op(sc_card_t *card, const u8 * data, size_t datalen, + u8 key_number; + size_t params_len; + u8 buf[MAX_COMPUTE_BUF + 2]; ++ size_t buf_len; + u8 *buf_out; + + SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); +@@ -1724,8 +1725,6 @@ static int coolkey_rsa_op(sc_card_t *card, const u8 * data, size_t datalen, + ushort2bebytes(params.init.buf_len, 0); + } else { + /* The data fits in APDU. 
Copy it to the params object */ +- size_t buf_len; +- + params.init.location = COOLKEY_CRYPT_LOCATION_APDU; + + params_len = sizeof(params.init) + datalen; +@@ -1745,6 +1744,7 @@ static int coolkey_rsa_op(sc_card_t *card, const u8 * data, size_t datalen, + if (r < 0) { + goto done; + } ++ buf_len = crypt_out_len_p; + + if (datalen > MAX_COMPUTE_BUF) { + u8 len_buf[2]; +@@ -1763,7 +1763,12 @@ static int coolkey_rsa_op(sc_card_t *card, const u8 * data, size_t datalen, + priv->nonce, sizeof(priv->nonce)); + + } else { +- size_t out_length = bebytes2ushort(buf); ++ size_t out_length; ++ if (buf_len < 2) { ++ r = SC_ERROR_WRONG_LENGTH; ++ goto done; ++ } ++ out_length = bebytes2ushort(buf); + if (out_length > sizeof buf - 2) { + r = SC_ERROR_WRONG_LENGTH; + goto done; +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb index 641d6a807..5e840555b 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb 
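Review bot: in CVE-2024-45619-0006.patch, the new `buf_len < 2` test in coolkey_rsa_op() makes the `bebytes2ushort(buf)` read safe, but `out_length` is still only bounded by `sizeof buf - 2`, not by the `buf_len - 2` bytes actually returned. Since `buf_len` is now in scope at that point, comparing `out_length > buf_len - 2` would keep later use of `out_length` inside the filled part of `buf`.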
@@ -46,6 +46,12 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \ file://CVE-2024-45617-0003.patch \ file://CVE-2024-45618-0001.patch \ file://CVE-2024-45618-0002.patch \ + file://CVE-2024-45619-0001.patch \ + file://CVE-2024-45619-0002.patch \ + file://CVE-2024-45619-0003.patch \ + file://CVE-2024-45619-0004.patch \ + file://CVE-2024-45619-0005.patch \ + file://CVE-2024-45619-0006.patch \ " # CVE-2021-34193 is a duplicate CVE covering the 5 individual

From patchwork Wed Jan 15 07:24:28 2025
X-Patchwork-Submitter: Peng Zhang
X-Patchwork-Id: 55546
From: peng.zhang1.cn@windriver.com
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 8/8] opensc: fix CVE-2024-45620
Date: Wed, 15 Jan 2025 15:24:28 +0800
Message-Id: <20250115072428.3667416-8-peng.zhang1.cn@windriver.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20250115072428.3667416-1-peng.zhang1.cn@windriver.com>
References: <20250115072428.3667416-1-peng.zhang1.cn@windriver.com>
X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: UU8eYf596geRUxaFCqd1RBkNSIjeFlCHRmuxyXblrsKafc46TIXV/+Ti69/2jgivoSX2peUEchrCmlj1ekfNgw8Cdfu6hVdeonzrGLObOS0= X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA3PR11MB8046 X-Authority-Analysis: v=2.4 cv=DdLtqutW c=1 sm=1 tr=0 ts=678762c3 cx=c_pps a=ynuEE1Gfdg78pLiovR0MAg==:117 a=wKuvFiaSGQ0qltdbU6+NXLB8nM8=:19 a=Ol13hO9ccFRV9qXi2t6ftBPywas=:19 a=xqWC_Br6kY4A:10 a=VdSt8ZQiCzkA:10 a=bRTqI5nwn0kA:10 a=PYnjg3YJAAAA:8 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=20KFwNOVAAAA:8 a=b0JbnPJMiK5919SWX6MA:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-GUID: 1k3BpG5xKQsbDllioP-ytDCUhFOT0Wtc X-Proofpoint-ORIG-GUID: 1k3BpG5xKQsbDllioP-ytDCUhFOT0Wtc X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-01-15_02,2025-01-15_02,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 adultscore=0 mlxlogscore=999 lowpriorityscore=0 mlxscore=0 priorityscore=1501 phishscore=0 malwarescore=0 bulkscore=0 spamscore=0 clxscore=1015 impostorscore=0 classifier=spam authscore=0 adjust=0 reason=mlx scancount=1 engine=8.21.0-2411120000 definitions=main-2501150054 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 15 Jan 2025 07:24:57 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/114892 
From: Zhang Peng CVE-2024-45620: A vulnerability was found in the pkcs15-init tool in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-45620] Upstream patches: [https://github.com/OpenSC/OpenSC/commit/a1bcc6516f43d570899820d259b71c53f8049168] [https://github.com/OpenSC/OpenSC/commit/6baa19596598169d652659863470a60c5ed79ecd] [https://github.com/OpenSC/OpenSC/commit/468a314d76b26f724a551f2eb339dd17c856cf18] Signed-off-by: Zhang Peng --- .../opensc/files/CVE-2024-45620-0001.patch | 42 ++++++++++++++++ .../opensc/files/CVE-2024-45620-0002.patch | 34 +++++++++++++ .../opensc/files/CVE-2024-45620-0003.patch | 50 +++++++++++++++++++ .../recipes-support/opensc/opensc_0.22.0.bb | 3 ++ 4 files changed, 129 insertions(+) create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45620-0001.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45620-0002.patch create mode 100644 meta-oe/recipes-support/opensc/files/CVE-2024-45620-0003.patch diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0001.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0001.patch new file mode 100644 index 000000000..bacf75960 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0001.patch 
@@ -0,0 +1,42 @@ +From a1bcc6516f43d570899820d259b71c53f8049168 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Thu, 18 Jul 2024 09:23:20 +0200 +Subject: [PATCH] pkcs15-starcos: Check length of file to be non-zero + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs15init/20 + +CVE: CVE-2024-45620 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/a1bcc6516f43d570899820d259b71c53f8049168] + +Signed-off-by: Zhang Peng +--- + src/pkcs15init/pkcs15-starcos.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/pkcs15init/pkcs15-starcos.c b/src/pkcs15init/pkcs15-starcos.c +index bde7413a46..267ad2b04a 100644 +--- a/src/pkcs15init/pkcs15-starcos.c ++++ b/src/pkcs15init/pkcs15-starcos.c +@@ -670,6 +670,8 @@ static int starcos_write_pukey(sc_profile_t *profile, sc_card_t *card, + return r; + len = tfile->size; + sc_file_free(tfile); ++ if (len == 0) ++ return SC_ERROR_INTERNAL; + buf = malloc(len); + if (!buf) + return SC_ERROR_OUT_OF_MEMORY; +@@ -682,7 +684,7 @@ static int starcos_write_pukey(sc_profile_t *profile, sc_card_t *card, + if (num_keys == 0xff) + num_keys = 0; + /* encode public key */ +- keylen = starcos_encode_pukey(rsa, NULL, kinfo); ++ keylen = starcos_encode_pukey(rsa, NULL, kinfo); + if (!keylen) { + free(buf); + return SC_ERROR_INTERNAL; +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0002.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0002.patch new file mode 100644 index 000000000..65d596b92 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0002.patch 
@@ -0,0 +1,34 @@ +From 6baa19596598169d652659863470a60c5ed79ecd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Thu, 18 Jul 2024 09:35:23 +0200 +Subject: [PATCH] iasecc-sdo: Check length of data before dereferencing + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs15init/21 + +CVE: CVE-2024-45620 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/6baa19596598169d652659863470a60c5ed79ecd] + +Signed-off-by: Zhang Peng +--- + src/libopensc/iasecc-sdo.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/libopensc/iasecc-sdo.c b/src/libopensc/iasecc-sdo.c +index 417b6dd57d..98402a4e3f 100644 +--- a/src/libopensc/iasecc-sdo.c ++++ b/src/libopensc/iasecc-sdo.c +@@ -729,6 +729,9 @@ iasecc_sdo_parse(struct sc_card *card, unsigned char *data, size_t data_len, str + + LOG_FUNC_CALLED(ctx); + ++ if (data == NULL || data_len < 2) ++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA); ++ + if (*data == IASECC_SDO_TEMPLATE_TAG) { + size_size = iasecc_parse_size(data + 1, &size); + LOG_TEST_RET(ctx, size_size, "parse error: invalid size data of IASECC_SDO_TEMPLATE"); +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0003.patch b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0003.patch new file mode 100644 index 000000000..5bc8805e6 --- /dev/null +++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45620-0003.patch 
@@ -0,0 +1,50 @@ +From 468a314d76b26f724a551f2eb339dd17c856cf18 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= +Date: Thu, 18 Jul 2024 11:03:46 +0200 +Subject: [PATCH] iasecc-sdo: Check length of data when parsing + +Thanks Matteo Marini for report +https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + +fuzz_pkcs15init/27,29 + +CVE: CVE-2024-45620 +Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/468a314d76b26f724a551f2eb339dd17c856cf18] + +Signed-off-by: Zhang Peng +--- + src/libopensc/iasecc-sdo.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/libopensc/iasecc-sdo.c b/src/libopensc/iasecc-sdo.c +index 4d6be7ad4..bdbd5ab17 100644 +--- a/src/libopensc/iasecc-sdo.c ++++ b/src/libopensc/iasecc-sdo.c +@@ -334,16 +334,25 @@ iasecc_se_parse(struct sc_card *card, unsigned char *data, size_t data_len, stru + + LOG_FUNC_CALLED(ctx); + ++ if (data_len < 1) ++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA); ++ + if (*data == IASECC_SDO_TEMPLATE_TAG) { + size_size = iasecc_parse_size(data + 1, &size); + LOG_TEST_RET(ctx, size_size, "parse error: invalid size data of IASECC_SDO_TEMPLATE"); + ++ if (data_len - 1 < size) ++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA); ++ + data += size_size + 1; + data_len = size; + sc_log(ctx, + "IASECC_SDO_TEMPLATE: size %"SC_FORMAT_LEN_SIZE_T"u, size_size %"SC_FORMAT_LEN_SIZE_T"u", + size, size_size); + ++ if (data_len < 3) ++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA); ++ + if (*data != IASECC_SDO_TAG_HEADER) + LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA); + +-- +2.34.1 diff --git a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb index 5e840555b..52e29a5d9 100644 --- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb +++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb 
@@ -52,6 +52,9 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \ file://CVE-2024-45619-0004.patch \ file://CVE-2024-45619-0005.patch \ file://CVE-2024-45619-0006.patch \ + file://CVE-2024-45620-0001.patch \ + file://CVE-2024-45620-0002.patch \ + file://CVE-2024-45620-0003.patch \ " # CVE-2021-34193 is a duplicate CVE covering the 5 individual
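Review bot: In CVE-2024-45620-0001.patch, the second hunk of src/pkcs15init/pkcs15-starcos.c (@@ -682,7 +684,7) removes and re-adds "keylen = starcos_encode_pukey(rsa, NULL, kinfo);" with no visible textual difference, so the one deletion counted in the diffstat is a whitespace-only change unrelated to the fix. Keeping it is fine for a verbatim backport, but whitespace-only hunks are a common cause of fuzz or rejects, so confirm the patch applies cleanly to the 0.22.0 tree. The functional change is the "if (len == 0) return SC_ERROR_INTERNAL;" guard placed after sc_file_free(tfile) and before malloc(len); it rejects only an empty file, so it is worth checking in the full function that nothing after the allocation assumes more than one byte in buf.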
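Review bot: In CVE-2024-45620-0002.patch, the new guard in iasecc_sdo_parse ("if (data == NULL || data_len < 2)") covers only the tag byte and the first length byte, while the next call, iasecc_parse_size(data + 1, &size), is given no remaining length. If the length field can occupy more than one byte (the function returns size_size), those extra reads are not bounded by anything visible here. A follow-up that passes the remaining length into the size parser would close that, and should be raised upstream rather than changed in the backport.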
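Review bot: In CVE-2024-45620-0003.patch, the check "if (data_len - 1 < size)" in iasecc_se_parse does not subtract size_size, yet the following lines advance with "data += size_size + 1;" and then set "data_len = size;". After the tag byte and the length field are consumed, data_len - 1 - size_size bytes remain, so a size up to size_size bytes larger than that still passes. Comparing size against data_len - 1 - size_size would make the bound exact. The entry guard here is also "if (data_len < 1)" with no data == NULL test, unlike the matching guard added to iasecc_sdo_parse in 0002; the two should be consistent. Both points belong upstream, since this file is a backport.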