[pcsc-lite/f14/master] Fixed a buffer overflow in ATR decoder (CVE-2010-4531)
Kalev Lember
kalev at fedoraproject.org
Wed Jan 5 11:00:57 UTC 2011
commit 6360140a1e4a4a11b14865a9820ec6585886a8fa
Author: Kalev Lember <kalev at smartlink.ee>
Date: Wed Jan 5 12:56:28 2011 +0200
Fixed a buffer overflow in ATR decoder (CVE-2010-4531)
http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-libccid-buffer-overflow_2010-12-13.pdf
pcsc-lite-CVE-2010-4531.patch | 23 +++++++++++++++++++++++
pcsc-lite.spec | 7 ++++++-
2 files changed, 29 insertions(+), 1 deletions(-)
---
diff --git a/pcsc-lite-CVE-2010-4531.patch b/pcsc-lite-CVE-2010-4531.patch
new file mode 100644
index 0000000..912720d
--- /dev/null
+++ b/pcsc-lite-CVE-2010-4531.patch
@@ -0,0 +1,23 @@
+Index: src/atrhandler.c
+===================================================================
+--- src/atrhandler.c (revision 5369)
++++ src/atrhandler.c (revision 5370)
+@@ -232,7 +232,7 @@
+ psExtension->ATR.HistoryLength = K;
+ memcpy(psExtension->ATR.HistoryValue, &pucAtr[p], K);
+
+- p = p + K;
++ p += K;
+
+ /*
+ * Check to see if TCK character is included It will be included if
+@@ -241,6 +241,9 @@
+ if (psExtension->CardCapabilities.AvailableProtocols & SCARD_PROTOCOL_T1)
+ TCK = pucAtr[p++];
+
++ if (p > MAX_ATR_SIZE)
++ return 0; /** @retval 0 Maximum attribute size */
++
+ memcpy(psExtension->ATR.Value, pucAtr, p);
+ psExtension->ATR.Length = p; /* modified from p-1 */
+
diff --git a/pcsc-lite.spec b/pcsc-lite.spec
index 47335b8..fa71dc4 100644
--- a/pcsc-lite.spec
+++ b/pcsc-lite.spec
@@ -2,7 +2,7 @@
Name: pcsc-lite
Version: 1.6.4
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: PC/SC Lite smart card framework and applications
Group: System Environment/Daemons
@@ -14,6 +14,7 @@ Patch0: %{name}-1.4-docinst.patch
Patch1: %{name}-1.5.5-rpath64.patch
# Disable pcscd on-demand startup (#653903)
Patch2: %{name}-1.6.4-noautostart.patch
+Patch3: %{name}-CVE-2010-4531.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: hal-devel
@@ -66,6 +67,7 @@ Requires: %{name}-libs = %{version}-%{release}
%patch0 -p0 -b .docinst
%patch1 -p1 -b .rpath64
%patch2 -p1 -b .noautostart
+%patch3 -p0 -b .CVE-2010-4531
# Convert to utf-8
for file in ChangeLog; do
@@ -146,6 +148,9 @@ fi
%changelog
+* Wed Jan 05 2011 Kalev Lember <kalev at smartlink.ee> - 1.6.4-3
+- Fixed a buffer overflow in ATR decoder (CVE-2010-4531)
+
* Mon Dec 13 2010 Kalev Lember <kalev at smartlink.ee> - 1.6.4-2
- Disabled pcscd on-demand startup (#653903)
More information about the scm-commits
mailing list