[pcsc-lite/f14/master] Fixed a buffer overflow in ATR decoder (CVE-2010-4531)

Kalev Lember kalev at fedoraproject.org
Wed Jan 5 11:00:57 UTC 2011


commit 6360140a1e4a4a11b14865a9820ec6585886a8fa
Author: Kalev Lember <kalev at smartlink.ee>
Date:   Wed Jan 5 12:56:28 2011 +0200

    Fixed a buffer overflow in ATR decoder (CVE-2010-4531)
    
    http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-libccid-buffer-overflow_2010-12-13.pdf

 pcsc-lite-CVE-2010-4531.patch |   23 +++++++++++++++++++++++
 pcsc-lite.spec                |    7 ++++++-
 2 files changed, 29 insertions(+), 1 deletions(-)
---
diff --git a/pcsc-lite-CVE-2010-4531.patch b/pcsc-lite-CVE-2010-4531.patch
new file mode 100644
index 0000000..912720d
--- /dev/null
+++ b/pcsc-lite-CVE-2010-4531.patch
@@ -0,0 +1,23 @@
+Index: src/atrhandler.c
+===================================================================
+--- src/atrhandler.c	(revision 5369)
++++ src/atrhandler.c	(revision 5370)
+@@ -232,7 +232,7 @@
+ 	psExtension->ATR.HistoryLength = K;
+ 	memcpy(psExtension->ATR.HistoryValue, &pucAtr[p], K);
+ 
+-	p = p + K;
++	p += K;
+ 
+ 	/*
+ 	 * Check to see if TCK character is included It will be included if
+@@ -241,6 +241,9 @@
+ 	if (psExtension->CardCapabilities.AvailableProtocols & SCARD_PROTOCOL_T1)
+ 		TCK = pucAtr[p++];
+ 
++	if (p > MAX_ATR_SIZE)
++		return 0;	/** @retval 0 Maximum attribute size */
++
+ 	memcpy(psExtension->ATR.Value, pucAtr, p);
+ 	psExtension->ATR.Length = p;	/* modified from p-1 */
+ 
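Review bot: The added `if (p > MAX_ATR_SIZE)` guard in the second nested hunk runs only after `memcpy(psExtension->ATR.HistoryValue, &pucAtr[p], K)` and `TCK = pucAtr[p++]` have already read `pucAtr` at the unvalidated offset, so it protects the copy into `ATR.Value` but not those earlier accesses. I would add a check ahead of the history copy, `if (p + K > MAX_ATR_SIZE) return 0;`, and keep the existing check to cover the TCK byte. If the function also receives the caller-supplied ATR length (its signature is outside the hunk), bounding `p` by that length as well as by the compile-time maximum would presumably be tighter. The inline `/** @retval 0 Maximum attribute size */` belongs in the function's header comment, where Doxygen will pick it up. The function body starts and ends outside this hunk, so earlier interface-byte parsing may need the same treatment.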
diff --git a/pcsc-lite.spec b/pcsc-lite.spec
index 47335b8..fa71dc4 100644
--- a/pcsc-lite.spec
+++ b/pcsc-lite.spec
@@ -2,7 +2,7 @@
 
 Name:           pcsc-lite
 Version:        1.6.4
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        PC/SC Lite smart card framework and applications
 
 Group:          System Environment/Daemons
@@ -14,6 +14,7 @@ Patch0:         %{name}-1.4-docinst.patch
 Patch1:         %{name}-1.5.5-rpath64.patch
 # Disable pcscd on-demand startup (#653903)
 Patch2:         %{name}-1.6.4-noautostart.patch
+Patch3:         %{name}-CVE-2010-4531.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires:  hal-devel 
@@ -66,6 +67,7 @@ Requires:       %{name}-libs = %{version}-%{release}
 %patch0 -p0 -b .docinst
 %patch1 -p1 -b .rpath64
 %patch2 -p1 -b .noautostart
+%patch3 -p0 -b .CVE-2010-4531
 
 # Convert to utf-8
 for file in ChangeLog; do
@@ -146,6 +148,9 @@ fi
 
 
 %changelog
+* Wed Jan 05 2011 Kalev Lember <kalev at smartlink.ee> - 1.6.4-3
+- Fixed a buffer overflow in ATR decoder (CVE-2010-4531)
+
 * Mon Dec 13 2010 Kalev Lember <kalev at smartlink.ee> - 1.6.4-2
 - Disabled pcscd on-demand startup (#653903)
 

