[pcsc-lite/f13/master] Fixed a buffer overflow in ATR decoder (CVE-2010-4531)
Kalev Lember
kalev at fedoraproject.org
Wed Jan 5 11:08:22 UTC 2011
commit fda5734570bd0a656243f84e5db989aa77dd02e3
Author: Kalev Lember <kalev at smartlink.ee>
Date: Wed Jan 5 12:56:28 2011 +0200
Fixed a buffer overflow in ATR decoder (CVE-2010-4531)
http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-libccid-buffer-overflow_2010-12-13.pdf
pcsc-lite-CVE-2010-4531.patch | 23 +++++++++++++++++++++++
pcsc-lite.spec | 7 ++++++-
2 files changed, 29 insertions(+), 1 deletions(-)
---
diff --git a/pcsc-lite-CVE-2010-4531.patch b/pcsc-lite-CVE-2010-4531.patch
new file mode 100644
index 0000000..912720d
--- /dev/null
+++ b/pcsc-lite-CVE-2010-4531.patch
@@ -0,0 +1,23 @@
+Index: src/atrhandler.c
+===================================================================
+--- src/atrhandler.c (revision 5369)
++++ src/atrhandler.c (revision 5370)
+@@ -232,7 +232,7 @@
+ psExtension->ATR.HistoryLength = K;
+ memcpy(psExtension->ATR.HistoryValue, &pucAtr[p], K);
+
+- p = p + K;
++ p += K;
+
+ /*
+ * Check to see if TCK character is included It will be included if
+@@ -241,6 +241,9 @@
+ if (psExtension->CardCapabilities.AvailableProtocols & SCARD_PROTOCOL_T1)
+ TCK = pucAtr[p++];
+
++ if (p > MAX_ATR_SIZE)
++ return 0; /** @retval 0 Maximum attribute size */
++
+ memcpy(psExtension->ATR.Value, pucAtr, p);
+ psExtension->ATR.Length = p; /* modified from p-1 */
+
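Review bot: The new `p > MAX_ATR_SIZE` check in the second inner hunk comes only after `memcpy(psExtension->ATR.HistoryValue, &pucAtr[p], K)` and `TCK = pucAtr[p++]` have already used `p` to index `pucAtr`. Within the visible lines it guards the final `memcpy(psExtension->ATR.Value, pucAtr, p)` but not those two earlier accesses. Consider checking `p + K` against the bound before the history-bytes copy and checking `p` before the TCK read. The comment `/** @retval 0 Maximum attribute size */` also does not say that this is the error return for an oversized ATR, so a plainer comment would help. The `p = p + K` to `p += K` change is cosmetic and could be dropped to keep the security fix minimal.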
diff --git a/pcsc-lite.spec b/pcsc-lite.spec
index b0ce73a..61cc82f 100644
--- a/pcsc-lite.spec
+++ b/pcsc-lite.spec
@@ -2,7 +2,7 @@
Name: pcsc-lite
Version: 1.5.5
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: PC/SC Lite smart card framework and applications
Group: System Environment/Daemons
@@ -14,6 +14,7 @@ Patch1: %{name}-1.5.5-rpath64.patch
Patch2: %{name}-close_on_exec.patch
# Fedora specific changes to init script LSB header and start/stop priorities
Patch3: %{name}-lsb_header.patch
+Patch4: %{name}-CVE-2010-4531.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
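Review bot: `Patch4` is added without a comment line, while `Patch3` directly above it carries one explaining its purpose. Add a comment naming the origin of the fix, for example the revision 5370 shown in the patch header together with the CVE id, so a later rebase can tell when the patch can be dropped.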
@@ -66,6 +67,7 @@ BuildArch: noarch
%patch1 -p1 -b .rpath64
%patch2 -p1 -b .close_on_exec
%patch3 -p1 -b .lsb_header
+%patch4 -p0 -b .CVE-2010-4531
%build
%configure \
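Review bot: `%patch4` is applied with `-p0` while `%patch1` to `%patch3` use `-p1`. That matches the `src/atrhandler.c` paths in the patch header, which carry no leading directory component, but the difference is easy to misread as a mistake. A short comment in the spec, or regenerating the patch with a path prefix so all four use `-p1`, would avoid that.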
@@ -150,6 +152,9 @@ fi
%changelog
+* Wed Jan 05 2011 Kalev Lember <kalev at smartlink.ee> - 1.5.5-5
+- Fixed a buffer overflow in ATR decoder (CVE-2010-4531)
+
* Tue Apr 13 2010 Kalev Lember <kalev at smartlink.ee> - 1.5.5-4
- Fix init script start / stop priorities (#580322)
- Don't require pkgconfig as the dep is now automatically generated by rpm