[pcsc-lite/f13/master] Fixed a buffer overflow in ATR decoder (CVE-2010-4531)

[Kalev Lember]

commit fda5734570bd0a656243f84e5db989aa77dd02e3
Author: Kalev Lember <kalev at smartlink.ee>
Date:   Wed Jan 5 12:56:28 2011 +0200

    Fixed a buffer overflow in ATR decoder (CVE-2010-4531)
    
    http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-libccid-buffer-overflow_2010-12-13.pdf

 pcsc-lite-CVE-2010-4531.patch |   23 +++++++++++++++++++++++
 pcsc-lite.spec                |    7 ++++++-
 2 files changed, 29 insertions(+), 1 deletions(-)
---
diff --git a/pcsc-lite-CVE-2010-4531.patch b/pcsc-lite-CVE-2010-4531.patch
new file mode 100644
index 0000000..912720d
--- /dev/null
+++ b/pcsc-lite-CVE-2010-4531.patch
@@ -0,0 +1,23 @@
+Index: src/atrhandler.c
+===================================================================
+--- src/atrhandler.c	(revision 5369)
++++ src/atrhandler.c	(revision 5370)
+@@ -232,7 +232,7 @@
+ 	psExtension->ATR.HistoryLength = K;
+ 	memcpy(psExtension->ATR.HistoryValue, &pucAtr[p], K);
+ 
+-	p = p + K;
++	p += K;
+ 
+ 	/*
+ 	 * Check to see if TCK character is included It will be included if
+@@ -241,6 +241,9 @@
+ 	if (psExtension->CardCapabilities.AvailableProtocols & SCARD_PROTOCOL_T1)
+ 		TCK = pucAtr[p++];
+ 
++	if (p > MAX_ATR_SIZE)
++		return 0;	/** @retval 0 Maximum attribute size */
++
+ 	memcpy(psExtension->ATR.Value, pucAtr, p);
+ 	psExtension->ATR.Length = p;	/* modified from p-1 */
+ 
diff --git a/pcsc-lite.spec b/pcsc-lite.spec
index b0ce73a..61cc82f 100644
--- a/pcsc-lite.spec
+++ b/pcsc-lite.spec
@@ -2,7 +2,7 @@
 
 Name:           pcsc-lite
 Version:        1.5.5
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        PC/SC Lite smart card framework and applications
 
 Group:          System Environment/Daemons
@@ -14,6 +14,7 @@ Patch1:         %{name}-1.5.5-rpath64.patch
 Patch2:         %{name}-close_on_exec.patch
 # Fedora specific changes to init script LSB header and start/stop priorities
 Patch3:         %{name}-lsb_header.patch
+Patch4:         %{name}-CVE-2010-4531.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -66,6 +67,7 @@ BuildArch:      noarch
 %patch1 -p1 -b .rpath64
 %patch2 -p1 -b .close_on_exec
 %patch3 -p1 -b .lsb_header
+%patch4 -p0 -b .CVE-2010-4531
 
 %build
 %configure \
@@ -150,6 +152,9 @@ fi
 
 
 %changelog
+* Wed Jan 05 2011 Kalev Lember <kalev at smartlink.ee> - 1.5.5-5
+- Fixed a buffer overflow in ATR decoder (CVE-2010-4531)
+
 * Tue Apr 13 2010 Kalev Lember <kalev at smartlink.ee> - 1.5.5-4
 - Fix init script start / stop priorities (#580322)
 - Don't require pkgconfig as the dep is now automatically generated by rpm