[opensc/el5/master] - fix buffer overflow on rogue card serial numbers

Tomáš Mráz tmraz at fedoraproject.org
Tue Dec 21 20:30:14 UTC 2010


commit d65ffb9ccd2231f2c058f8dc00a3fe842c2cbe0d
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Tue Dec 21 21:30:04 2010 +0100

    - fix buffer overflow on rogue card serial numbers

 opensc-0.11.13-serial-overflow.patch |   71 ++++++++++++++++++++++++++++++++++
 opensc.spec                          |   12 +++++-
 2 files changed, 82 insertions(+), 1 deletions(-)
---
diff --git a/opensc-0.11.13-serial-overflow.patch b/opensc-0.11.13-serial-overflow.patch
new file mode 100644
index 0000000..6d492e5
--- /dev/null
+++ b/opensc-0.11.13-serial-overflow.patch
@@ -0,0 +1,71 @@
+Index: /trunk/src/libopensc/muscle.c
+===================================================================
+--- /trunk/src/libopensc/muscle.c	(revision 4350)
++++ /trunk/src/libopensc/muscle.c	(revision 4912)
+@@ -31,11 +31,4 @@
+ #define MSC_DSA_PUBLIC		0x04
+ #define MSC_DSA_PRIVATE 	0x05
+-
+-#ifndef MAX
+-#define MAX(x, y) (((x) > (y)) ? (x) : (y))
+-#endif
+-#ifndef MIN
+-#define MIN(x, y) (((x) < (y)) ? (x) : (y))
+-#endif
+ 
+ static msc_id inputId = { { 0xFF, 0xFF, 0xFF, 0xFF } };
+Index: /trunk/src/libopensc/internal.h
+===================================================================
+--- /trunk/src/libopensc/internal.h	(revision 4902)
++++ /trunk/src/libopensc/internal.h	(revision 4912)
+@@ -48,4 +48,11 @@
+ #define msleep(t)	Sleep(t)
+ #define sleep(t)	Sleep((t) * 1000)
++#endif
++
++#ifndef MAX
++#define MAX(x, y) (((x) > (y)) ? (x) : (y))
++#endif
++#ifndef MIN
++#define MIN(x, y) (((x) < (y)) ? (x) : (y))
+ #endif
+ 
+Index: /trunk/src/libopensc/card-atrust-acos.c
+===================================================================
+--- /trunk/src/libopensc/card-atrust-acos.c	(revision 4706)
++++ /trunk/src/libopensc/card-atrust-acos.c	(revision 4913)
+@@ -843,6 +843,6 @@
+ 		return SC_ERROR_INTERNAL;
+ 	/* cache serial number */
+-	memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
+-	card->serialnr.len = apdu.resplen;
++	memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR));
++	card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR);
+ 	/* copy and return serial number */
+ 	memcpy(serial, &card->serialnr, sizeof(*serial));
+Index: /trunk/src/libopensc/card-starcos.c
+===================================================================
+--- /trunk/src/libopensc/card-starcos.c	(revision 4706)
++++ /trunk/src/libopensc/card-starcos.c	(revision 4913)
+@@ -1280,6 +1280,6 @@
+ 		return SC_ERROR_INTERNAL;
+ 	/* cache serial number */
+-	memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
+-	card->serialnr.len = apdu.resplen;
++	memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR));
++	card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR);
+ 	/* copy and return serial number */
+ 	memcpy(serial, &card->serialnr, sizeof(*serial));
+Index: /trunk/src/libopensc/card-acos5.c
+===================================================================
+--- /trunk/src/libopensc/card-acos5.c	(revision 4118)
++++ /trunk/src/libopensc/card-acos5.c	(revision 4913)
+@@ -139,6 +139,6 @@
+ 	 * Cache serial number.
+ 	 */
+-	memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
+-	card->serialnr.len = apdu.resplen;
++	memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR));
++	card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR);
+ 
+ 	/*
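Review bot: The clamp in the three serial-caching hunks (card-atrust-acos.c, card-starcos.c, card-acos5.c) silently truncates an over-long response instead of rejecting it, so a card that returns more than SC_MAX_SERIALNR bytes gets a shortened serial cached and returned as if it were genuine. Callers presumably use the serial to identify the card, so failing is safer than truncating, e.g. `if (apdu.resplen > SC_MAX_SERIALNR) return SC_ERROR_INTERNAL;` ahead of the original copy. If truncation is kept, compute the bound once with `size_t n = MIN(apdu.resplen, SC_MAX_SERIALNR);` so the copied length and `serialnr.len` cannot drift apart. Bounding by `sizeof(card->serialnr.value)` would tie the limit to the real buffer, but its declaration is not in the patch, so confirm that first. The enclosing functions start and end outside these hunks.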
diff --git a/opensc.spec b/opensc.spec
index 53a4b83..ee8a367 100644
--- a/opensc.spec
+++ b/opensc.spec
@@ -2,7 +2,7 @@
 
 Name:           opensc
 Version:        0.11.13
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Smart card library and applications
 
 Group:          System Environment/Libraries
@@ -13,11 +13,14 @@ Patch1:         %{name}-0.11.7-develconfig.patch
 Patch2:         %{name}-0.11.12-no-add-needed.patch
 Patch3:         opensc-0.11.13-libassuan1.patch
 Patch4:         opensc-0.11.13-build-readerstate.patch
+Patch5:         opensc-0.11.13-serial-overflow.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires:  pcsc-lite-devel
 BuildRequires:  readline-devel
+%if 0%{?fedora} || 0%{?rhel} > 5
 BuildRequires:  openct-devel
+%endif
 BuildRequires:  openssl-devel
 BuildRequires:  libtool-ltdl-devel
 BuildRequires:  libtool
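Review bot: The `%if 0%{?fedora} || 0%{?rhel} > 5` guard around `BuildRequires:  openct-devel` here, and the matching guard around `--enable-openct` in the `%configure` hunk, appear in neither the commit message nor the new changelog entry, which both describe only the overflow fix. On an el5 build the condition looks false, so this release would also stop building OpenCT support. A security update is easier to audit and to back out when it carries only the fix. If the change is intended, add a changelog line such as `- build without openct on RHEL 5 and older`, or move it to its own commit.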
@@ -62,6 +65,8 @@ OpenSC development files.
 %setup -q
 %patch1 -p1 -b .config
 %patch2 -p1 -b .no-add-needed
+%patch5 -p2 -b .overflow
+
 sed -i -e 's|"/lib /usr/lib\b|"/%{_lib} %{_libdir}|' configure # lib64 rpaths
 cp -p src/pkcs15init/README ./README.pkcs15init
 cp -p src/scconf/README.scconf .
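Review bot: `%patch5` is applied with `-p2` while the neighbouring patches use `-p1`, and nothing in the spec says why. The patch headers use `/trunk/src/libopensc/...` paths, which is what needs the extra strip level. A comment above the line, such as `# upstream svn diff (r4912, r4913); paths start at /trunk, hence -p2`, would record the origin of the fix and stop a later rebase from "correcting" it to `-p1`.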
@@ -81,7 +86,9 @@ rm -f m4/libassuan.m4
 %configure  --disable-static \
   --enable-nsplugin \
   --enable-pcsc \
+%if 0%{?fedora} || 0%{?rhel} > 5
   --enable-openct \
+%endif
   --enable-doc \
   --with-pcsc-provider=libpcsclite.so.1 \
   --with-plugindir=%{plugindir} \
@@ -171,6 +178,9 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Tue Dec 21 2010 Tomas Mraz <tmraz at redhat.com> - 0.11.13-6
+- fix buffer overflow on rogue card serial numbers
+
 * Tue Oct 19 2010 Tomas Mraz <tmraz at redhat.com> - 0.11.13-5
 - own the _libdir/pkcs11 subdirectory (#644527)
 

