From 24eb6f5b62e2afd998c509d5c107343bca2f26024bab64e00efc20531985ef09 Mon Sep 17 00:00:00 2001 
From: Angel Yankov Date: Wed, 2 Oct 2024 13:32:39 +0000 Subject: [PATCH] - - Security fix: [CVE-2024-8443, bsc#1230364] * opensc: heap buffer overflow in OpenPGP driver when generating key * Added patch: opensc-CVE-2024-8443.patch - Security fix: [opensc-CVE-2024-45620, bsc#1230076] - Security fix: [opensc-CVE-2024-45619, bsc#1230075] - Security fix: [opensc-CVE-2024-45618, bsc#1230074] - Security fix: [opensc-CVE-2024-45617, bsc#1230073] - Security fix: [opensc-CVE-2024-45616, bsc#1230072] - Security fix: [opensc-CVE-2024-45615, bsc#1230071] * opensc: pkcs15init: Usage of uninitialized values in libopensc and pkcs15init * opensc: Uninitialized values after incorrect check or usage of APDU response values in libopensc * opensc: Uninitialized values after incorrect or missing checking return values of functions in libopensc * opensc: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init * opensc: Incorrect handling length of buffers or files in libopensc * opensc: Incorrect handling of the length of buffers or files in pkcs15init * Added patches: - opensc-CVE-2024-45615.patch - opensc-CVE-2024-45616.patch - opensc-CVE-2024-45617.patch - opensc-CVE-2024-45618.patch - opensc-CVE-2024-45619.patch - opensc-CVE-2024-45620.patch OBS-URL: https://build.opensuse.org/package/show/security:chipcard/opensc?expand=0&rev=88 --- .gitattributes | 23 + .gitignore | 1 + baselibs.conf | 5 + opensc-0.25.1.tar.gz | 3 + opensc-CVE-2024-45615.patch | 111 ++++ opensc-CVE-2024-45616.patch | 233 +++++++++ opensc-CVE-2024-45617.patch | 55 ++ opensc-CVE-2024-45618.patch | 67 +++ opensc-CVE-2024-45619.patch | 212 ++++++++ opensc-CVE-2024-45620.patch | 73 +++ opensc-CVE-2024-8443.patch | 78 +++ opensc-docbook-xsl-fix.patch | 13 + opensc-gcc11.patch | 31 ++ opensc-rpmlintrc | 3 + opensc.changes | 981 +++++++++++++++++++++++++++++++++++ opensc.module | 8 + opensc.spec | 143 +++++ 17 files changed, 2040 insertions(+) create mode 100644 .gitattributes 
create mode 100644 .gitignore
create mode 100644 baselibs.conf
create mode 100644 opensc-0.25.1.tar.gz
create mode 100644 opensc-CVE-2024-45615.patch
create mode 100644 opensc-CVE-2024-45616.patch
create mode 100644 opensc-CVE-2024-45617.patch
create mode 100644 opensc-CVE-2024-45618.patch
create mode 100644 opensc-CVE-2024-45619.patch
create mode 100644 opensc-CVE-2024-45620.patch
create mode 100644 opensc-CVE-2024-8443.patch
create mode 100644 opensc-docbook-xsl-fix.patch
create mode 100644 opensc-gcc11.patch
create mode 100644 opensc-rpmlintrc
create mode 100644 opensc.changes
create mode 100644 opensc.module
create mode 100644 opensc.spec
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..ab2fb20
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,5 @@
+opensc
+ +/usr/lib(64)?/*.la
+ +/usr/lib(64)?/*.so*
+ +/usr/lib(64)?/pkcs11/*.so
+ requires "opensc = "
diff --git a/opensc-0.25.1.tar.gz b/opensc-0.25.1.tar.gz
new file mode 100644
index 0000000..40ca6d3
--- /dev/null
+++ b/opensc-0.25.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:23cbaae8bd7c8eb589b68c0a961dfb0d02007bea3165a3fc5efe2621d549b37b
+size 2395579
diff --git a/opensc-CVE-2024-45615.patch b/opensc-CVE-2024-45615.patch
new file mode 100644
index 0000000..d4618a0
--- /dev/null
+++ b/opensc-CVE-2024-45615.patch
@@ -0,0 +1,111 @@ +commit 5e4f26b510b04624386c54816bf26aacea0fe4a1 +Author: Veronika Hanulíková +Date: Thu Jul 11 14:58:25 2024 +0200 + + cac: Fix uninitialized values + + Thanks Matteo Marini for report + https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + + fuzz_card/1,fuzz_pkcs11/6 + +Index: opensc-0.25.1/src/libopensc/card-cac.c +=================================================================== +--- opensc-0.25.1.orig/src/libopensc/card-cac.c ++++ opensc-0.25.1/src/libopensc/card-cac.c +@@ -252,7 +252,7 @@ static int cac_apdu_io(sc_card_t *card, + size_t * recvbuflen) + { + int r; +- sc_apdu_t apdu; ++ sc_apdu_t apdu = {0}; + u8 rbufinitbuf[CAC_MAX_SIZE]; + u8 *rbuf; + size_t rbuflen; +@@ -389,13 +389,13 @@ fail: + static int cac_read_file(sc_card_t *card, int file_type, u8 **out_buf, size_t *out_len) + { + u8 params[2]; +- u8 count[2]; ++ u8 count[2] = {0}; + u8 *out = NULL; +- u8 *out_ptr; ++ u8 *out_ptr = NULL; + size_t offset = 0; + size_t size = 0; + size_t left = 0; +- size_t len; ++ size_t len = 0; + int r; + + params[0] = file_type; +@@ -458,7 +458,7 @@ static int cac_read_binary(sc_card_t *ca + const u8 *tl_ptr, *val_ptr, *tl_start; + u8 *tlv_ptr; + const u8 *cert_ptr; +- size_t tl_len, val_len, tlv_len; ++ size_t tl_len = 0, val_len = 0, tlv_len; + size_t len, tl_head_len, cert_len; + u8 cert_type, tag; + +@@ -1519,7 +1519,7 @@ static int cac_parse_CCC(sc_card_t *card + static int cac_process_CCC(sc_card_t *card, cac_private_data_t *priv, int depth) + { + u8 *tl = NULL, *val = NULL; +- size_t tl_len, val_len; ++ size_t tl_len = 0, val_len = 0; + int r; + + if (depth > CAC_MAX_CCC_DEPTH) { +Index: opensc-0.25.1/src/libopensc/card-piv.c +=================================================================== +--- opensc-0.25.1.orig/src/libopensc/card-piv.c ++++ opensc-0.25.1/src/libopensc/card-piv.c +@@ -4425,7 +4425,7 @@ static int piv_get_challenge(sc_card_t * + const u8 *p; + size_t out_len = 0; + int r; +- unsigned int tag_out, 
cla_out; ++ unsigned int tag_out = 0, cla_out = 0; + piv_private_data_t * priv = PIV_DATA(card); + + LOG_FUNC_CALLED(card->ctx); +Index: opensc-0.25.1/src/libopensc/pkcs15-cert.c +=================================================================== +--- opensc-0.25.1.orig/src/libopensc/pkcs15-cert.c ++++ opensc-0.25.1/src/libopensc/pkcs15-cert.c +@@ -169,7 +169,7 @@ sc_pkcs15_get_name_from_dn(struct sc_con + for (next_ava = rdn, next_ava_len = rdn_len; next_ava_len; ) { + const u8 *ava, *dummy, *oidp; + struct sc_object_id oid; +- size_t ava_len, dummy_len, oid_len; ++ size_t ava_len = 0, dummy_len, oid_len = 0; + + /* unwrap the set and point to the next ava */ + ava = sc_asn1_skip_tag(ctx, &next_ava, &next_ava_len, SC_ASN1_TAG_SET | SC_ASN1_CONS, &ava_len); +Index: opensc-0.25.1/src/libopensc/pkcs15-sc-hsm.c +=================================================================== +--- opensc-0.25.1.orig/src/libopensc/pkcs15-sc-hsm.c ++++ opensc-0.25.1/src/libopensc/pkcs15-sc-hsm.c +@@ -386,7 +386,7 @@ int sc_pkcs15emu_sc_hsm_decode_cvc(sc_pk + struct sc_asn1_entry asn1_cvcert[C_ASN1_CVCERT_SIZE]; + struct sc_asn1_entry asn1_cvc_body[C_ASN1_CVC_BODY_SIZE]; + struct sc_asn1_entry asn1_cvc_pubkey[C_ASN1_CVC_PUBKEY_SIZE]; +- unsigned int cla,tag; ++ unsigned int cla = 0, tag = 0; + size_t taglen; + const u8 *tbuf; + int r; +Index: opensc-0.25.1/src/pkcs15init/profile.c +=================================================================== +--- opensc-0.25.1.orig/src/pkcs15init/profile.c ++++ opensc-0.25.1/src/pkcs15init/profile.c +@@ -1809,7 +1809,7 @@ do_pin_storedlength(struct state *cur, i + static int + do_pin_flags(struct state *cur, int argc, char **argv) + { +- unsigned int flags; ++ unsigned int flags = 0; + int i, r; + + if (cur->pin->pin.auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN) diff --git a/opensc-CVE-2024-45616.patch b/opensc-CVE-2024-45616.patch new file mode 100644 index 0000000..0ab0318 --- /dev/null +++ b/opensc-CVE-2024-45616.patch 
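Review bot: In the `cac_read_binary` hunk only `tl_len` and `val_len` receive an initializer while `tlv_len`, `len`, `tl_head_len` and `cert_len` on the very same declarations stay uninitialized, and the `pkcs15-cert.c` hunk likewise leaves `dummy_len` alone. Those remaining variables are presumably assigned before every use on today's paths, but this fix only covers the traces the fuzzer happened to hit, and the next reordering of the TLV parsing reintroduces the same class of bug at no warning. Initializing the whole declaration list costs nothing here: `size_t tl_len = 0, val_len = 0, tlv_len = 0;`, `size_t len = 0, tl_head_len = 0, cert_len = 0;` and `size_t ava_len = 0, dummy_len = 0, oid_len = 0;`. The enclosing functions all begin and end outside this hunk.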
@@ -0,0 +1,233 @@ +commit 1d3b410e06d33cfc4c70e8a25386e456cfbd7bd1 +Author: Veronika Hanulíková +Date: Thu Jul 11 15:27:19 2024 +0200 + + cardos: Fix uninitialized values + + Thanks Matteo Marini for report + https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + + fuzz_card/2 + +Index: opensc-0.25.1/src/libopensc/card-cardos.c +=================================================================== +--- opensc-0.25.1.orig/src/libopensc/card-cardos.c ++++ opensc-0.25.1/src/libopensc/card-cardos.c +@@ -94,14 +94,14 @@ static void fixup_transceive_length(cons + + static int cardos_match_card(sc_card_t *card) + { +- unsigned char atr[SC_MAX_ATR_SIZE]; ++ unsigned char atr[SC_MAX_ATR_SIZE] = {0}; + int i; + + i = _sc_match_atr(card, cardos_atrs, &card->type); + if (i < 0) + return 0; + +- memcpy(atr, card->atr.value, sizeof(atr)); ++ memcpy(atr, card->atr.value, card->atr.len); + + /* Do not change card type for CIE! */ + if (card->type == SC_CARD_TYPE_CARDOS_CIE_V1) +@@ -114,8 +114,8 @@ static int cardos_match_card(sc_card_t * + return 1; + if (card->type == SC_CARD_TYPE_CARDOS_M4_2) { + int rv; +- sc_apdu_t apdu; +- u8 rbuf[SC_MAX_APDU_BUFFER_SIZE]; ++ sc_apdu_t apdu = {0}; ++ u8 rbuf[SC_MAX_APDU_BUFFER_SIZE] = {0}; + /* first check some additional ATR bytes */ + if ((atr[4] != 0xff && atr[4] != 0x02) || + (atr[6] != 0x10 && atr[6] != 0x0a) || +@@ -131,7 +131,7 @@ static int cardos_match_card(sc_card_t * + apdu.lc = 0; + rv = sc_transmit_apdu(card, &apdu); + LOG_TEST_RET(card->ctx, rv, "APDU transmit failed"); +- if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00) ++ if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00 || apdu.resplen < 2) + return 0; + if (apdu.resp[0] != atr[10] || + apdu.resp[1] != atr[11]) +Index: opensc-0.25.1/src/libopensc/card-cac1.c +=================================================================== +--- opensc-0.25.1.orig/src/libopensc/card-cac1.c ++++ opensc-0.25.1/src/libopensc/card-cac1.c +@@ -92,12 +92,12 @@ static int 
cac_cac1_get_certificate(sc_c + if (apdu.sw1 != 0x63 || apdu.sw2 < 1) { + /* we've either finished reading, or hit an error, break */ + r = sc_check_sw(card, apdu.sw1, apdu.sw2); +- left -= len; ++ left -= apdu.resplen; + break; + } + /* Adjust the lengths */ +- left -= len; +- out_ptr += len; ++ left -= apdu.resplen; ++ out_ptr += apdu.resplen; + len = MIN(left, apdu.sw2); + } + if (r < 0) { +Index: opensc-0.25.1/src/libopensc/card-oberthur.c +=================================================================== +--- opensc-0.25.1.orig/src/libopensc/card-oberthur.c ++++ opensc-0.25.1/src/libopensc/card-oberthur.c +@@ -148,7 +148,7 @@ auth_select_aid(struct sc_card *card) + { + struct sc_apdu apdu; + unsigned char apdu_resp[SC_MAX_APDU_BUFFER_SIZE]; +- struct auth_private_data *data = (struct auth_private_data *) card->drv_data; ++ struct auth_private_data *data = (struct auth_private_data *)card->drv_data; + int rv, ii; + struct sc_path tmp_path; + +@@ -165,6 +165,9 @@ auth_select_aid(struct sc_card *card) + + rv = sc_transmit_apdu(card, &apdu); + LOG_TEST_RET(card->ctx, rv, "APDU transmit failed"); ++ if (apdu.resplen < 20) { ++ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Serial number has incorrect length"); ++ } + card->serialnr.len = 4; + memcpy(card->serialnr.value, apdu.resp+15, 4); + +Index: opensc-0.25.1/src/libopensc/card-gids.c +=================================================================== +--- opensc-0.25.1.orig/src/libopensc/card-gids.c ++++ opensc-0.25.1/src/libopensc/card-gids.c +@@ -231,6 +231,7 @@ static int gids_get_DO(sc_card_t* card, + size_t datasize = 0; + const u8* p; + u8 buffer[MAX_GIDS_FILE_SIZE]; ++ size_t buffer_len = sizeof(buffer); + + SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); + sc_log(card->ctx, +@@ -244,14 +245,15 @@ static int gids_get_DO(sc_card_t* card, + apdu.data = data; + apdu.datalen = 04; + apdu.resp = buffer; +- apdu.resplen = sizeof(buffer); ++ apdu.resplen = buffer_len; + apdu.le = 256; + + r = 
sc_transmit_apdu(card, &apdu); + LOG_TEST_RET(card->ctx, r, "gids get data failed"); + LOG_TEST_RET(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2), "invalid return"); ++ buffer_len = apdu.resplen; + +- p = sc_asn1_find_tag(card->ctx, buffer, sizeof(buffer), dataObjectIdentifier, &datasize); ++ p = sc_asn1_find_tag(card->ctx, buffer, buffer_len, dataObjectIdentifier, &datasize); + if (!p) { + LOG_FUNC_RETURN(card->ctx, SC_ERROR_FILE_NOT_FOUND); + } +Index: opensc-0.25.1/src/libopensc/asn1.c +=================================================================== +--- opensc-0.25.1.orig/src/libopensc/asn1.c ++++ opensc-0.25.1/src/libopensc/asn1.c +@@ -68,7 +68,7 @@ int sc_asn1_read_tag(const u8 ** buf, si + + *buf = NULL; + +- if (left == 0 || !p) ++ if (left == 0 || !p || buflen == 0) + return SC_ERROR_INVALID_ASN1_OBJECT; + if (*p == 0xff || *p == 0) { + /* end of data reached */ +@@ -83,6 +83,8 @@ int sc_asn1_read_tag(const u8 ** buf, si + */ + cla = (*p & SC_ASN1_TAG_CLASS) | (*p & SC_ASN1_TAG_CONSTRUCTED); + tag = *p & SC_ASN1_TAG_PRIMITIVE; ++ if (left < 1) ++ return SC_ERROR_INVALID_ASN1_OBJECT; + p++; + left--; + if (tag == SC_ASN1_TAG_PRIMITIVE) { +Index: opensc-0.25.1/src/libopensc/card-dnie.c +=================================================================== +--- opensc-0.25.1.orig/src/libopensc/card-dnie.c ++++ opensc-0.25.1/src/libopensc/card-dnie.c +@@ -1172,12 +1172,16 @@ static int dnie_compose_and_send_apdu(sc + + if (file_out) { + /* finally process FCI response */ ++ size_t len = apdu.resp[1]; + sc_file_free(*file_out); + *file_out = sc_file_new(); + if (*file_out == NULL) { + LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY); + } +- res = card->ops->process_fci(card, *file_out, apdu.resp + 2, apdu.resp[1]); ++ if (apdu.resplen - 2 < len || len < 1) { ++ LOG_FUNC_RETURN(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED); ++ } ++ res = card->ops->process_fci(card, *file_out, apdu.resp + 2, len); + } + LOG_FUNC_RETURN(ctx, res); + } +@@ -1935,7 +1939,7 @@ static int 
dnie_process_fci(struct sc_ca + int *op = df_acl; + int n = 0; + sc_context_t *ctx = NULL; +- if ((card == NULL) || (card->ctx == NULL) || (file == NULL)) ++ if ((card == NULL) || (card->ctx == NULL) || (file == NULL) || buflen == 0) + return SC_ERROR_INVALID_ARGUMENTS; + ctx = card->ctx; + LOG_FUNC_CALLED(ctx); +Index: opensc-0.25.1/src/libopensc/muscle.c +=================================================================== +--- opensc-0.25.1.orig/src/libopensc/muscle.c ++++ opensc-0.25.1/src/libopensc/muscle.c +@@ -111,13 +111,15 @@ int sc_partial_read_object(sc_card_t *c + + int msc_read_object(sc_card_t *card, msc_id objectId, int offset, u8 *data, size_t dataLength) + { +- int r; ++ int r = 0; + unsigned int i; + size_t max_read_unit = MSC_MAX_READ; + +- for(i = 0; i < dataLength; i += max_read_unit) { ++ for(i = 0; i < dataLength; i += r) { + r = msc_partial_read_object(card, objectId, offset + i, data + i, MIN(dataLength - i, max_read_unit)); + LOG_TEST_RET(card->ctx, r, "Error in partial object read"); ++ if (r == 0) ++ break; + } + return (int)dataLength; + } +@@ -154,7 +156,7 @@ int msc_create_object(sc_card_t *card, m + ushort2bebytes(buffer + 12, deleteAcl); + r = sc_transmit_apdu(card, &apdu); + LOG_TEST_RET(card->ctx, r, "APDU transmit failed"); +- if(apdu.sw1 == 0x90 && apdu.sw2 == 0x00) ++ if(apdu.sw1 == 0x90 && apdu.sw2 == 0x00) + return (int)objectSize; + if(apdu.sw1 == 0x9C) { + if(apdu.sw2 == 0x01) { +@@ -170,7 +172,7 @@ int msc_create_object(sc_card_t *card, m + apdu.sw1, apdu.sw2); + } + msc_zero_object(card, objectId, objectSize); +- return (int)objectSize; ++ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_UNKNOWN_DATA_RECEIVED); + } + + /* Update up to MSC_MAX_READ - 9 bytes */ +Index: opensc-0.25.1/src/libopensc/card-entersafe.c +=================================================================== +--- opensc-0.25.1.orig/src/libopensc/card-entersafe.c ++++ opensc-0.25.1/src/libopensc/card-entersafe.c +@@ -1479,7 +1479,9 @@ static 
int entersafe_get_serialnr(sc_car + r=entersafe_transmit_apdu(card, &apdu,0,0,0,0); + LOG_TEST_RET(card->ctx, r, "APDU transmit failed"); + LOG_TEST_RET(card->ctx, sc_check_sw(card,apdu.sw1,apdu.sw2),"EnterSafe get SN failed"); +- ++ if (apdu.resplen != 8) ++ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of SN"); ++ + card->serialnr.len=serial->len=8; + memcpy(card->serialnr.value,rbuf,8); + memcpy(serial->value,rbuf,8); diff --git a/opensc-CVE-2024-45617.patch b/opensc-CVE-2024-45617.patch new file mode 100644 index 0000000..e26ed55 --- /dev/null +++ b/opensc-CVE-2024-45617.patch 
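Review bot: In the `card-dnie.c` hunk, `size_t len = apdu.resp[1];` reads the response before any length check, and the new guard `apdu.resplen - 2 < len` is evaluated in `size_t`, so for a `resplen` of 0 or 1 the subtraction wraps to a huge value and the check passes whenever `len >= 1`. A response shorter than two bytes therefore still reaches `process_fci` with a length taken from a byte the card never sent. Put `if (apdu.resplen < 2) LOG_FUNC_RETURN(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);` before the `len` declaration, or fold `apdu.resplen < 2 ||` into the existing condition and read `apdu.resp[1]` only after it. Whether `apdu.resp` points at a zeroed buffer is not visible in this hunk, so I would not rely on that to make the read harmless. `dnie_compose_and_send_apdu` begins outside the hunk.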
@@ -0,0 +1,55 @@ +commit fdb9e903eb124b6b18a5a9350a26eceb775585bc +Author: Veronika Hanulíková +Date: Tue Jul 16 14:05:36 2024 +0200 + + cac: Check return value when selecting AID + + Thanks Matteo Marini for report + https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + + fuzz_pkcs11/14 + +Index: opensc-0.22.0/src/libopensc/card-cac.c +=================================================================== +--- opensc-0.22.0.orig/src/libopensc/card-cac.c ++++ opensc-0.22.0/src/libopensc/card-cac.c +@@ -1302,10 +1302,10 @@ static int cac_parse_aid(sc_card_t *card + /* Call without OID set will just select the AID without subsequent + * OID selection, which we need to figure out just now + */ +- cac_select_file_by_type(card, &new_object.path, NULL); ++ r = cac_select_file_by_type(card, &new_object.path, NULL); ++ LOG_TEST_RET(card->ctx, r, "Cannot select AID"); + r = cac_get_properties(card, &prop); +- if (r < 0) +- return SC_ERROR_INTERNAL; ++ LOG_TEST_RET(card->ctx, r, "Cannot get CAC properties"); + + for (i = 0; i < prop.num_objects; i++) { + /* don't fail just because we have more certs than we can support */ +Index: opensc-0.22.0/src/libopensc/card-cardos.c +=================================================================== +--- opensc-0.22.0.orig/src/libopensc/card-cardos.c ++++ opensc-0.22.0/src/libopensc/card-cardos.c +@@ -1277,7 +1277,7 @@ cardos_lifecycle_get(sc_card_t *card, in + LOG_TEST_RET(card->ctx, r, "Card returned error"); + + if (apdu.resplen < 1) { +- LOG_TEST_RET(card->ctx, r, "Lifecycle byte not in response"); ++ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Lifecycle byte not in response"); + } + + r = SC_SUCCESS; +Index: opensc-0.22.0/src/libopensc/card-jpki.c +=================================================================== +--- opensc-0.22.0.orig/src/libopensc/card-jpki.c ++++ opensc-0.22.0/src/libopensc/card-jpki.c +@@ -195,6 +195,8 @@ jpki_select_file(struct sc_card *card, + u8 buf[4]; + rc = 
sc_read_binary(card, 0, buf, 4, 0); + LOG_TEST_RET(card->ctx, rc, "SW Check failed"); ++ if (rc < 4) ++ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Received data too short"); + file = sc_file_new(); + if (!file) { + LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY); diff --git a/opensc-CVE-2024-45618.patch b/opensc-CVE-2024-45618.patch new file mode 100644 index 0000000..afa697d --- /dev/null +++ b/opensc-CVE-2024-45618.patch 
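Review bot: The `Index:` and `---`/`+++` headers of this patch name `opensc-0.22.0/` while the packaged tarball is 0.25.1 and every sibling CVE patch uses `opensc-0.25.1/`. With `-p1` the prefix is stripped so it still applies, but it shows the hunks were generated against a different release, meaning line offsets and context may only match with fuzz; I would regenerate it against 0.25.1, or at least confirm it applies with `--fuzz=0`, so the `cardos_lifecycle_get` hunk in particular lands on the intended `apdu.resplen < 1` check. The code changes themselves look right: the previously ignored return of `cac_select_file_by_type` is now propagated, and the `LOG_TEST_RET(card->ctx, r, ...)` that could never fire (the preceding `LOG_TEST_RET` already guaranteed `r >= 0`) now returns `SC_ERROR_UNKNOWN_DATA_RECEIVED`. The `jpki_select_file` and `cac_parse_aid` bodies continue outside this hunk.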
@@ -0,0 +1,67 @@ +commit 8632ec172beda894581d67eaa991e519a7874f7d +Author: Veronika Hanulíková +Date: Wed Jul 17 11:18:52 2024 +0200 + + pkcs15-tcos: Check return value of serial num conversion + + Thanks Matteo Marini for report + https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + + fuzz_pkcs15_encode/21 + +diff --git a/src/libopensc/pkcs15-tcos.c b/src/libopensc/pkcs15-tcos.c +index 4d02a98ee..2bd275c4f 100644 +--- a/src/libopensc/pkcs15-tcos.c ++++ b/src/libopensc/pkcs15-tcos.c +@@ -531,10 +531,15 @@ int sc_pkcs15emu_tcos_init_ex( + /* get the card serial number */ + r = sc_card_ctl(card, SC_CARDCTL_GET_SERIALNR, &serialnr); + if (r < 0) { +- sc_log(ctx, "unable to get ICCSN\n"); ++ sc_log(ctx, "unable to get ICCSN"); + return SC_ERROR_WRONG_CARD; + } +- sc_bin_to_hex(serialnr.value, serialnr.len , serial, sizeof(serial), 0); ++ r = sc_bin_to_hex(serialnr.value, serialnr.len, serial, sizeof(serial), 0); ++ if (r != SC_SUCCESS) { ++ sc_log(ctx, "serial number invalid"); ++ return SC_ERROR_INTERNAL; ++ } ++ + serial[19] = '\0'; + set_string(&p15card->tokeninfo->serial_number, serial); + + +commit f9d68660f032ad4d7803431d5fc7577ea8792ac3 +Author: Veronika Hanulíková +Date: Wed Jul 17 14:56:22 2024 +0200 + + pkcs15-lib: Report transport key error + + Thanks Matteo Marini for report + https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + + fuzz_pkcs15init/17, fuzz_pkcs15init/18 + +diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c +index 6574e8025..943d53e98 100644 +--- a/src/pkcs15init/pkcs15-lib.c ++++ b/src/pkcs15init/pkcs15-lib.c +@@ -3831,13 +3831,15 @@ sc_pkcs15init_get_transport_key(struct sc_profile *profile, struct sc_pkcs15_car + if (callbacks.get_key) { + rv = callbacks.get_key(profile, type, reference, defbuf, defsize, pinbuf, pinsize); + LOG_TEST_RET(ctx, rv, "Cannot get key"); +- } +- else if (rv >= 0) { ++ } else if (rv >= 0) { + if (*pinsize < defsize) + LOG_TEST_RET(ctx, 
SC_ERROR_BUFFER_TOO_SMALL, "Get transport key error"); + + memcpy(pinbuf, data.key_data, data.len); + *pinsize = data.len; ++ } else { ++ /* pinbuf and pinsize were not filled */ ++ LOG_TEST_RET(ctx, SC_ERROR_INTERNAL, "Get transport key error"); + } + + memset(&auth_info, 0, sizeof(auth_info)); diff --git a/opensc-CVE-2024-45619.patch b/opensc-CVE-2024-45619.patch new file mode 100644 index 0000000..1fbd32c --- /dev/null +++ b/opensc-CVE-2024-45619.patch 
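Review bot: In the new `else` branch of `sc_pkcs15init_get_transport_key`, `rv` is known to be negative (the `else if (rv >= 0)` test just failed), yet the branch returns a fixed `SC_ERROR_INTERNAL`, which hides the real reason the default-key lookup failed from both the caller and the log. `LOG_TEST_RET(ctx, rv, "Get transport key error");` propagates the actual code while still preventing the unfilled `pinbuf`/`pinsize` from being used, which is the point of the fix. The `pkcs15-tcos.c` hunk makes the same choice for `sc_bin_to_hex`; returning `r` there would be consistent, though `SC_ERROR_INTERNAL` may be deliberate if callers key on it — I cannot tell from the hunk. Both functions begin and end outside this hunk.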
@@ -0,0 +1,212 @@ +commit f01bfbd19b9c8243a40f7f17d554fe0eb9e89d0d +Author: Veronika Hanulíková +Date: Tue Jul 16 14:22:02 2024 +0200 + + pkcs15-tcos: Check number of read bytes for cert + + Thanks Matteo Marini for report + https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + + fuzz_pkcs11/15 + +Index: opensc-0.25.1/src/libopensc/pkcs15-tcos.c +=================================================================== +--- opensc-0.25.1.orig/src/libopensc/pkcs15-tcos.c ++++ opensc-0.25.1/src/libopensc/pkcs15-tcos.c +@@ -45,6 +45,7 @@ static int insert_cert( + struct sc_pkcs15_cert_info cert_info; + struct sc_pkcs15_object cert_obj; + unsigned char cert[20]; ++ size_t cert_len = 0; + int r; + + memset(&cert_info, 0, sizeof(cert_info)); +@@ -57,24 +58,31 @@ static int insert_cert( + strlcpy(cert_obj.label, label, sizeof(cert_obj.label)); + cert_obj.flags = writable ? SC_PKCS15_CO_FLAG_MODIFIABLE : 0; + +- if(sc_select_file(card, &cert_info.path, NULL)!=SC_SUCCESS){ +- sc_log(ctx, +- "Select(%s) failed\n", path); ++ if (sc_select_file(card, &cert_info.path, NULL) != SC_SUCCESS) { ++ sc_log(ctx, "Select(%s) failed", path); + return 1; + } +- if(sc_read_binary(card, 0, cert, sizeof(cert), 0)<0){ +- sc_log(ctx, +- "ReadBinary(%s) failed\n", path); ++ r = sc_read_binary(card, 0, cert, sizeof(cert), 0); ++ if (r <= 0) { ++ sc_log(ctx, "ReadBinary(%s) failed\n", path); + return 2; + } +- if(cert[0]!=0x30 || cert[1]!=0x82){ +- sc_log(ctx, +- "Invalid Cert: %02X:%02X:...\n", cert[0], cert[1]); ++ cert_len = r; /* actual number of read bytes */ ++ if (cert_len < 7 || (size_t)(7 + cert[5]) > cert_len) { ++ sc_log(ctx, "Invalid certificate length"); ++ return 3; ++ } ++ if (cert[0] != 0x30 || cert[1] != 0x82) { ++ sc_log(ctx, "Invalid Cert: %02X:%02X:...\n", cert[0], cert[1]); + return 3; + } + + /* some certificates are prefixed by an OID */ +- if(cert[4]==0x06 && cert[5]<10 && cert[6+cert[5]]==0x30 && cert[7+cert[5]]==0x82){ ++ if (cert[4] == 0x06 && cert[5] < 
10 && cert[6 + cert[5]] == 0x30 && cert[7 + cert[5]] == 0x82) { ++ if ((size_t)(9 + cert[5]) > cert_len) { ++ sc_log(ctx, "Invalid certificate length"); ++ return 3; ++ } + cert_info.path.index=6+cert[5]; + cert_info.path.count=(cert[8+cert[5]]<<8) + cert[9+cert[5]] + 4; + } else { +@@ -82,12 +90,12 @@ static int insert_cert( + cert_info.path.count=(cert[2]<<8) + cert[3] + 4; + } + +- r=sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info); +- if(r!=SC_SUCCESS){ +- sc_log(ctx, "sc_pkcs15emu_add_x509_cert(%s) failed\n", path); ++ r = sc_pkcs15emu_add_x509_cert(p15card, &cert_obj, &cert_info); ++ if (r != SC_SUCCESS) { ++ sc_log(ctx, "sc_pkcs15emu_add_x509_cert(%s) failed", path); + return 4; + } +- sc_log(ctx, "%s: OK, Index=%d, Count=%d\n", path, cert_info.path.index, cert_info.path.count); ++ sc_log(ctx, "%s: OK, Index=%d, Count=%d", path, cert_info.path.index, cert_info.path.count); + return 0; + } + +Index: opensc-0.25.1/src/libopensc/pkcs15-gemsafeV1.c +=================================================================== +--- opensc-0.25.1.orig/src/libopensc/pkcs15-gemsafeV1.c ++++ opensc-0.25.1/src/libopensc/pkcs15-gemsafeV1.c +@@ -169,6 +169,7 @@ static int gemsafe_get_cert_len(sc_card_ + size_t objlen; + int certlen; + unsigned int ind, i=0; ++ int read_len; + + sc_format_path(GEMSAFE_PATH, &path); + r = sc_select_file(card, &path, &file); +@@ -177,9 +178,11 @@ static int gemsafe_get_cert_len(sc_card_ + sc_file_free(file); + + /* Initial read */ +- r = sc_read_binary(card, 0, ibuf, GEMSAFE_READ_QUANTUM, 0); +- if (r < 0) ++ read_len = sc_read_binary(card, 0, ibuf, GEMSAFE_READ_QUANTUM, 0); ++ if (read_len <= 2) { ++ sc_log(card->ctx, "Invalid size of object data: %d", read_len); + return SC_ERROR_INTERNAL; ++ } + + /* Actual stored object size is encoded in first 2 bytes + * (allocated EF space is much greater!) +@@ -208,7 +211,7 @@ static int gemsafe_get_cert_len(sc_card_ + * the private key. 
+ */ + ind = 2; /* skip length */ +- while (ibuf[ind] == 0x01 && i < gemsafe_cert_max) { ++ while (ind + 1 < (size_t)read_len && ibuf[ind] == 0x01 && i < gemsafe_cert_max) { + if (ibuf[ind+1] == 0xFE) { + gemsafe_prkeys[i].ref = ibuf[ind+4]; + sc_log(card->ctx, "Key container %d is allocated and uses key_ref %d", +@@ -235,7 +238,7 @@ static int gemsafe_get_cert_len(sc_card_ + /* Read entire file, then dissect in memory. + * Gemalto ClassicClient seems to do it the same way. + */ +- iptr = ibuf + GEMSAFE_READ_QUANTUM; ++ iptr = ibuf + read_len; + while ((size_t)(iptr - ibuf) < objlen) { + r = sc_read_binary(card, (unsigned)(iptr - ibuf), iptr, + MIN(GEMSAFE_READ_QUANTUM, objlen - (iptr - ibuf)), 0); +@@ -243,7 +246,14 @@ static int gemsafe_get_cert_len(sc_card_ + sc_log(card->ctx, "Could not read cert object"); + return SC_ERROR_INTERNAL; + } +- iptr += GEMSAFE_READ_QUANTUM; ++ if (r == 0) ++ break; ++ read_len += r; ++ iptr += r; ++ } ++ if ((size_t)read_len < objlen) { ++ sc_log(card->ctx, "Could not read cert object"); ++ return SC_ERROR_INTERNAL; + } + + /* Search buffer for certificates, they start with 0x3082. 
*/ +Index: opensc-0.25.1/src/pkcs15init/pkcs15-setcos.c +=================================================================== +--- opensc-0.25.1.orig/src/pkcs15init/pkcs15-setcos.c ++++ opensc-0.25.1/src/pkcs15init/pkcs15-setcos.c +@@ -507,6 +507,9 @@ setcos_generate_key(struct sc_profile *p + r = sc_card_ctl(p15card->card, SC_CARDCTL_SETCOS_GETDATA, &data_obj); + LOG_TEST_RET(ctx, r, "Cannot get key modulus: 'SETCOS_GETDATA' failed"); + ++ if (data_obj.DataLen < 3 || data_obj.DataLen < pubkey->u.rsa.modulus.len) ++ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Cannot get key modulus: wrong length of raw key"); ++ + keybits = ((raw_pubkey[0] * 256) + raw_pubkey[1]); /* modulus bit length */ + if (keybits != key_info->modulus_length) { + sc_log(ctx, +Index: opensc-0.25.1/src/pkcs15init/pkcs15-sc-hsm.c +=================================================================== +--- opensc-0.25.1.orig/src/pkcs15init/pkcs15-sc-hsm.c ++++ opensc-0.25.1/src/pkcs15init/pkcs15-sc-hsm.c +@@ -140,7 +140,7 @@ static int sc_hsm_determine_free_id(stru + LOG_TEST_RET(card->ctx, filelistlength, "Could not enumerate file and key identifier"); + + for (j = 0; j < 256; j++) { +- for (i = 0; i < filelistlength; i += 2) { ++ for (i = 0; i + 1 < filelistlength; i += 2) { + if ((filelist[i] == range) && (filelist[i + 1] == j)) { + break; + } +Index: opensc-0.25.1/src/libopensc/card-coolkey.c +=================================================================== +--- opensc-0.25.1.orig/src/libopensc/card-coolkey.c ++++ opensc-0.25.1/src/libopensc/card-coolkey.c +@@ -1697,6 +1697,7 @@ static int coolkey_rsa_op(sc_card_t *car + u8 key_number; + size_t params_len; + u8 buf[MAX_COMPUTE_BUF + 2]; ++ size_t buf_len; + u8 *buf_out; + + SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE); +@@ -1737,8 +1738,6 @@ static int coolkey_rsa_op(sc_card_t *car + ushort2bebytes(params.init.buf_len, 0); + } else { + /* The data fits in APDU. 
Copy it to the params object */ +- size_t buf_len; +- + params.init.location = COOLKEY_CRYPT_LOCATION_APDU; + + params_len = sizeof(params.init) + datalen; +@@ -1758,6 +1757,7 @@ static int coolkey_rsa_op(sc_card_t *car + if (r < 0) { + goto done; + } ++ buf_len = crypt_out_len_p; + + if (datalen > MAX_COMPUTE_BUF) { + u8 len_buf[2]; +@@ -1776,7 +1776,12 @@ static int coolkey_rsa_op(sc_card_t *car + priv->nonce, sizeof(priv->nonce)); + + } else { +- size_t out_length = bebytes2ushort(buf); ++ size_t out_length; ++ if (buf_len < 2) { ++ r = SC_ERROR_WRONG_LENGTH; ++ goto done; ++ } ++ out_length = bebytes2ushort(buf); + if (out_length > sizeof buf - 2) { + r = SC_ERROR_WRONG_LENGTH; + goto done; diff --git a/opensc-CVE-2024-45620.patch b/opensc-CVE-2024-45620.patch new file mode 100644 index 0000000..e03d770 --- /dev/null +++ b/opensc-CVE-2024-45620.patch 
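Review bot: The new unconditional check `(size_t)(7 + cert[5]) > cert_len` in `insert_cert` treats `cert[5]` as if it were always the OID length, but for a certificate without the OID prefix `cert[5]` is the length byte of the inner SEQUENCE (0x81/0x82 for any realistic DER certificate), so `7 + cert[5]` exceeds the 20-byte read and the function returns 3 before the `cert[4] == 0x06` test is ever reached. As I read it this rejects every non-prefixed certificate on the card as "Invalid certificate length", which is worth confirming against a real TCOS token before shipping. The inner check `(size_t)(9 + cert[5]) > cert_len` is also off by one, since `cert[9 + cert[5]]` is read and so `9 + cert[5]` must be strictly less than `cert_len`. I would keep only `cert_len < 7` unconditional and move the bound into the OID branch condition, evaluated before `cert[6 + cert[5]]` is touched (a truncated prefix then takes the plain-certificate path, as it did before the patch). `insert_cert` begins outside this hunk.
```c
	cert_len = r; /* actual number of read bytes */
	if (cert_len < 7) {
		sc_log(ctx, "Invalid certificate length");
		return 3;
	}
	/* … unchanged: 0x30 0x82 header check … */

	/* some certificates are prefixed by an OID; every index read below must lie within cert_len */
	if (cert[4] == 0x06 && cert[5] < 10 && (size_t)(9 + cert[5]) < cert_len
			&& cert[6 + cert[5]] == 0x30 && cert[7 + cert[5]] == 0x82) {
		cert_info.path.index = 6 + cert[5];
		cert_info.path.count = (cert[8 + cert[5]] << 8) + cert[9 + cert[5]] + 4;
	} else {
		/* … unchanged: non-prefixed certificate, length from cert[2..3] … */
```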
@@ -0,0 +1,73 @@ +commit a1bcc6516f43d570899820d259b71c53f8049168 +Author: Veronika Hanulíková +Date: Thu Jul 18 09:23:20 2024 +0200 + + pkcs15-starcos: Check length of file to be non-zero + + Thanks Matteo Marini for report + https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 + + fuzz_pkcs15init/20 + +Index: opensc-0.25.1/src/pkcs15init/pkcs15-starcos.c +=================================================================== +--- opensc-0.25.1.orig/src/pkcs15init/pkcs15-starcos.c ++++ opensc-0.25.1/src/pkcs15init/pkcs15-starcos.c +@@ -670,6 +670,8 @@ static int starcos_write_pukey(sc_profil + return r; + len = tfile->size; + sc_file_free(tfile); ++ if (len == 0) ++ return SC_ERROR_INTERNAL; + buf = malloc(len); + if (!buf) + return SC_ERROR_OUT_OF_MEMORY; +@@ -684,7 +686,7 @@ static int starcos_write_pukey(sc_profil + if (num_keys == 0xff) + num_keys = 0; + /* encode public key */ +- keylen = starcos_encode_pukey(rsa, NULL, kinfo); ++ keylen = starcos_encode_pukey(rsa, NULL, kinfo); + if (!keylen) { + free(buf); + return SC_ERROR_INTERNAL; +Index: opensc-0.25.1/src/libopensc/iasecc-sdo.c +=================================================================== +--- opensc-0.25.1.orig/src/libopensc/iasecc-sdo.c ++++ opensc-0.25.1/src/libopensc/iasecc-sdo.c +@@ -318,16 +318,26 @@ iasecc_se_parse(struct sc_card *card, un + + LOG_FUNC_CALLED(ctx); + ++ if (data_len < 1) ++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA); ++ + if (*data == IASECC_SDO_TEMPLATE_TAG) { + size_size = iasecc_parse_size(data + 1, data_len - 1, &size); + LOG_TEST_RET(ctx, size_size, "parse error: invalid size data of IASECC_SDO_TEMPLATE"); + ++ if (data_len - 1 < size) ++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA); ++ ++ + data += size_size + 1; + data_len = size; + sc_log(ctx, + "IASECC_SDO_TEMPLATE: size %"SC_FORMAT_LEN_SIZE_T"u, size_size %d", + size, size_size); + ++ if (data_len < 3) ++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA); ++ + if (*data != IASECC_SDO_TAG_HEADER) + 
LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA); + +@@ -759,6 +769,8 @@ iasecc_sdo_parse(struct sc_card *card, u + int rv; + + LOG_FUNC_CALLED(ctx); ++ if (data == NULL || data_len < 2) ++ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA); + + if (*data == IASECC_SDO_TEMPLATE_TAG) { + size_size = iasecc_parse_size(data + 1, data_len - 1, &size); diff --git a/opensc-CVE-2024-8443.patch b/opensc-CVE-2024-8443.patch new file mode 100644 index 0000000..61c770f --- /dev/null +++ b/opensc-CVE-2024-8443.patch @@ -0,0 +1,78 @@ +commit b28a3cef416fcfb92fbb9ea7fd3c71df52c6c9fc +Author: Jakub Jelen +Date: Mon Aug 12 19:02:14 2024 +0200 + + openpgp: Do not accept non-matching key responses + + When generating RSA key pair using PKCS#15 init, the driver could accept + responses relevant to ECC keys, which made further processing in the + pkcs15-init failing/accessing invalid parts of structures. + + Thanks oss-fuzz! + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=71010 + + 
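Review bot: The new template bound in iasecc_se_parse is loose by the width of the length field: it checks `if (data_len - 1 < size)`, but `data` is then advanced by `size_size + 1` and `data_len` is set to `size`, so a template whose declared size equals `data_len - 1` still lets the parser read `size_size` bytes past the end of the buffer (unless iasecc_parse_size already bounds `size` against the `data_len - 1` bytes it was handed, which is not visible here). The check should subtract the size field as well, e.g. `if ((size_t)size_size > data_len - 1 || data_len - 1 - (size_t)size_size < size)`. The `data == NULL || data_len < 2` guard added to iasecc_sdo_parse is followed by the same template-size logic, which lies outside this hunk and presumably needs the same bound; both enclosing functions continue past the hunk. In the pkcs15-starcos part, the `-`/`+` pair around `keylen = starcos_encode_pukey(rsa, NULL, kinfo);` changes only whitespace and could be dropped from the backport to keep the security patch minimal.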
Signed-off-by: Jakub Jelen + +Index: opensc-0.22.0/src/libopensc/card-openpgp.c +=================================================================== +--- opensc-0.22.0.orig/src/libopensc/card-openpgp.c ++++ opensc-0.22.0/src/libopensc/card-openpgp.c +@@ -2657,14 +2657,21 @@ pgp_calculate_and_store_fingerprint(sc_c + /* update the blob containing fingerprints (00C5) */ + sc_log(card->ctx, "Updating fingerprint blob 00C5."); + fpseq_blob = pgp_find_blob(card, 0x00C5); +- if (fpseq_blob == NULL) +- LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY, "Cannot find blob 00C5"); ++ if (fpseq_blob == NULL) { ++ r = SC_ERROR_OUT_OF_MEMORY; ++ LOG_TEST_GOTO_ERR(card->ctx, r, "Cannot find blob 00C5"); ++ } ++ if (20 * key_info->key_id > fpseq_blob->len) { ++ r = SC_ERROR_OBJECT_NOT_VALID; ++ LOG_TEST_GOTO_ERR(card->ctx, r, "The 00C5 blob is not large enough"); ++ } + + /* save the fingerprints sequence */ + newdata = malloc(fpseq_blob->len); +- if (newdata == NULL) +- LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY, +- "Not enough memory to update fingerprint blob 00C5"); ++ if (newdata == NULL) { ++ r = SC_ERROR_OUT_OF_MEMORY; ++ LOG_TEST_GOTO_ERR(card->ctx, r, "Not enough memory to update fingerprint blob 00C5"); ++ } + + memcpy(newdata, fpseq_blob->data, fpseq_blob->len); + /* move p to the portion holding the fingerprint of the current key */ +@@ -2778,6 +2785,9 @@ pgp_parse_and_set_pubkey_output(sc_card_ + + /* RSA modulus */ + if (tag == 0x0081) { ++ if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA) { ++ LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED); ++ } + if ((BYTES4BITS(key_info->u.rsa.modulus_len) < len) /* modulus_len is in bits */ + || key_info->u.rsa.modulus == NULL) { + +@@ -2793,6 +2803,9 @@ pgp_parse_and_set_pubkey_output(sc_card_ + } + /* RSA public exponent */ + else if (tag == 0x0082) { ++ if (key_info->algorithm != SC_OPENPGP_KEYALGO_RSA) { ++ LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED); ++ } + if 
((BYTES4BITS(key_info->u.rsa.exponent_len) < len) /* exponent_len is in bits */ + || key_info->u.rsa.exponent == NULL) { + +@@ -2808,6 +2821,10 @@ pgp_parse_and_set_pubkey_output(sc_card_ + } + /* ECC public key */ + else if (tag == 0x0086) { ++ if (key_info->algorithm != SC_OPENPGP_KEYALGO_ECDSA && ++ key_info->algorithm != SC_OPENPGP_KEYALGO_ECDH) { ++ LOG_FUNC_RETURN(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED); ++ } + /* set the output data */ + /* len is ecpoint length + format byte + * see section 7.2.14 of 3.3.1 specs */ diff --git a/opensc-docbook-xsl-fix.patch b/opensc-docbook-xsl-fix.patch new file mode 100644 index 0000000..e6d4f7c --- /dev/null +++ b/opensc-docbook-xsl-fix.patch @@ -0,0 +1,13 @@ +diff --git a/doc/html.xsl b/doc/html.xsl +index 665d45f..734fa98 100644 +--- a/doc/html.xsl ++++ b/doc/html.xsl +@@ -3,7 +3,7 @@ + + ]> + +- ++ + + + diff --git a/opensc-gcc11.patch b/opensc-gcc11.patch new file mode 100644 index 0000000..3462350 --- /dev/null +++ b/opensc-gcc11.patch 
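Review bot: The tag 0x0086 guard added to pgp_parse_and_set_pubkey_output accepts only SC_OPENPGP_KEYALGO_ECDSA and SC_OPENPGP_KEYALGO_ECDH, yet this driver also handles EdDSA/curve25519 keys (the changelog in this commit records (X)EdDSA support, #1960, and the ed/curve25519 fix, #2892), and per the OpenPGP card spec the 0x86 tag carries the public point for those keys too; if key_info->algorithm can be SC_OPENPGP_KEYALGO_EDDSA for a generated key, the new check rejects a valid response with SC_ERROR_UNKNOWN_DATA_RECEIVED, so confirm against the driver's algorithm enum and extend the condition with `key_info->algorithm != SC_OPENPGP_KEYALGO_EDDSA` if so. In pgp_calculate_and_store_fingerprint the new bound `20 * key_info->key_id > fpseq_blob->len` is only correct if key_id is 1-based and the copy below (outside this hunk) starts at `20 * (key_id - 1)`; a one-line comment such as `/* key_id is 1-based: slot key_id ends at byte 20 * key_id */` would pin the assumption, and if key_id can be 0 the check passes trivially and the offset underflows. Both enclosing functions extend beyond the hunk. The `Index:` paths here name opensc-0.22.0 while the sibling CVE patches use opensc-0.25.1; harmless with -p1 but worth normalising so the patch visibly matches the tarball it is applied to.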
@@ -0,0 +1,31 @@ +diff --git a/src/tools/opensc-explorer.c b/src/tools/opensc-explorer.c +index 41e620a..57f8a79 100644 +--- a/src/tools/opensc-explorer.c ++++ b/src/tools/opensc-explorer.c +@@ -1839,6 +1839,12 @@ static int do_apdu(int argc, char **argv) + if (argc < 1) + return usage(do_apdu); + ++ /* gcc-11 complains about BUF potentially being used without being ++ initialized. I can't convince myself that the calls to ++ parse_string_or_hexdata will fully initialize it, so we just ++ initialize it here. */ ++ memset (buf, 0, sizeof (buf)); ++ + /* loop over the args and parse them, making sure the result fits into buf[] */ + for (i = 0, len = 0; i < (unsigned) argc && len < sizeof(buf); i++) { + size_t len0 = sizeof(buf) - len; +commit 1680b3a1fb15319e41dbe3214ef8c4a4c215d529 +Author: Jakub Jelen +Date: Tue Feb 23 19:57:02 2021 +0100 + + Fix build on gcc11 + + This made most of the applications crashing in Fedora 34 when + smart card was plugged in. + + The suggested patch makes the code path more obvious for gcc to + handle. + + https://bugzilla.redhat.com/show_bug.cgi?id=1930652 + diff --git a/opensc-rpmlintrc b/opensc-rpmlintrc new file mode 100644 index 0000000..916ca6a --- /dev/null +++ b/opensc-rpmlintrc @@ -0,0 +1,3 @@ +# There is no devel package any more. +addFilter("obsolete-not-provided") +addFilter("devel-file-in-non-devel-package") diff --git a/opensc.changes b/opensc.changes new file mode 100644 index 0000000..1b68dc3 --- /dev/null +++ b/opensc.changes 
@@ -0,0 +1,981 @@ +------------------------------------------------------------------- +Tue Oct 1 06:30:06 UTC 2024 - Angel Yankov + +- - Security fix: [CVE-2024-8443, bsc#1230364] + * opensc: heap buffer overflow in OpenPGP driver when generating key + * Added patch: opensc-CVE-2024-8443.patch + +------------------------------------------------------------------- +Tue Oct 1 06:27:05 UTC 2024 - Angel Yankov + +- Security fix: [opensc-CVE-2024-45620, bsc#1230076] +- Security fix: [opensc-CVE-2024-45619, bsc#1230075] +- Security fix: [opensc-CVE-2024-45618, bsc#1230074] +- Security fix: [opensc-CVE-2024-45617, bsc#1230073] +- Security fix: [opensc-CVE-2024-45616, bsc#1230072] +- Security fix: [opensc-CVE-2024-45615, bsc#1230071] + * opensc: pkcs15init: Usage of uninitialized values in libopensc and pkcs15init + * opensc: Uninitialized values after incorrect check or usage of APDU response values in libopensc + * opensc: Uninitialized values after incorrect or missing checking return values of functions in libopensc + * opensc: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init + * opensc: Incorrect handling length of buffers or files in libopensc + * opensc: Incorrect handling of the length of buffers or files in pkcs15init + * Added patches: + - opensc-CVE-2024-45615.patch + - opensc-CVE-2024-45616.patch + - opensc-CVE-2024-45617.patch + - opensc-CVE-2024-45618.patch + - opensc-CVE-2024-45619.patch + - opensc-CVE-2024-45620.patch + +------------------------------------------------------------------- +Fri Apr 5 18:54:38 UTC 2024 - Martin Hauke + +- Update to verion 0.25.1 + General improvements + * Add missing file to dist tarball to build documentation. + minidriver + * Fix RSA decryption with PKCS#1 v1.5 padding. + * Fix crash when app is not set. 
+ +------------------------------------------------------------------- +Wed Mar 13 21:56:31 UTC 2024 - Martin Hauke + +- Build with support for libeac (OpenPACE) + +------------------------------------------------------------------- +Sat Mar 9 12:06:03 UTC 2024 - Martin Hauke + +- Update to version 0.25.0 + Security + * CVE-2023-5992: Fix Side-channel leaks while stripping + encryption PKCS#1.5 padding in OpenSC. + * CVE-2024-1454: Fix Potential use-after-free in AuthentIC driver + during card enrollment in pkcs15init. + General improvements + * Remove support for old card drivers Akis, GPK, Incrypto34 and + Westcos, disable Cyberflex driver. + * Fix 64b to 32b conversions. + * Improvements for the p11test. + * Fix reader initialization without SCardControl. + * Make RSA PKCS#1 v1.5 depadding constant-time. + * Add option for disabling PKCS#1 v1.5 depadding (type 01 and 02) + on the card. + * Fixed various issues reported by OSS-Fuzz and Coverity in + drivers, PKCS#11 and PKCS#15 layer. +- Add patch: + * opensc-docbook-xsl-fix.patch +- Drop not longer needed patches: + * CVE-2024-1454.patch +- Introduce subpackage for bash-completion + +------------------------------------------------------------------- +Sun Feb 25 20:35:05 UTC 2024 - Martin Schreiner + +- Add CVE-2024-1454.patch. + Fix for CVE-2024-1454 / bsc#1219868. 
+ +------------------------------------------------------------------- +Wed Dec 13 12:27:34 UTC 2023 - Otto Hollmann + +- Update to OpenSC 0.24.0: + * Security + - CVE-2023-40660: Fix Potential PIN bypass + (#2806, frankmorgner/OpenSCToken#50, #2807) + - CVE-2023-40661: Important dynamic analyzers reports + - CVE-2023-4535: Out-of-bounds read in MyEID driver handling encryption + using symmetric keys (f1993dc) + * General improvements + - Fix compatibility of EAC with OpenSSL 3.0 (#2674) + - Enable use_file_cache by default (#2501) + - Use custom libctx with OpenSSL >= 3.0 (#2712, #2715) + - Fix record-based files (#2604) + - Fix several race conditions (#2735) + - Run tests under Valgrind (#2756) + - Test signing of data bigger than 512 bytes (#2789) + - Update to OpenPACE 1.1.3 (#2796) + - Implement logout for some of the card drivers (#2807) + - Fix wrong popup position of opensc-notify (#2901) + - Fixed various issues reported by OSS-Fuzz and Coverity regarding card + drivers, PKCS#11 and PKCS#15 init + * PKCS#11 + - Check card presence state in C_GetSessionInfo (#2740) + - Remove onepin-opensc-pkcs11 module (#2681) + - Do not use colons in the token info label (#2760) + - Present profile objects in all slots with the CKA_TOKEN attribute to + resolve issues with NSS (#2928, #2924) + - Use secure memory for PUK (#2906) + - Don't logout to preserve concurrent access from different processes + (#2907) + - Add more examples to manual page (#2936) + - Present profile objects in all virtual slots (#2928) + - Provide CKA_TOKEN attribute for profile objects (#2924) + - Improve --slot parameter documentation (#2951) + * PKCS#15 + - Honor cache offsets when writing file cache (#2858) + - Prevent needless amount of PIN prompts from pkcs15init layer (#2916) + - Propagate CKA_EXTRACTABLE and SC_PKCS15_PRKEY_ACCESS_SENSITIVE from and + back to PKCS#11 (#2936) + * Minidriver + - Fix for private keys that do not need a PIN (#2722) + - Unbreak decipher when the first null byte 
of PKCS#1.5 padding is + missing (#2939* + * pkcs11-tool + - Fix RSA key import with OpenSSL 3.0 (#2656) + - Add support for attribute filtering when listing objects (#2687) + - Add support for --private flag when writing certificates (#2768) + - Add support for non-AEAD ciphers to the test mode (#2780) + - Show CKA_SIGN attribute for secret keys (#2862) + - Do not attempt to read CKA_ALWAYS_AUTHENTICATE on secret keys + (#2864, #2913) + - Show Sign/VerifyRecover attributes (#2888) + - Add option to import generic keys (#2955) + * westcos-tool + - Generate 2k RSA keys by default (b53fc5c) + * pkcs11-register + - Disable autostart on Linux by default (#2680) + * IDPrime + - Add support for IDPrime MD 830, 930 and 940 (#2666) + - Add support for SafeNet eToken 5110 token (#2812) + - Process index even without keyrefmap and use correct label for second + PIN (#2878) + - Add support for Gemalto IDPrime 940C (#2941) + * EPass2003 + - Change of PIN requires verification of the PIN (#2759) + - Fix incorrect CMAC computation for subkeys (#2759, issue #2734) + - Use true random number for mutual authentication for SM (#2766) + - Add verification of data coming from the token in the secure messaging + mode (#2772) + - Avoid success when using unsupported digest and fix data length for RAW + ECDSA signatures (#2845) + * OpenPGP + - Fix select data command (#2753, issue #2752) + - Unbreak ed/curve25519 support (#2892) + * eOI + - Add support for Slovenian eID card (eOI) (#2646) + * Italian CNS + - Add support for IDEMIA (Oberthur) tokens (#2483) + * PIV + - Add support for Swissbit iShield FIDO2 Authenticator (#2671) + - Implement PIV secure messaging (#2053) + * SkeID + - Add support for Slovak eID cards (#2672) + * isoApplet + - Support ECDSA with off-card hashing (#2642) + * MyEID + - Fix WRAP operation when using T0 (#2695) + - Identify changes on the card and enable use_file_cache (#2798) + - Workaround for unwrapping using 2K RSA key (#2921) + * SC-HSM + - Add support 
for opensc-tool --serial (#2675) + - Fix unwrapping of 4096 keys with handling reader limits (#2682) + - Indicate supported hashes and MGF1s (#2827) +- Remove patches: + * opensc-CVE-2023-40660-1of2.patch + * opensc-CVE-2023-40660-2of2.patch + * opensc-CVE-2023-40661-1of12.patch + * opensc-CVE-2023-40661-2of12.patch + * opensc-CVE-2023-40661-3of12.patch + * opensc-CVE-2023-40661-4of12.patch + * opensc-CVE-2023-40661-5of12.patch + * opensc-CVE-2023-40661-6of12.patch + * opensc-CVE-2023-40661-7of12.patch + * opensc-CVE-2023-40661-8of12.patch + * opensc-CVE-2023-40661-9of12.patch + * opensc-CVE-2023-40661-10of12.patch + * opensc-CVE-2023-40661-11of12.patch + * opensc-CVE-2023-40661-12of12.patch + * opensc-CVE-2023-4535.patch + * opensc-CVE-2023-2977.patch + * opensc-NULL_pointer_fix.patch + +------------------------------------------------------------------- +Fri Oct 6 06:49:24 UTC 2023 - Otto Hollmann + +- Security Fix: [CVE-2023-40661, bsc#1215761] + * opensc: multiple memory issues with pkcs15-init (enrollment tool) + * Add patches: + - opensc-CVE-2023-40661-1of12.patch + - opensc-CVE-2023-40661-2of12.patch + - opensc-CVE-2023-40661-3of12.patch + - opensc-CVE-2023-40661-4of12.patch + - opensc-CVE-2023-40661-5of12.patch + - opensc-CVE-2023-40661-6of12.patch + - opensc-CVE-2023-40661-7of12.patch + - opensc-CVE-2023-40661-8of12.patch + - opensc-CVE-2023-40661-9of12.patch + - opensc-CVE-2023-40661-10of12.patch + - opensc-CVE-2023-40661-11of12.patch + - opensc-CVE-2023-40661-12of12.patch + +------------------------------------------------------------------- +Thu Oct 5 13:45:16 UTC 2023 - Otto Hollmann + +- Security Fix: [CVE-2023-4535, bsc#1215763] + * Add patches: + - opensc-CVE-2023-4535.patch + - opensc-NULL_pointer_fix.patch + +------------------------------------------------------------------- +Wed Oct 4 13:26:11 UTC 2023 - Otto Hollmann + +- Security Fix: [CVE-2023-40660, bsc#1215762] + * opensc: PIN bypass when card tracks its own login state + * Add patches: + - 
opensc-CVE-2023-40660-1of2.patch + - opensc-CVE-2023-40660-2of2.patch + +------------------------------------------------------------------- +Thu Jun 1 12:55:19 UTC 2023 - Otto Hollmann + +- Security Fix: [CVE-2023-2977, bsc#1211894] + * opensc: out of bounds read in pkcs15 cardos_have_verifyrc_package() + * Add opensc-CVE-2023-2977.patch + +------------------------------------------------------------------- +Tue Nov 29 17:52:46 UTC 2022 - Michael Ströder + +- Update to OpenSC 0.23.0: + * General improvements + - Support signing of data with a length of more than 512 bytes (#2314) + - By default, disable support for old card drivers (#2391) and remove + support for old drivers MioCOS and JCOP (#2374) + - Bump minimal required OpenSSL version to 1.1.1 and add support for OpenSSL 3.0 (#2438, #2506) + - Compatibility with LibreSSL (#2495, #2595) + - Remove support for DSA (#2503) + - Extend p11test to support symmetric keys (#2430) + - Notice detached reader on macOS (#2418) + - Support for OAEP padding (#2475, #2484) + - Fix for PSS salt length (#2478) + - Improve fuzzing by adding new tests (#2417, #2500, #2520, #2550, #2637) + - Fixed various issues reported by OSS-Fuzz and Coverity regarding + card drivers, PKCS#11 and PKCS#15 init + - Fix issues with OpenPACE (#2472) + - Containers support for local testing + - Add support for encryption and decryption using symmetric keys (#2473, #2607) + - Stop building support for Gost algorithms with OpenSSL 3.0 as they + require deprecated API (#2586) + - Fix detection of disconnected readers in PCSC (#2600) + - Add configuration option for on-disk caching of private data (#2588) + - Skip building empty binaries when dependencies are missing and + remove needless linking (#2617) + - Define arm64 as a supported architecture in the Installer package (#2610) + * PKCS#11 + - Implement C_CreateObject for EC keys and fix signature verification + for CKM_ECDSA_SHAx cards (#2420) + * pkcs11-tool + - Add more elliptic curves (#2301) 
+ - Add support for symmetric encrypt and decrypt, wrap and unwrap operations, + and initialization vector (#2268) + - Fix consistent handling of secret key attributes (#2497) + - Add support for signing and verifying with HMAC (#2385) + - Add support for SHA3 (#2467) + - Make object selectable via label (#2570) + - Do not require an R/W session for some operations and + add --session-rw option (#2579) + - Print more information: CKA_UNIQUE_ID attribute, SHA3 HMACs and + serial number for certificates (#2644, #2643, #2641) + - Add new option --undestroyable to create keys with CKA_DESTROYABLE=FALSE (#2645) + * sc-hsm-tool + - Add options for public key authentication (#2301) + * Minidriver + - Fix reinit of the card (#2525) + - Add an entry for Italian CNS (e) (#2548) + - Fix detection of ECC mechanisms (#2523) + - Fix ATRs before adding them to the windows registry (#2628) + * NQ-Applet + - Add support for the JCOP4 Cards with NQ-Applet (#2425) + * ItaCNS + - Add support for ItaCMS v1.1 (key length 2048) (#2371) + * Belpic + - Add support for applet v1.8 (#2455) + * Starcos + - Add ATR for V3.4 (#2464) + - Add PKCS#15 emulator for 3.x cards with eSign app (#2544) + * ePass2003 + - Fix PKCS#15 initialization (#2403) + - Add support for FIPS (#2543) + - Fix matching with newer versions and tokens initialized with OpenSC (#2575) + * MyEID + - Support logout operation (#2557) + - Support for symmetric encryption and decryption (#2473, #2607) + * GIDS + - Fix decipher for TPM (#1881) + * OpenPGP + - Get the list of supported algorithms from algorithm information + on the card (#2287) + - Support for 3 certificates with OpenPGP 3+ (#2103) + * nPA + - Fix card detection (#2463) + * Rutoken + - Fix formatting rtecp cards (#2599) + * PIV + - Add new PIVKey ATRs for current cards (#2602) + +------------------------------------------------------------------- +Mon Oct 4 12:59:24 UTC 2021 - Daniel Donisa + +- Update to OpenSC 0.22.0: + * Removed changes in opensc-gcc11.patch 
already present in upstream. + - See https://github.com/OpenSC/OpenSC/pull/2241/commits/e549e9c62eb4fcd2260800e2665071e4dd9bbbda + * Removed some false positives from the openrc-rpmlintrc file. + * Use standard paths for file cache on Linux (#2148) and OSX (#2214) + * Various issues of memory/buffer handling in legacy drivers mostly reported by oss-fuzz and coverity (tcos, oberthur, isoapplet, iasecc, westcos, gpk, flex, dnie, mcrd, authentic, belpic) + * Add threading test to `pkcs11-tool` (#2067) + * Add support to generate generic secret keys (#2140) + * `opensc-explorer`: Print information about LCS (Life cycle status byte) (#2195) + * Add support for Apple's arm64 (M1) binaries, removed TokenD. A seperate installer with TokenD (and without arm64 binaries) will be available (#2179). + * Support for gcc11 and its new strict aliasing rules (#2241, #2260) + * Initial support for building with OpenSSL 3.0 (#2343) + * pkcs15-tool: Write data objects in binary mode (#2324) + * Avoid limited size of log messages (#2352) + * Support for ECDSA verification (#2211) + * Support for ECDSA with different SHA hashes (#2190) + * Prevent issues in p11-kit by not returning unexpected return codes (#2207) + * Add support for PKCS#11 3.0: The new interfaces, profile objects and functions (#2096, #2293) + * Standardize the version 2 on 2.20 in the code (#2096) + * Fix CKA_MODIFIABLE and CKA_EXTRACTABLE (#2176) + * Copy arguments of C_Initialize (#2350) + * Fix RSA-PSS signing (#2234) + * Fix DO deletion (#2215) + * Add support for (X)EdDSA keys (#1960) + * Add support for applet version 3 and fix RSA-PSS mechanisms (#2205) + * Add support for applet version 4 (#2332) + * New configuration option for opensc.conf to disable pkcs1_padding (#2193) + * Add support for ECDSA with different hashes (#2190) + * Enable more mechanisms (#2178) + * Fixed asking for a user pin when formatting a card (#1737) + * Added support for French CPx Healthcare cards (#2217) + * Added ATR for new CardOS 
5.4 version (#2296) + * Fixes security issues: + * tcos: use after return (bsc#1192005, CVE-2021-42780) + * oberthur: use after free (bsc#1191992, CVE-2021-42779) + * oberthur: multiple heap buffer overflows (bsc#1192000, + CVE-2021-42781) + * multiple stack buffer overflow issues (bsc#1191957, + CVE-2021-42782) + +------------------------------------------------------------------- +Sun Jun 27 16:48:49 UTC 2021 - Predrag Ivanović + +- Fix build on GCC11 + * Add opensc-gcc11.patch from Fedora + (https://github.com/OpenSC/OpenSC/pull/2241/) + +------------------------------------------------------------------- +Fri Mar 12 22:58:46 UTC 2021 - Dirk Müller + +- move licenses to licensedir + +------------------------------------------------------------------- +Fri Nov 27 19:27:30 UTC 2020 - Andreas Stieger + +- OpenSC 0.21.0: + * CVE-2020-26571: stack-based buffer overflow in the gemsafe GPK + smart card software driver (boo#1177380) + * CVE-2020-26572: stack-based buffer overflow in the TCOS smart + card software driver (boo#1177378) + * CVE-2020-26570: heap-based buffer overflow in the Oberthur + smart card software driver (boo#1177364) + * CardOS 5.x support boo#1179291 + * Support for OAEP encryption, make SHA256 default + * New separate debug level for PIN commands + * Fix handling of card/reader insertion/removal events in pcscd + * Fixes of removed readers handling + * Fix Firefox crash because of invalid pcsc context + * PKCS#11: Return CKR_TOKEN_NOT_RECOGNIZED for not recognized cards + * Propagate ignore_user_content to PKCS#11 layer not to confuse applications + * Minidriver: Fix check of ATR length (2-to 33 characters inclusive) + * pkcs11-tool: allow using SW tokens + * opensc-explorer asn1 accepts offsets and decode records + * opensc-explorer cat accepts records + * OpenPGP: Add new ec curves supported by GNUK + * First steps supporting OpenPGP 3.4 + * OpenPGP: Add support for EC key import + * Rutoken: Add ATR for Rutoken ECP SC NFC + * Improve detection 
of various CardOS 5 configurations + * DNIe: Add new DNIe CA structure for the secure channel + * ePass2003: Improve ECC support + * ePass2003: Fix erase sequence + * IAS-ECC: Fix support for Idemia Cosmo cards + * IAS-ECC: PIN padding settings are now used from PKCS#15 info when available + * IAS-ECC: Added PIN-pad support for PIN unblock + * New driver for Gemalto IDPrime (only some types) + * eDo: New driver with initial support for Polish eID card (e-dowód, eDO) + * MCRD: Remove unused and broken RSA EstEID support + * TCOS: Add missing encryption certificates + * PIV: Add ATR of DOD Yubikey + * fixed PIV global pin bug + * CAC1: Support changing PIN with CAC Alt tokens +- includes changes from 0.20.0 + * CVE-2019-6502: memory leak in libopensc (boo#1122756) + * CVE-2019-15946: out-of-bounds access of an ASN.1 Octet string (boo#1149747) + * CVE-2019-15945: out-of-bounds access of an ASN.1 Bitstring (boo#1149746) + * CVE-2019-19479: incorrect read operation during parsing of a SETCOS file attribute (boo#1158256) + * CVE-2019-19480: improper free operation in sc_pkcs15_decode_prkdf_entry (boo#1158307) + * CVE-2019-20792: double free in coolkey_free_private_dat (bsc#1170809) + * Support RSA-PSS signature mechanisms using RSA-RAW + * Added memory locking for secrets + * added support for terminal colors + * PC/SC driver: Fixed error handling in case of changing or removing the card reader + * rename md_read_only to read_only and use it for PKCS#11 and Minidriver + * allow global use of ignore_private_certificate + * PKCS#11: Implement write protection (CKF_WRITE_PROTECTED) based on the card profile + * PKCS#11: Add C_WrapKey and C_UnwrapKey implementations + * PKCS#11: Handle CKA_ALWAYS_AUTHENTICATE when creating key objects + * PKCS#11: Truncate long PKCS#11 labels with ... 
+ * PKCS#11: Fixed recognition of a token when being unplugged and reinserted + * Minidriver: Register for CardOS5 cards + * Minidriver: Add support for RSA-PSS + * tools: Harmonize the use of option -r/--reader + * goid-tool: GoID personalization with fingerprint + * openpgp-tool: replace the options -L/--key-length with -t/--key-type + * openpgp-tool: add options -C/--card-info and -K/--key-info + * opensc-explorer: add command pin_info, extend random + * pkcs11-register: Auto-configuration of applications for use of OpenSC PKCS#11 + * pkcd11-register: Autostart + * opensc-tool: Show ATR also for cards not recognized by OpenSC + * pkcs11-spy: parse CKM_AES_GCM, EC Derive parameters + * pkcs11-spy: Add support for CKA_OTP_* and CKM_*_PSS values + * pkcs11-tool: Support for signature verification via --verify + * pkcs11-tool: Add object type secrkey for --type option + * pkcs11-tool: Implement Secret Key write object + * pkcs11-tool: Add GOSTR3410-2012 support + * pkcs11-tool: Add support for testing CKM_RSA_PKCS_OAEP + * pkcs11-tool: Add extractable option to key import + * pkcs11-tool: list more key access flags when listing keys + * pkcs11-tool: Add support for CKA_ALLOWED_MECHANISMS when creating new objects and listing keys + * pkcs15-crypt: *Handle keys with user consent + * New separate CAC1 driver using the old CAC specification (#1502) + * CardOS: Add support for 4K RSA keys in CardOS 5 + * CardOS: Fixed decryption with CardOS 5 + * Enable CoolKey driver to handle 2048-bit keys + * EstEID: add support for a minimalistic, small and fast card profile based on IAS-ECC issued since December 2018 + * GIDS Decipher fix (#1881) + * GIDS: Allow RSA 4K support + * MICARDO: Remove long expired EstEID 1.0/1.1 card support + * MyEID: Add support for unwrapping a secret key with an RSA key or secret key + * MyEID Add support for wrapping a secret key with a secret key + * Support for MyEID 4K RSA + * Support for OsEID + * Gemalto GemSafe: add new PTeID ATRs, add 
support for 4K RSA keys + * OpenPGP Card v3 ECC support + * Add Rutoken ECP SC + * Add Rutoken Lite + * Add SmartCard-HSM 4K ATR + * Add missing secp384r1 curve parameter + * Stacros: Fix decipher with 2.3 + * Stacros: Add ATR for 2nd gen. eGK + * Stacros: Add new ATR for 3.5 + * Stacros: Detect and allow Globalplatform PIN encoding + * Fix TCOS IDKey support + * TCOS: add encryption certificate for IDKey + * Infocamere, Postecert, Cnipa: Remove profiles + * Remove incomplete acos5 driver +- drop patches now upstream: + * opensc-0.19.0-piv_card_matching.patch + * opensc-0.19.0-redundant_logging.patch + * opensc-0.19.0-rsa-pss.patch + +------------------------------------------------------------------- +Sun Aug 18 01:35:45 UTC 2019 - Jason Sikes + +- added opensc-0.19.0-piv_card_matching.patch + * Improve Card Matching for Dual CAC/PIV and PIVKEY cards. + * sourced from https://github.com/OpenSC/OpenSC/pull/1549 + +------------------------------------------------------------------- +Tue Jul 30 03:15:14 UTC 2019 - Jason Sikes + +- added opensc-0.19.0-rsa-pss.patch + * Fixes the pkcs11-tool example + * Added missing CKM_SHA224_RSA_PKCS_PSS + * Add support for PSS padding to RSA signatures + * Support for signature verification in pkcs11-tool + * Switch cleanup steps to avoid segfaults on errors and more sanity checking +- added opensc-0.19.0-redundant_logging.patch + * Remove redundant debug output + +------------------------------------------------------------------- +Tue Jul 23 21:51:42 UTC 2019 - Benjamin Greiner + +- add explicit BuildRequires: zlib-devel + +------------------------------------------------------------------- +Thu Sep 13 13:46:43 UTC 2018 - Karol Babioch + +- Update to version 0.19.0 + * Fixed multiple security problems (out of bound writes/reads): + * bsc#1104812 + * CVE-2018-16391 (bsc#1106998) + * CVE-2018-16392 (bsc#1106999) + * CVE-2018-16393 (bsc#1108318) + * CVE-2018-16418 (bsc#1107039) + * CVE-2018-16419 (bsc#1107107) + * CVE-2018-16420 
(bsc#1107097) + * CVE-2018-16421 (bsc#1107049) + * CVE-2018-16422 (bsc#1107038) + * CVE-2018-16423 (bsc#1107037) + * CVE-2018-16424 (bsc#1107036) + * CVE-2018-16425 (bsc#1107035) + * CVE-2018-16426 (bsc#1107034) + * CVE-2018-16427 (bsc#1107033) + * Workaround cards returning short signatures without leading zeroes + * Distribute minimal opensc.conf + * `pkcs11_enable_InitToken made` global configuration option + * Modify behavior of `OPENSC_DRIVER` environment variable to restrict driver + list instead of forcing one driver and skipping vital parts of + configuration + * Removed configuration options `zero_ckaid_for_ca_certs`, + `force_card_driver`, `reopen_debug_file`, `paranoid-memory` + * Generalized configuration option `ignored_readers` + * If card initialization fails, continue card detection with other card + drivers + * reader-pcsc: allow fixing the length of a PIN + * fixed crash during `C_WaitForSlotEvent` + * Allow cancelling the PIN pad prompt before starting the reader transaction. + Whether to start the transaction immediately or not is user-configurable + for each application + * opensc-notify + * add Exit button to tray icon + * User better description (GenericName) and a generic application icon + * Do not display in the application list +- Removed patches included upstream now: + * opensc-desktop.patch + * opensc-desktop2.patch + * opensc-bash-completions.patch +- Applied spec-cleaner + +------------------------------------------------------------------- +Tue Jul 10 16:56:28 CEST 2018 - sbrabec@suse.com + +- Update to version 0.18.0: + * Further improvements of PIN support. + * Large number of improvements and fixes + (boo#1097951, boo#1100501). + * See /usr/share/doc/packages/opensc/NEWS for complete list. +- Add opensc-desktop.patch, opensc-desktop2.patch and + opensc-bash-completions.patch. 
+ +------------------------------------------------------------------- +Mon Jan 1 16:16:13 UTC 2018 - michael@stroeder.com + +- update to version 0.17.0: + * support for new cards + * PIN support enhancemets + * added .pc file + * builds with OpenSSL 1.1.0 (1074799) + * See /usr/share/doc/packages/opensc/NEWS for complete list. + +------------------------------------------------------------------- +Tue Jul 18 13:58:05 UTC 2017 - tchvatal@suse.com + +- Switch to tarball fetching from github +- Few small cleanups + +------------------------------------------------------------------- +Tue Nov 22 16:42:06 CET 2016 - sbrabec@suse.com + +- Add baselibs.conf to provide 32-bit PKCS11 plugins (bsc#996047). +- Drop opensc-ADVISORIES. There is no new advisory since 2009. + +------------------------------------------------------------------- +Tue Jul 5 12:09:24 UTC 2016 - t.gruner@katodev.de + +- update to version 0.16.0 +- remove fix (issue 505) +- clean up spec-file + +------------------------------------------------------------------- +Thu Jul 30 16:16:19 EEST 2015 - bwachter-pkg@lart.info + +- update to version 0.15.0 +- register with p11-kit + (https://www.opensc-project.org/opensc/ticket/390) + +------------------------------------------------------------------- +Mon Feb 16 15:14:55 UTC 2015 - michael@stroeder.com + +- update to version 0.14.0 + +------------------------------------------------------------------- +Tue Dec 3 18:53:23 UTC 2013 - luizluca@tre-sc.gov.br + +- update to version 0.13.0 + +------------------------------------------------------------------- +Tue Jun 12 21:00:03 UTC 2012 - mgorse@suse.com + +- make needed directories before running make install + +------------------------------------------------------------------- +Thu Sep 29 18:26:23 UTC 2011 - lmedinas@opensuse.org +- Updated to version 0.12.2: + * Builds are now silent by default when OpenSC is built from + source on Unix. + * Using --wait with command line tools works with 64bit Linux + again. 
+ * Greatly improved OpenPGP card support, including OpenPGP + 2.0 cards like the one found in German Privacy Foundation + CryptoStick. + * Fixed support for FINeID cards issued after 01.03.2011 with + 2048bit keys. + * #256: Fixed support for TCOS cards (broken since 0.12.0). + * Added support for IDKey-cards to TCOS3 driver. + * #361: Improved PC/SC driver to fetch the maximum PIN sizes + from the open source CCID driver. This fixes the issue for + Linux/OSX with recent driver. + * Fix FINeID cards for organizations. + * Several smaller bugs and compiler warnings fixed + +- Updated to version 0.12.1: + * IAS-ECC 1.0.1 + * Support for cards with multiple PKCS#15 applications + * New card driver: IAS/ECC 1.0.1 + * rutoken-tool has been deprecated and removed. + * eidenv and piv-tool utilities now have manual pages. + * pkcs11-tool now requires the use of --module parameter. + * All tools can now use an ATR as an argument to --reader, + to skip to the card with given ATR. + * opensc-tool -l with -v now shows information about the + inserted cards. + * Creating files have an enforced upper size limit, 64K + * Support for multiple PKCS#15 applications with different + AID-s. PKCS#15 applications can be listed with pkcs15-tool + --list-applications. Binding to a specific AID with PKCS#15 + tools can be done with --aid. + * Hex strings (like card ATR or APDU-s) can now be separated + by space, in addition to colons. + * Pinpad readers known to be bogus are now ignored by OpenSC. + At the moment only "HP USB Smart Card Keyboard" is disabled. + * Numerous compiler warnings, unused code and internal bugs + have been eliminated. + +------------------------------------------------------------------- +Fri Jan 7 14:49:37 CET 2011 - sbrabec@suse.cz + +- Updated to version 0.12.0: + * Security fix (bnc#660109, CVE-2010-4523). + * Only one backend is supported. openSUSE will use pcsc-lite. + * libopensc made private, library should not be used by other + applications. 
Please use generic PKCS#11 interface instead. + * Signer plugin discontinued. Please use openssl engine_pkcs11. + * No more depends on libassuan. + * New card drivers. + * Support for CardOS enhanced. + * More changes and enhancements. +- libopensc merged back to the main package, as it is private now. + +------------------------------------------------------------------- +Mon Aug 23 14:15:22 CEST 2010 - sbrabec@suse.cz + +- Fixed broken opensc-fix-gcc-warnings.patch (bnc#627619). +- Simplified plugin installation. + +------------------------------------------------------------------- +Tue Apr 13 14:35:32 UTC 2010 - puzel@novell.com + +- update to version 0.11.13 + * Modify Rutoken S binary interfaces by Aktiv Co. + * Muscle driver fixed (acl reading issue) + * Many small fixes (e.g. mem leaks) + * Compiling with openssl 1.0.0-beta fixed + * Document integer problem in OpenSC and implement workaround + * Improve entersafe profile to support private data objects +- Require pinentry +- add opensc-libassuan-2.patch +- add opensc-fix-gcc-warnings.patch + +------------------------------------------------------------------- +Fri Jan 1 20:07:35 CET 2010 - jengelh@medozas.de + +- package baselibs.conf + +------------------------------------------------------------------- +Wed Aug 5 14:59:33 CEST 2009 - sbrabec@suse.cz + +- Updated to version 0.11.9: + * New rutoken_ecp driver + * Allow more keys/certificates/files etc. with entersafe tokens + * Updates pkcs11.h from scute fixing warnings + * Small fixes in rutoken driver + * Major update for piv driver with increased compatibility + +------------------------------------------------------------------- +Thu Jul 30 12:45:26 CEST 2009 - sbrabec@suse.cz + +- libopensc2 should not require opensc (bnc#466430). 
+ +------------------------------------------------------------------- +Thu May 7 17:52:06 CEST 2009 - sbrabec@suse.cz + +- Updated to version 0.11.8: + * Fix security problem in pkcs11-tool gen_keypair + (PublicExponent 1) (bnc#501726) + See http://en.opensuse.org/Smart_Cards/Advisories for more. + * updated and improve entersafe driver. FTCOS/PK-01C cards are + supported now, compatible with cards writen by Feitian's + software on windows. + +------------------------------------------------------------------- +Thu Apr 9 11:32:23 CEST 2009 - sbrabec@suse.cz + +- Fixed undefined code (bnc#440853). +- Don't call autoreconf on older products. + +------------------------------------------------------------------- +Tue Mar 17 18:01:29 CET 2009 - sbrabec@suse.cz + +- Updated to version 0.11.7: + * hide_empty_slots now on by default? small logic change? + * ruToken driver was updated. + * openct virtual readers reduced to 2 by default. + * Security issue: Fix private data support. (bnc#480262, + CVE-2009-0368) + See http://en.opensuse.org/Smart_Cards/Advisories for more. + * Enable lock_login by default. + * Disable allow_soft_keygen by default. + +------------------------------------------------------------------- +Wed Dec 10 12:34:56 CET 2008 - olh@suse.de + +- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade + (bnc#437293) + +------------------------------------------------------------------- +Thu Oct 30 12:34:56 CET 2008 - olh@suse.de + +- obsolete old -XXbit packages (bnc#437293) + +------------------------------------------------------------------- +Wed Sep 10 13:46:44 CEST 2008 - sbrabec@suse.cz + +- Updated to version 0.11.6: + * New support for Feitian ePass3000. + * GemSafeV1 improved to handle key_ref other than 3. + * Build system rewritten. + * ruToken now supported. + * Allow specifying application name for data objects. + * Basic reader hotplug support. + * PC/SC library is dynamically linked. 
+ * PKCS#11 provider is now installed at LIBDIR/pkcs11. + * PKCS#11 - Number of virtual slots moved into configuration. + * PKCS#11 - Fix fork() compliance. + * make sign_with_decrypt hack configureable for siemens cards. + +------------------------------------------------------------------- +Mon Sep 1 14:06:17 CEST 2008 - sbrabec@suse.cz + +- Check validity of SSL certificates for all Siemens CardOS M4 + cards (SCA and SCB are affected as well, bnc#413496#c6). + +------------------------------------------------------------------- +Thu Jul 31 12:45:11 CEST 2008 - sbrabec@suse.cz + +- Fixed initialization access rights for Siemens CardOS M4, added + a security check to pkcs15-tool (bnc#413496, CVE-2008-2235) + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Thu Feb 7 17:12:02 CET 2008 - sbrabec@suse.cz + +- Updated to version 0.11.4: + * Browser plugin support + * Support Siemens CardOS initialized cards (signing with + decryption) + * Add Siemens CardOS M4.2B support (experimental) + * Support for AKIS cards added (partial) + +------------------------------------------------------------------- +Thu Jul 26 13:40:30 CEST 2007 - sbrabec@suse.cz + +- Updated to version 0.11.3: + * make lots of internal functions and variables static. + * fix 0 vs NULL in many places. fix ansi c style (void). + * avoid variable names used also as glibc function (random etc.). + * new code for deleting objects. + * special hack for firefox. + * suport for Athena APCOS cards added. + * piv driver now supports bigger rsa keys too. + * enabled pin caching by default. + * use max_send_size 255 / max_recv_size 256 bytes by default. + * increase pin buffer size to allow longer pin codes. 
+ * Added --read-ssk-key option to pkcs15-tool + * use pkg-config for finding openct + * use strlcpy function + * use new pkcs11.h from scute with an open source license + * add support for sha2 to pkcs15-crypt + * add piv-tool for managing piv cards + * add muscle driver + * improved oberthur driver + * add support for pcsc v2 part10 + * convert source files to utf-8 +- Split package according to shared library packaging policy. + +------------------------------------------------------------------- +Tue Feb 27 12:12:30 CET 2007 - mvaner@suse.cz + +- Fixing dodgy use of sizeof (#238660) + - sizeof.patch + +------------------------------------------------------------------- +Mon Oct 2 18:49:35 CEST 2006 - sbrabec@suse.cz + +- Updated to version 0.11.1: + * Update for piv pkcs#15 emulation + * Improved TCOS driver for Uni Giesen Card + * Handle size_t printf with "%lu" and (unsigned long) cast + * Add support for d-trust cards / improve micardo 2.1 driver + +------------------------------------------------------------------- +Thu May 25 16:13:02 CEST 2006 - sbrabec@suse.cz + +- Fixed build for old SuSE Linux versions. + +------------------------------------------------------------------- +Thu May 11 13:00:00 CEST 2006 - sbrabec@suse.cz + +- Fixed devel dependencies. + +------------------------------------------------------------------- +Wed May 10 16:58:12 CEST 2006 - sbrabec@suse.cz + +- Updated to version 0.11.0. 
+ +------------------------------------------------------------------- +Wed Jan 25 21:39:06 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Thu Jan 5 02:05:11 CET 2006 - ro@suse.de + +- added unpackaged so-links to devel filelist + +------------------------------------------------------------------- +Tue Oct 25 15:30:04 CEST 2005 - rhafer@suse.de + +- added LDAP_DEPRECATED to CFLAGS to build correctly with· + OpenLDAP 2.3 + +------------------------------------------------------------------- +Fri Sep 2 12:56:14 CEST 2005 - okir@suse.de + +- Removed +x permissions on opensc.conf (#114849) + +------------------------------------------------------------------- +Thu Jul 14 16:11:56 CEST 2005 - okir@suse.de + +- Updated to latest upstream version +- Added missing documentation files (#75425) + +------------------------------------------------------------------- +Fri Mar 4 11:06:48 CET 2005 - meissner@suse.de + +- fixed gcc4 compilation. 
+ +------------------------------------------------------------------- +Fri Jan 21 14:43:23 CET 2005 - okir@suse.de + +- Updated to latest upstream version (0.9.4) + +------------------------------------------------------------------- +Thu Nov 18 15:49:34 CET 2004 - ro@suse.de + +- use kerberos-devel-packages + +------------------------------------------------------------------- +Mon Jul 19 14:06:10 CEST 2004 - adrian@suse.de + +- fix file list + +------------------------------------------------------------------- +Mon Jul 12 17:26:31 CEST 2004 - adrian@suse.de + +- update to version 0.8.1 + +------------------------------------------------------------------- +Fri Mar 19 11:10:13 CET 2004 - okir@suse.de + +- Fixed permissions and path names of some include files (#36432) + +------------------------------------------------------------------- +Fri Jan 16 13:19:16 CET 2004 - kukuk@suse.de + +- Add pam-devel to neededforbuild + +------------------------------------------------------------------- +Sat Jan 10 15:47:57 CET 2004 - adrian@suse.de + +- add %run_ldconfig and %defattr + +------------------------------------------------------------------- +Mon Aug 4 11:00:27 CEST 2003 - okir@suse.de + +- Build fixes for x86_64/ppc64 +- use a version string other than "CVS" (#28423) + +------------------------------------------------------------------- +Fri Aug 1 12:04:29 CEST 2003 - okir@suse.de + +- Updated to most recent upstream snapshot + +------------------------------------------------------------------- +Thu Jun 12 13:28:31 CEST 2003 - kukuk@suse.de + +- Fix filelist and permissions + +------------------------------------------------------------------- +Wed Jun 4 00:39:12 CEST 2003 - ro@suse.de + +- added rest of static libs to devel filelist +- remove unpackaged files from buildroot + +------------------------------------------------------------------- +Wed Jan 15 17:34:58 CET 2003 - ro@suse.de + +- use sasl2 + 
+-------------------------------------------------------------------
+Thu Dec 5 11:22:44 CET 2002 - okir@suse.de
+
+- fixed x86_64 build problem
+- updated to latest upstream
+
+-------------------------------------------------------------------
+Fri Nov 29 10:01:14 CET 2002 - okir@suse.de
+
+- updated to current CVS snapshot
+
+-------------------------------------------------------------------
+Fri Aug 9 21:35:43 CEST 2002 - okir@suse.de
+
+- added missing libs to files list
+
+-------------------------------------------------------------------
+Thu Jul 4 17:48:11 CEST 2002 - ro@suse.de
+
+- added heimdal-devel to neededforbuild to make libtool happy
+
+-------------------------------------------------------------------
+Fri Jun 28 17:34:49 CEST 2002 - schwab@suse.de
+
+- Fix bootstrap script.
+- Use correct libtool macros.
+
+-------------------------------------------------------------------
+Mon May 27 19:10:07 CEST 2002 - sf@suse.de
+
+- @libdir@ added to Makefile.am to use correct dirs for
+ */lib */lib64
+
+-------------------------------------------------------------------
+Tue Apr 30 16:05:12 CEST 2002 - okir@suse.de
+
+- Initial check-in
+
diff --git a/opensc.module b/opensc.module
new file mode 100644
index 0000000..c063a43
--- /dev/null
+++ b/opensc.module
@@ -0,0 +1,8 @@
+# This file describes how to load the opensc module
+# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
+
+# This is a relative path, which means it will be loaded from
+# the p11-kit default path which is usually $(libdir)/pkcs11.
+# Doing it this way allows for packagers to package opensc for
+# 32-bit and 64-bit and make them parallel installable
+module: onepin-opensc-pkcs11.so
diff --git a/opensc.spec b/opensc.spec
new file mode 100644
index 0000000..4989cdb
--- /dev/null
+++ b/opensc.spec
@@ -0,0 +1,143 @@
+#
+# spec file for package opensc
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define sover 11
+%define completionsdir %(pkg-config --variable completionsdir bash-completion)
+Name: opensc
+Version: 0.25.1
+Release: 0
+Summary: Smart Card Utilities
+License: LGPL-2.1-or-later
+Group: Productivity/Security
+URL: https://github.com/OpenSC/OpenSC/wiki
+Source: https://github.com/OpenSC/OpenSC/releases/download/%{version}/%{name}-%{version}.tar.gz
+Source1: baselibs.conf
+Source2: %{name}-rpmlintrc
+# Register with p11-kit
+# https://web.archive.org/web/20111225073733/http://www.opensc-project.org/opensc/ticket/390
+Source3: opensc.module
+Patch0: opensc-gcc11.patch
+Patch1: opensc-docbook-xsl-fix.patch
+Patch2: opensc-CVE-2024-8443.patch
+# PATCH-FIX-UPSTREAM: bsc#1230071 CVE-2024-45615: opensc: pkcs15init: Usage of uninitialized values in libopensc and pkcs15init
+Patch3: opensc-CVE-2024-45615.patch
+# PATCH-FIX-UPSTREAM: bsc#1230072 CVE-2024-45616: opensc: Uninitialized values after incorrect check or usage of APDU response values in libopensc
+Patch4: opensc-CVE-2024-45616.patch
+# PATCH-FIX-UPSTREAM: bsc#1230073 CVE-2024-45617: opensc: Uninitialized values after incorrect or missing checking return values of functions in libopensc
+Patch5: opensc-CVE-2024-45617.patch
+# PATCH-FIX-UPSTREAM: bsc#1230074 CVE-2024-45618: opensc: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init
+Patch6: opensc-CVE-2024-45618.patch
+# PATCH-FIX-UPSTREAM: bsc#1230075 CVE-2024-45619: opensc: Incorrect handling length of buffers or files in libopensc
+Patch7: opensc-CVE-2024-45619.patch
+# PATCH-FIX-UPSTREAM: bsc#1230076 CVE-2024-45620: opensc: Incorrect handling of the length of buffers or files in pkcs15init
+Patch8: opensc-CVE-2024-45620.patch
+BuildRequires: automake
+BuildRequires: docbook-xsl-stylesheets
+BuildRequires: libxslt
+BuildRequires: pkgconfig
+BuildRequires: readline-devel
+BuildRequires: zlib-devel
+BuildRequires: pkgconfig(bash-completion)
+BuildRequires: pkgconfig(libeac) >= 0.9
+BuildRequires: pkgconfig(libpcsclite) >= 1.8.22
+BuildRequires: pkgconfig(openssl) >= 1.0.1
+Requires: pcsc-lite
+# There is no more devel package.
+Obsoletes: opensc-devel < %{version}
+
+%description
+OpenSC provides a set of utilities to access smart cards. It mainly
+focuses on cards that support cryptographic operations. It facilitates
+their use in security applications such as mail encryption,
+authentication, and digital signature. OpenSC implements the PKCS#11
+API. Applications supporting this API, such as Mozilla Firefox and
+Thunderbird, can use it. OpenSC implements the PKCS#15 standard and aims
+to be compatible with every software that does so, too.
+
+Before purchasing any cards, please read carefully documentation on the
+web pageonly some cards are supported. Not only card type matters, but
+also card version, card OS version and preloaded applet. Only subset of
+possible operations may be supported for your card. Card initialization
+may require third party proprietary software.
+
+%package bash-completion
+Summary: Bash Completion for %{name}
+Group: Productivity/Security
+Requires: %{name} = %{version}
+Requires: bash-completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+Bash completion script for %{name}.
+
+%prep
+%setup -q
+%autopatch -p1
+
+%build
+%configure \
+ --docdir=%{_docdir}/%{name} \
+ --disable-static \
+ --enable-doc \
+ --disable-silent-rules
+%make_build
+
+%install
+%make_install
+# Private library.
+rm %{buildroot}%{_libdir}/libopensc.so
+install -D -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/pkcs11/modules/opensc.module
+
+%ldconfig_scriptlets
+
+%files
+%license COPYING
+%doc NEWS README
+%doc %{_docdir}/%{name}/tools.html
+%doc %{_docdir}/%{name}/files.html
+%doc %{_docdir}/%{name}/opensc.conf
+#
+%config(noreplace) %{_sysconfdir}/eac/cvc/DESCHSMCVCA00001
+%config(noreplace) %{_sysconfdir}/eac/cvc/DESRCACC100001
+#
+%{_bindir}/*
+%{_datadir}/applications/*.desktop
+%{_datadir}/opensc
+# Note: .la and .so must be in the main package, required by ltdl:
+%{_libdir}/*.la
+%{_libdir}/libsmm-local.so
+%{_libdir}/onepin-opensc-pkcs11.so
+%{_libdir}/opensc-pkcs11.so
+%{_libdir}/pkcs11-spy.so
+# This is a private library. There is no reason to split it to libopensc* package.
+%{_libdir}/libsmm-local.so.%{sover}*
+%{_libdir}/libopensc.so.%{sover}*
+#
+%dir %{_libdir}/pkcs11
+%{_libdir}/pkcs11/*.so
+%{_libdir}/pkgconfig/opensc-pkcs11.pc
+%{_mandir}/man?/*%{ext_man}
+%config %{_sysconfdir}/opensc.conf
+%dir %{_sysconfdir}/pkcs11
+%config %{_sysconfdir}/pkcs11/modules/
+
+%files bash-completion
+%{completionsdir}/*
+
+%changelog
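Review bot: `Patch2: opensc-CVE-2024-8443.patch` is the only security patch in the header without a `# PATCH-FIX-UPSTREAM:` tag, while Patch3 through Patch8 each carry one naming the bsc# reference, the CVE and a one-line summary; for patch-provenance audits it should be annotated the same way, with a line such as `# PATCH-FIX-UPSTREAM: bsc#<id> CVE-2024-8443: opensc: <summary from the changelog entry>` directly above `Patch2:`. On the same supply-chain theme, the tarball named in `Source:` is fetched with no detached-signature or keyring source alongside it, so nothing in the build verifies its origin beyond the checksum recorded in the package; if upstream publishes signatures for its releases (not confirmed here), a `Source4:` `.asc` plus `%{name}.keyring` would let OBS verify it. Also in this hunk, the `%description` text `web pageonly some cards are supported` is missing a separator and should read `web page - only some cards are supported`.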