Accepting request 1153161 from security:chipcard

OBS-URL: https://build.opensuse.org/request/show/1153161
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/opensc?expand=0&rev=56
Dominique Leuenberger 2024-02-29 20:50:21 +00:00 committed by Git OBS Bridge
commit b03638d6db
3 changed files with 34 additions and 1 deletions

CVE-2024-1454.patch

@ -0,0 +1,25 @@
From 5835f0d4f6c033bd58806d33fa546908d39825c9 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 18 Dec 2023 11:09:50 +0100
Subject: [PATCH] authentic: Avoid use after free
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64898
---
src/pkcs15init/pkcs15-authentic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pkcs15init/pkcs15-authentic.c b/src/pkcs15init/pkcs15-authentic.c
index a6d8b8ffad..798bc44138 100644
--- a/src/pkcs15init/pkcs15-authentic.c
+++ b/src/pkcs15init/pkcs15-authentic.c
@@ -868,7 +868,7 @@ authentic_emu_update_tokeninfo(struct sc_profile *profile, struct sc_pkcs15_card
rv = sc_select_file(p15card->card, &path, &file);
if (!rv) {
rv = sc_get_challenge(p15card->card, buffer, sizeof(buffer));
- if (!rv) {
+ if (rv < 0) {
sc_file_free(file);
LOG_TEST_RET(ctx, rv, "Get challenge error");
}
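Review bot: the one-line change at `if (rv < 0)` is right, but the patch description never says why the old `if (!rv)` was a use after free, so a downstream reader has only the oss-fuzz link to go on. It would help to state that `!rv` is true when sc_get_challenge succeeds, so `sc_file_free(file)` ran on the success path, and LOG_TEST_RET, which returns only for a negative rv, let execution continue with `file` already freed. The outer `if (!rv)` after sc_select_file still uses the zero-means-success form; writing both checks in the same `rv < 0` style would make an inversion like this one easier to spot in review.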


@ -1,3 +1,9 @@
-------------------------------------------------------------------
Sun Feb 25 20:35:05 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com>
- Add CVE-2024-1454.patch.
Fix for CVE-2024-1454 / bsc#1219868.
-------------------------------------------------------------------
Wed Dec 13 12:27:34 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
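Review bot: the new changelog entry names CVE-2024-1454 and bsc#1219868 but not what is being fixed, so someone reading the .changes file cannot tell the bug class or the affected component without opening the patch. Suggest adding a short description, for example that this is a use after free in authentic_emu_update_tokeninfo in src/pkcs15init/pkcs15-authentic.c, and a reference to the upstream commit 5835f0d4f6c033bd58806d33fa546908d39825c9 from the patch header.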


@ -1,7 +1,7 @@
#
# spec file for package opensc
#
# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -31,6 +31,8 @@ Source2: %{name}-rpmlintrc
# https://web.archive.org/web/20111225073733/http://www.opensc-project.org/opensc/ticket/390
Source3: opensc.module
Patch0: opensc-gcc11.patch
# PATCH-FIX-UPSTREAM martin.schreiner@suse.com CVE-2024-1454 bsc#1219868
Patch1: CVE-2024-1454.patch
BuildRequires: docbook-xsl-stylesheets
BuildRequires: libxslt
BuildRequires: pkgconfig
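Review bot: `Patch1: CVE-2024-1454.patch` is declared here, but this commit touches no other part of the spec (3 files, 34 additions, 1 deletion, all accounted for by the visible hunks), so the fix only reaches the build if %prep applies patches automatically. Please confirm %prep uses %autosetup or %autopatch; if it lists `%patch0` explicitly, a matching line for Patch1 is missing and the package would ship without the CVE fix while the changelog claims it.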