opensc/opensc-CVE-2023-40661-11of12.patch

From 245efe608d083fd4e4ec96793fdefd218e26fde7 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 17 Aug 2023 13:54:42 +0200
Subject: [PATCH] pkcs15: Avoid buffer overflow when getting last update

Thanks oss-fuzz

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60769
---
 src/libopensc/pkcs15.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/src/libopensc/pkcs15.c
+++ b/src/libopensc/pkcs15.c
@@ -528,7 +528,7 @@ sc_pkcs15_get_lastupdate(struct sc_pkcs1
 	struct sc_context *ctx  = p15card->card->ctx;
 	struct sc_file *file = NULL;
 	struct sc_asn1_entry asn1_last_update[C_ASN1_LAST_UPDATE_SIZE];
-	unsigned char *content, last_update[32];
+	unsigned char *content, last_update[32] = {0};
 	size_t lupdate_len = sizeof(last_update) - 1;
 	int r, content_len;
 	size_t size;
@@ -564,9 +564,11 @@ sc_pkcs15_get_lastupdate(struct sc_pkcs1
 	if (r < 0)
 		return NULL;
 
-	p15card->tokeninfo->last_update.gtime = strdup((char *)last_update);
-	if (!p15card->tokeninfo->last_update.gtime)
-		return NULL;
+	if (asn1_last_update[0].flags & SC_ASN1_PRESENT) {
+		p15card->tokeninfo->last_update.gtime = strdup((char *)last_update);
+		if (!p15card->tokeninfo->last_update.gtime)
+			return NULL;
+	}
 done:
 	sc_log(ctx, "lastUpdate.gtime '%s'", p15card->tokeninfo->last_update.gtime);
 	return p15card->tokeninfo->last_update.gtime;
Accepting request 1116477 from home:ohollmann:branches:security:chipcard - Security Fix: [CVE-2023-40661, bsc#1215761] * opensc: multiple memory issues with pkcs15-init (enrollment tool) * Add patches: - opensc-CVE-2023-40661-1of12.patch - opensc-CVE-2023-40661-2of12.patch - opensc-CVE-2023-40661-3of12.patch - opensc-CVE-2023-40661-4of12.patch - opensc-CVE-2023-40661-5of12.patch - opensc-CVE-2023-40661-6of12.patch - opensc-CVE-2023-40661-7of12.patch - opensc-CVE-2023-40661-8of12.patch - opensc-CVE-2023-40661-9of12.patch - opensc-CVE-2023-40661-10of12.patch - opensc-CVE-2023-40661-11of12.patch - opensc-CVE-2023-40661-12of12.patch - Security Fix: [CVE-2023-4535, bsc#1215763] * Add patches: - opensc-CVE-2023-4535.patch - opensc-NULL_pointer_fix.patch - Security Fix: [CVE-2023-40660, bsc#1215762] * opensc: PIN bypass when card tracks its own login state * Add patches: - opensc-CVE-2023-40660-1of2.patch - opensc-CVE-2023-40660-2of2.patch OBS-URL: https://build.opensuse.org/request/show/1116477 OBS-URL: https://build.opensuse.org/package/show/security:chipcard/opensc?expand=0&rev=75 2023-10-10 14:49:01 +02:00			`From 245efe608d083fd4e4ec96793fdefd218e26fde7 Mon Sep 17 00:00:00 2001`
			`From: Jakub Jelen <jjelen@redhat.com>`
			`Date: Thu, 17 Aug 2023 13:54:42 +0200`
			`Subject: [PATCH] pkcs15: Avoid buffer overflow when getting last update`

			`Thanks oss-fuzz`

			`https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60769`
			`---`
			`src/libopensc/pkcs15.c \| 10 ++++++----`
			`1 file changed, 6 insertions(+), 4 deletions(-)`

			`--- a/src/libopensc/pkcs15.c`
			`+++ b/src/libopensc/pkcs15.c`
			`@@ -528,7 +528,7 @@ sc_pkcs15_get_lastupdate(struct sc_pkcs1`
			`struct sc_context *ctx = p15card->card->ctx;`
			`struct sc_file *file = NULL;`
			`struct sc_asn1_entry asn1_last_update[C_ASN1_LAST_UPDATE_SIZE];`
			`- unsigned char *content, last_update[32];`
			`+ unsigned char *content, last_update[32] = {0};`
			`size_t lupdate_len = sizeof(last_update) - 1;`
			`int r, content_len;`
			`size_t size;`
			`@@ -564,9 +564,11 @@ sc_pkcs15_get_lastupdate(struct sc_pkcs1`
			`if (r < 0)`
			`return NULL;`

			`- p15card->tokeninfo->last_update.gtime = strdup((char *)last_update);`
			`- if (!p15card->tokeninfo->last_update.gtime)`
			`- return NULL;`
			`+ if (asn1_last_update[0].flags & SC_ASN1_PRESENT) {`
			`+ p15card->tokeninfo->last_update.gtime = strdup((char *)last_update);`
			`+ if (!p15card->tokeninfo->last_update.gtime)`
			`+ return NULL;`
			`+ }`
			`done:`
			`sc_log(ctx, "lastUpdate.gtime '%s'", p15card->tokeninfo->last_update.gtime);`
			`return p15card->tokeninfo->last_update.gtime;`