opensc/opensc-CVE-2023-40661-3of12.patch

From 5631e9843c832a99769def85b7b9b68b4e3e3959 Mon Sep 17 00:00:00 2001
From: Veronika Hanulikova <xhanulik@fi.muni.cz>
Date: Fri, 3 Mar 2023 16:07:38 +0100
Subject: [PATCH] Check length of string before making copy

Thanks OSS-Fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55851
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55998
---
 src/pkcs15init/profile.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/pkcs15init/profile.c b/src/pkcs15init/profile.c
index 2b793b0282..3bad1e8536 100644
--- a/src/pkcs15init/profile.c
+++ b/src/pkcs15init/profile.c
@@ -1575,7 +1575,10 @@ do_acl(struct state *cur, int argc, char **argv)
 	while (argc--) {
 		unsigned int	op, method, id;
 
+		if (strlen(*argv) >= sizeof(oper))
+			goto bad;
 		strlcpy(oper, *argv++, sizeof(oper));
+
 		if ((what = strchr(oper, '=')) == NULL)
 			goto bad;
 		*what++ = '\0';
@@ -2288,6 +2291,9 @@ get_authid(struct state *cur, const char *value,
 		return get_uint(cur, value, type);
 	}
 
+	if (strlen(value) >= sizeof(temp))
+		return 1;
+
 	n = strcspn(value, "0123456789x");
 	strlcpy(temp, value, (sizeof(temp) > n) ? n + 1 : sizeof(temp));
Accepting request 1116477 from home:ohollmann:branches:security:chipcard - Security Fix: [CVE-2023-40661, bsc#1215761] * opensc: multiple memory issues with pkcs15-init (enrollment tool) * Add patches: - opensc-CVE-2023-40661-1of12.patch - opensc-CVE-2023-40661-2of12.patch - opensc-CVE-2023-40661-3of12.patch - opensc-CVE-2023-40661-4of12.patch - opensc-CVE-2023-40661-5of12.patch - opensc-CVE-2023-40661-6of12.patch - opensc-CVE-2023-40661-7of12.patch - opensc-CVE-2023-40661-8of12.patch - opensc-CVE-2023-40661-9of12.patch - opensc-CVE-2023-40661-10of12.patch - opensc-CVE-2023-40661-11of12.patch - opensc-CVE-2023-40661-12of12.patch - Security Fix: [CVE-2023-4535, bsc#1215763] * Add patches: - opensc-CVE-2023-4535.patch - opensc-NULL_pointer_fix.patch - Security Fix: [CVE-2023-40660, bsc#1215762] * opensc: PIN bypass when card tracks its own login state * Add patches: - opensc-CVE-2023-40660-1of2.patch - opensc-CVE-2023-40660-2of2.patch OBS-URL: https://build.opensuse.org/request/show/1116477 OBS-URL: https://build.opensuse.org/package/show/security:chipcard/opensc?expand=0&rev=75 2023-10-10 12:49:01 +00:00			`From 5631e9843c832a99769def85b7b9b68b4e3e3959 Mon Sep 17 00:00:00 2001`
			`From: Veronika Hanulikova <xhanulik@fi.muni.cz>`
			`Date: Fri, 3 Mar 2023 16:07:38 +0100`
			`Subject: [PATCH] Check length of string before making copy`

			`Thanks OSS-Fuzz`
			`https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55851`
			`https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55998`
			`---`
			`src/pkcs15init/profile.c \| 6 ++++++`
			`1 file changed, 6 insertions(+)`

			`diff --git a/src/pkcs15init/profile.c b/src/pkcs15init/profile.c`
			`index 2b793b0282..3bad1e8536 100644`
			`--- a/src/pkcs15init/profile.c`
			`+++ b/src/pkcs15init/profile.c`
			`@@ -1575,7 +1575,10 @@ do_acl(struct state cur, int argc, char *argv)`
			`while (argc--) {`
			`unsigned int op, method, id;`

			`+ if (strlen(*argv) >= sizeof(oper))`
			`+ goto bad;`
			`strlcpy(oper, *argv++, sizeof(oper));`
			`+`
			`if ((what = strchr(oper, '=')) == NULL)`
			`goto bad;`
			`*what++ = '\0';`
			`@@ -2288,6 +2291,9 @@ get_authid(struct state cur, const char value,`
			`return get_uint(cur, value, type);`
			`}`

			`+ if (strlen(value) >= sizeof(temp))`
			`+ return 1;`
			`+`
			`n = strcspn(value, "0123456789x");`
			`strlcpy(temp, value, (sizeof(temp) > n) ? n + 1 : sizeof(temp));`