Skip to content
Browse files

* Non-maintainer upload.

* CVE-2010-4523: Protect against buffer overflow from rogue cards
  (closes: #607427)
  • Loading branch information...
1 parent ee9039c commit f3d730f8ce74c8e4e459be8b8b22648317569262 @zedinosaur zedinosaur committed Jan 4, 2011
Showing with 94 additions and 0 deletions.
  1. +8 −0 debian/changelog
  2. +46 −0 debian/patches/CVE-2010-4523
  3. +38 −0 debian/patches/min-max-macros
  4. +2 −0 debian/patches/series
View
8 debian/changelog
@@ -1,3 +1,11 @@
+opensc (0.11.13-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2010-4523: Protect against buffer overflow from rogue cards
+ (closes: #607427)
+
+ -- Jonathan Wiltshire <jmw@debian.org> Wed, 22 Dec 2010 14:20:22 +0000
+
opensc (0.11.13-1) unstable; urgency=low
* New upstream release. (Closes: #570107, #505404)
View
46 debian/patches/CVE-2010-4523
@@ -0,0 +1,46 @@
+Description: protect against possible buffer overflows from rogue cards
+ (CVE-2010-4523)
+Origin: https://www.opensc-project.org/opensc/changeset/4913
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607427
+Forwarded: not-needed
+Last-Update: 2010-12-22
+
+--- opensc-0.11.13.orig/src/libopensc/card-acos5.c
++++ opensc-0.11.13/src/libopensc/card-acos5.c
+@@ -140,8 +140,8 @@
+ /*
+ * Cache serial number.
+ */
+- memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
+- card->serialnr.len = apdu.resplen;
++ memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR));
++ card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR);
+
+ /*
+ * Copy and return serial number.
+--- opensc-0.11.13.orig/src/libopensc/card-atrust-acos.c
++++ opensc-0.11.13/src/libopensc/card-atrust-acos.c
+@@ -853,8 +853,8 @@
+ if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)
+ return SC_ERROR_INTERNAL;
+ /* cache serial number */
+- memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
+- card->serialnr.len = apdu.resplen;
++ memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR));
++ card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR);
+ /* copy and return serial number */
+ memcpy(serial, &card->serialnr, sizeof(*serial));
+ return SC_SUCCESS;
+--- opensc-0.11.13.orig/src/libopensc/card-starcos.c
++++ opensc-0.11.13/src/libopensc/card-starcos.c
+@@ -1289,8 +1289,8 @@
+ if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)
+ return SC_ERROR_INTERNAL;
+ /* cache serial number */
+- memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
+- card->serialnr.len = apdu.resplen;
++ memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR));
++ card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR);
+ /* copy and return serial number */
+ memcpy(serial, &card->serialnr, sizeof(*serial));
+ return SC_SUCCESS;
View
38 debian/patches/min-max-macros
@@ -0,0 +1,38 @@
+Description: move MIN/MAX macros from muscle.c to internal.h (needed for
+ patch CVE-2010-4523)
+Origin: https://www.opensc-project.org/opensc/changeset/4912
+Forwarded: not-needed
+Last-Update: 2010-12-22
+
+--- opensc-0.11.13.orig/src/libopensc/internal.h
++++ opensc-0.11.13/src/libopensc/internal.h
+@@ -50,6 +50,13 @@
+ #define sleep(t) Sleep((t) * 1000)
+ #endif
+
++#ifndef MAX
++#define MAX(x, y) (((x) > (y)) ? (x) : (y))
++#endif
++#ifndef MIN
++#define MIN(x, y) (((x) < (y)) ? (x) : (y))
++#endif
++
+ struct sc_atr_table {
+ /* The atr fields are required to
+ * be in aa:bb:cc hex format. */
+--- opensc-0.11.13.orig/src/libopensc/muscle.c
++++ opensc-0.11.13/src/libopensc/muscle.c
+@@ -28,13 +28,6 @@
+ #define MSC_DSA_PUBLIC 0x04
+ #define MSC_DSA_PRIVATE 0x05
+
+-#ifndef MAX
+-#define MAX(x, y) (((x) > (y)) ? (x) : (y))
+-#endif
+-#ifndef MIN
+-#define MIN(x, y) (((x) < (y)) ? (x) : (y))
+-#endif
+-
+ static msc_id inputId = { { 0xFF, 0xFF, 0xFF, 0xFF } };
+ static msc_id outputId = { { 0xFF, 0xFF, 0xFF, 0xFE } };
+
View
2 debian/patches/series
@@ -0,0 +1,2 @@
+min-max-macros
+CVE-2010-4523

0 comments on commit f3d730f

Please sign in to comment.
Something went wrong with that request. Please try again.