sources/meta-openembedded/meta-oe/recipes-support/opensc/files/CVE-2024-8443-0002.patch

From 02e847458369c08421fd2d5e9a16a5f272c2de9e Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 15 Aug 2024 11:13:47 +0200
Subject: [PATCH] openpgp: Avoid buffer overflow when writing fingerprint

Fix also surrounding code to return error (not just log it)
when some step fails.

Thanks oss-fuzz

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=70933

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

CVE: CVE-2024-8443
Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/02e847458369c08421fd2d5e9a16a5f272c2de9e]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
---
 src/libopensc/card-openpgp.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
index f99ec0db9..3957440de 100644
--- a/src/libopensc/card-openpgp.c
+++ b/src/libopensc/card-openpgp.c
@@ -2756,14 +2756,21 @@ pgp_calculate_and_store_fingerprint(sc_card_t *card, time_t ctime,
 	/* update the blob containing fingerprints (00C5) */
 	sc_log(card->ctx, "Updating fingerprint blob 00C5.");
 	fpseq_blob = pgp_find_blob(card, 0x00C5);
-	if (fpseq_blob == NULL)
-		LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY, "Cannot find blob 00C5");
+	if (fpseq_blob == NULL) {
+		r = SC_ERROR_OUT_OF_MEMORY;
+		LOG_TEST_GOTO_ERR(card->ctx, r, "Cannot find blob 00C5");
+	}
+	if (20 * key_info->key_id > fpseq_blob->len) {
+		r = SC_ERROR_OBJECT_NOT_VALID;
+		LOG_TEST_GOTO_ERR(card->ctx, r, "The 00C5 blob is not large enough");
+	}
 
 	/* save the fingerprints sequence */
 	newdata = malloc(fpseq_blob->len);
-	if (newdata == NULL)
-		LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY,
-			"Not enough memory to update fingerprint blob 00C5");
+	if (newdata == NULL) {
+		r = SC_ERROR_OUT_OF_MEMORY;
+		LOG_TEST_GOTO_ERR(card->ctx, r, "Not enough memory to update fingerprint blob 00C5");
+	}
 
 	memcpy(newdata, fpseq_blob->data, fpseq_blob->len);
 	/* move p to the portion holding the fingerprint of the current key */
--
2.34.1
Complete Yocto mirror with license table for TQMa6UL (2038-compliance) - 264 license table entries with exact download URLs (224/264 resolved) - Complete sources/ directory with all BitBake recipes - Build configuration: tqma6ul-multi-mba6ulx, spaetzle (musl) - Full traceability for Softwarefreigabeantrag - GCC 13.4.0, Linux 6.6.102, U-Boot 2023.04, musl 1.2.4 - License distribution: GPL-2.0 (24), MIT (23), GPL-2.0+ (18), BSD-3 (16) 2026-03-01 20:58:18 +00:00			`From 02e847458369c08421fd2d5e9a16a5f272c2de9e Mon Sep 17 00:00:00 2001`
			`From: Jakub Jelen <jjelen@redhat.com>`
			`Date: Thu, 15 Aug 2024 11:13:47 +0200`
			`Subject: [PATCH] openpgp: Avoid buffer overflow when writing fingerprint`

			`Fix also surrounding code to return error (not just log it)`
			`when some step fails.`

			`Thanks oss-fuzz`

			`https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=70933`

			`Signed-off-by: Jakub Jelen <jjelen@redhat.com>`

			`CVE: CVE-2024-8443`
			`Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/02e847458369c08421fd2d5e9a16a5f272c2de9e]`

			`Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>`
			`---`
			`src/libopensc/card-openpgp.c \| 17 ++++++++++++-----`
			`1 file changed, 12 insertions(+), 5 deletions(-)`

			`diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c`
			`index f99ec0db9..3957440de 100644`
			`--- a/src/libopensc/card-openpgp.c`
			`+++ b/src/libopensc/card-openpgp.c`
			`@@ -2756,14 +2756,21 @@ pgp_calculate_and_store_fingerprint(sc_card_t *card, time_t ctime,`
			`/* update the blob containing fingerprints (00C5) */`
			`sc_log(card->ctx, "Updating fingerprint blob 00C5.");`
			`fpseq_blob = pgp_find_blob(card, 0x00C5);`
			`- if (fpseq_blob == NULL)`
			`- LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY, "Cannot find blob 00C5");`
			`+ if (fpseq_blob == NULL) {`
			`+ r = SC_ERROR_OUT_OF_MEMORY;`
			`+ LOG_TEST_GOTO_ERR(card->ctx, r, "Cannot find blob 00C5");`
			`+ }`
			`+ if (20 * key_info->key_id > fpseq_blob->len) {`
			`+ r = SC_ERROR_OBJECT_NOT_VALID;`
			`+ LOG_TEST_GOTO_ERR(card->ctx, r, "The 00C5 blob is not large enough");`
			`+ }`

			`/* save the fingerprints sequence */`
			`newdata = malloc(fpseq_blob->len);`
			`- if (newdata == NULL)`
			`- LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY,`
			`- "Not enough memory to update fingerprint blob 00C5");`
			`+ if (newdata == NULL) {`
			`+ r = SC_ERROR_OUT_OF_MEMORY;`
			`+ LOG_TEST_GOTO_ERR(card->ctx, r, "Not enough memory to update fingerprint blob 00C5");`
			`+ }`

			`memcpy(newdata, fpseq_blob->data, fpseq_blob->len);`
			`/* move p to the portion holding the fingerprint of the current key */`
			`--`
			`2.34.1`