NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/opensc: security bump to version 0.24.0

Browse Source 
- Drop patches (already in version) and so drop autoreconf
- Fix the following security issues:
  - CVE-2023-40660: Fix Potential PIN bypass
  - CVE-2023-40661: Important dynamic analyzers reports
  - CVE-2023-4535: Out-of-bounds read in MyEID driver handling
    encryption using symmetric keys

https://github.com/OpenSC/OpenSC/releases/tag/0.24.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This commit is contained in:
Fabrice Fontaine 2023-12-26 17:11:29 +01:00 committed by Yann E. MORIN
parent 9e5cbbb413
commit 37eb68c9fb
8 changed files with 2 additions and 266 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
package/opensc/0001-fixed-compatibility-with-LibreSSL-3.5.0.patch
View File

@ -1,54 +0,0 @@
From da01e5fab9be9865db1aac203e574e0edbfd6584 Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Wed, 14 Dec 2022 09:31:29 +0100
Subject: [PATCH] fixed compatibility with LibreSSL >= 3.5.0
fixes https://github.com/OpenSC/OpenSC/issues/2664
Upstream: https://github.com/OpenSC/OpenSC/commit/da01e5fab9be9865db1aac203e574e0edbfd6584
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
src/libopensc/card-iasecc.c | 12 +-----------
src/libopensc/sc-ossl-compat.h | 1 +
2 files changed, 2 insertions(+), 11 deletions(-)
diff --git a/src/libopensc/card-iasecc.c b/src/libopensc/card-iasecc.c
index 480c1cf87b..1347ed2393 100644
--- a/src/libopensc/card-iasecc.c
+++ b/src/libopensc/card-iasecc.c
@@ -38,21 +38,11 @@
#include <openssl/pkcs12.h>
#include <openssl/x509v3.h>
-/*
- * OpenSSL-3.0.0 does not allow access to the SHA data
- * so this driver can not produces signatures
- * OpenSSL 1.1.1 uses EVP_MD_CTX_md_data
- * LibreSSL
- */
-
-#if defined(LIBRESSL_VERSION_NUMBER)
-# define EVP_MD_CTX_md_data(x) (x->md_data)
-#endif
-
#include "internal.h"
#include "asn1.h"
#include "cardctl.h"
#include "opensc.h"
+#include "sc-ossl-compat.h"
/* #include "sm.h" */
#include "pkcs15.h"
/* #include "hash-strings.h" */
diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h
index da53ca8cee..8c0f96701c 100644
--- a/src/libopensc/sc-ossl-compat.h
+++ b/src/libopensc/sc-ossl-compat.h
@@ -42,6 +42,7 @@ extern "C" {
#define X509_get_extension_flags(x) (x->ex_flags)
#define X509_get_key_usage(x) (x->ex_kusage)
#define X509_get_extended_key_usage(x) (x->ex_xkusage)
+#define EVP_MD_CTX_md_data(x) (x->md_data)
#endif
#if defined(LIBRESSL_VERSION_NUMBER)

28
package/opensc/0002-fixed-compatibility-with-LibreSSL-3.7.0.patch
View File

@ -1,28 +0,0 @@
From 98ad0f93b0a7673cdce82e1b3faa7dc314c64dd6 Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Fri, 16 Dec 2022 11:56:28 +0100
Subject: [PATCH] fixed compatibility with LibreSSL 3.7.0
Upstream: https://github.com/OpenSC/OpenSC/commit/98ad0f93b0a7673cdce82e1b3faa7dc314c64dd6
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
src/libopensc/sc-ossl-compat.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h
index 8c0f96701c..4425da93f3 100644
--- a/src/libopensc/sc-ossl-compat.h
+++ b/src/libopensc/sc-ossl-compat.h
@@ -54,9 +54,11 @@ extern "C" {
#define EVP_sha3_256() (NULL)
#define EVP_sha3_384() (NULL)
#define EVP_sha3_512() (NULL)
+#if LIBRESSL_VERSION_NUMBER < 0x3070000fL
#define EVP_PKEY_new_raw_public_key(t, e, p, l) (NULL)
#define EVP_PKEY_get_raw_public_key(p, pu, l) (0)
#endif
+#endif
/* OpenSSL 1.1.1 has FIPS_mode function */
#if OPENSSL_VERSION_NUMBER >= 0x30000000L

67
package/opensc/0003-configure-add-option-to-disable-tests.patch
View File

@ -1,67 +0,0 @@
From 3c3ed2ecbf31d41b6e5406da55971b9d9eaa3388 Mon Sep 17 00:00:00 2001
From: Bernd Kuhls <bernd@kuhls.net>
Date: Mon, 24 Jul 2023 22:28:11 +0200
Subject: [PATCH] configure: add option to disable tests
Upstream: https://github.com/OpenSC/OpenSC/pull/2822
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
configure.ac | 9 +++++++++
src/Makefile.am | 6 +++++-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 0a90445b..9b7543da 100644
--- a/configure.ac
+++ b/configure.ac
@@ -272,6 +272,13 @@ AC_ARG_ENABLE(
[enable_doc="no"]
)
+AC_ARG_ENABLE(
+ [tests],
+ [AS_HELP_STRING([--enable-tests],[enable tests @<:@enabled@:>@])],
+ ,
+ [enable_tests="yes"]
+)
+
AC_ARG_ENABLE(
[dnie-ui],
[AS_HELP_STRING([--enable-dnie-ui],[enable use of external user interface program to request DNIe pin@<:@disabled@:>@])],
@@ -1119,6 +1126,7 @@ AM_CONDITIONAL([ENABLE_NOTIFY], [test "${enable_notify}" = "yes"])
AM_CONDITIONAL([ENABLE_CRYPTOTOKENKIT], [test "${enable_cryptotokenkit}" = "yes"])
AM_CONDITIONAL([ENABLE_OPENCT], [test "${enable_openct}" = "yes"])
AM_CONDITIONAL([ENABLE_DOC], [test "${enable_doc}" = "yes"])
+AM_CONDITIONAL([ENABLE_TESTS], [test "${enable_tests}" = "yes"])
AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
AM_CONDITIONAL([CYGWIN], [test "${CYGWIN}" = "yes"])
AM_CONDITIONAL([ENABLE_MINIDRIVER], [test "${enable_minidriver}" = "yes"])
@@ -1213,6 +1221,7 @@ XSL stylesheets: ${xslstylesheetsdir}
man support: ${enable_man}
doc support: ${enable_doc}
+tests: ${enable_tests}
thread locking support: ${enable_thread_locking}
zlib support: ${enable_zlib}
readline support: ${enable_readline}
diff --git a/src/Makefile.am b/src/Makefile.am
index 3ce465bf..bf71b61f 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -3,7 +3,11 @@ EXTRA_DIST = Makefile.mak
# Order IS important
SUBDIRS = common scconf ui pkcs15init sm \
- libopensc pkcs11 tools minidriver tests
+ libopensc pkcs11 tools minidriver
+
+if ENABLE_TESTS
+SUBDIRS += tests
+endif
if ENABLE_SM
SUBDIRS += smm
--
2.39.2

51
package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
View File

@ -1,51 +0,0 @@
From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001
From: fullwaywang <fullwaywang@tencent.com>
Date: Mon, 29 May 2023 10:38:48 +0800
Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer
overrun bug. Fixes #2785
Upstream: https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
index 9715cf390f..f41f73c349 100644
--- a/src/pkcs15init/pkcs15-cardos.c
+++ b/src/pkcs15init/pkcs15-cardos.c
@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
sc_apdu_t apdu;
u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
int r;
- const u8 *p = rbuf, *q;
+ const u8 *p = rbuf, *q, *pp;
size_t len, tlen = 0, ilen = 0;
sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
return 0;
while (len != 0) {
- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
- if (p == NULL)
+ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+ if (pp == NULL)
return 0;
if (card->type == SC_CARD_TYPE_CARDOS_M4_3) {
/* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 */
/* and Package Number 0x07 */
- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
+ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
if (q == NULL || ilen != 4)
return 0;
if (q[0] == 0x07)
@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
} else if (card->type == SC_CARD_TYPE_CARDOS_M4_4) {
/* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03 */
/* and Package Number 0x02 */
- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
+ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
if (q == NULL || ilen != 4)
return 0;
if (q[0] == 0x02)

32
package/opensc/0005-LibreSSL-does-provide-EVP_sha3_-after-3-7-3.patch
View File

@ -1,32 +0,0 @@
From e015242590ad9131e124232cc5a2fd02d525ef2c Mon Sep 17 00:00:00 2001
From: Klemens Nanni <kn@openbsd.org>
Date: Thu, 29 Jun 2023 02:41:43 +0300
Subject: [PATCH] LibreSSL does provide EVP_sha3_*() after 3.7.3
Support was added in 16.04.2023.
Compile- and run-tested on OpenBSD/amd64 7.3-current.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Upstream: https://github.com/OpenSC/OpenSC/commit/e015242590ad9131e124232cc5a2fd02d525ef2c
---
src/libopensc/sc-ossl-compat.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h
index df0cebbce2..8012cd4c0f 100644
--- a/src/libopensc/sc-ossl-compat.h
+++ b/src/libopensc/sc-ossl-compat.h
@@ -50,10 +50,12 @@ extern "C" {
#if LIBRESSL_VERSION_NUMBER < 0x30500000L
#define FIPS_mode() (0)
#endif
+#ifndef EVP_sha3_224
#define EVP_sha3_224() (NULL)
#define EVP_sha3_256() (NULL)
#define EVP_sha3_384() (NULL)
#define EVP_sha3_512() (NULL)
+#endif
#if LIBRESSL_VERSION_NUMBER < 0x3070000fL
#define EVP_PKEY_new_raw_public_key(t, e, p, l) (NULL)
#define EVP_PKEY_get_raw_public_key(p, pu, l) (0)

27
package/opensc/0006-fixed-detection-of-SHA3-compatibility.patch
View File

@ -1,27 +0,0 @@
From 33351d91aa22fa8077847ba3f19abb5a00b04600 Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Tue, 15 Aug 2023 17:58:21 +0200
Subject: [PATCH] fixed detection of SHA3 compatibility
fixes https://github.com/OpenSC/OpenSC/issues/2836
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Upstream: https://github.com/OpenSC/OpenSC/commit/33351d91aa22fa8077847ba3f19abb5a00b04600
---
src/libopensc/sc-ossl-compat.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h
index 8012cd4c0f..96ec4bd736 100644
--- a/src/libopensc/sc-ossl-compat.h
+++ b/src/libopensc/sc-ossl-compat.h
@@ -50,7 +50,8 @@ extern "C" {
#if LIBRESSL_VERSION_NUMBER < 0x30500000L
#define FIPS_mode() (0)
#endif
-#ifndef EVP_sha3_224
+/* OpenSSL 1.1.1 has EVP_sha3_* */
+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x30800000L
#define EVP_sha3_224() (NULL)
#define EVP_sha3_256() (NULL)
#define EVP_sha3_384() (NULL)

2
package/opensc/opensc.hash
View File

@ -1,5 +1,5 @@
# Computed locally from https://https://github.com/OpenSC/OpenSC/releases/ # Computed locally from https://https://github.com/OpenSC/OpenSC/releases/
sha256 a4844a6ea03a522ecf35e49659716dacb6be03f7c010a1a583aaf3eb915ed2e0 opensc-0.23.0.tar.gz sha256 24d03c69287291da32a30c4c38a304ad827f56cb85d83619e1f5403ab6480ef8 opensc-0.24.0.tar.gz
# Computed locally # Computed locally
sha256 376b54d4c5f4aa99421823fa4da93e3ab73096fce2400e89858632aa7da24a14 COPYING sha256 376b54d4c5f4aa99421823fa4da93e3ab73096fce2400e89858632aa7da24a14 COPYING

7
package/opensc/opensc.mk
View File

@ -4,18 +4,13 @@
# #
################################################################################ ################################################################################
OPENSC_VERSION = 0.23.0 OPENSC_VERSION = 0.24.0
OPENSC_SITE = https://github.com/OpenSC/OpenSC/releases/download/$(OPENSC_VERSION) OPENSC_SITE = https://github.com/OpenSC/OpenSC/releases/download/$(OPENSC_VERSION)
OPENSC_LICENSE = LGPL-2.1+ OPENSC_LICENSE = LGPL-2.1+
OPENSC_LICENSE_FILES = COPYING OPENSC_LICENSE_FILES = COPYING
OPENSC_CPE_ID_VENDOR = opensc_project OPENSC_CPE_ID_VENDOR = opensc_project
# 0003-configure-add-option-to-disable-tests.patch
OPENSC_AUTORECONF = YES
OPENSC_DEPENDENCIES = openssl pcsc-lite OPENSC_DEPENDENCIES = openssl pcsc-lite
OPENSC_INSTALL_STAGING = YES OPENSC_INSTALL_STAGING = YES
OPENSC_CONF_OPTS = --disable-cmocka --disable-strict --disable-tests OPENSC_CONF_OPTS = --disable-cmocka --disable-strict --disable-tests
# 0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
OPENSC_IGNORE_CVES += CVE-2023-2977
$(eval $(autotools-package)) $(eval $(autotools-package))