This patch has come from two upstream commits to fix the CVE, and the debdiff for an NMU is attached. If it's ok with you, I'll go ahead with it in a day or so if the maintainer hasn't already done so.
jmm has confirmed there will be no DSA for it. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
diff -u opensc-0.11.4/debian/changelog opensc-0.11.4/debian/changelog
--- opensc-0.11.4/debian/changelog
+++ opensc-0.11.4/debian/changelog
@@ -1,3 +1,11 @@
+opensc (0.11.4-5+lenny1.1) stable; urgency=high
+
+ * Non-maintainer upload.
+ * CVE-2010-4523: Protect against buffer overflow from rogue cards
+ (closes: #607427)
+
+ -- Jonathan Wiltshire <j...@debian.org> Wed, 22 Dec 2010 15:32:16 +0000
+
 opensc (0.11.4-5+lenny1) stable-security; urgency=critical
 * src/pkcs15init/asepcos.profile, src/pkcs15init/cardos.profile,
only in patch2:
unchanged:
--- opensc-0.11.4.orig/src/libopensc/card-starcos.c
+++ opensc-0.11.4/src/libopensc/card-starcos.c
@@ -1289,8 +1289,8 @@
 if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)
 return SC_ERROR_INTERNAL;
 /* cache serial number */
- memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
- card->serialnr.len = apdu.resplen;
+ memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR));
+ card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR);
 /* copy and return serial number */
 memcpy(serial, &card->serialnr, sizeof(*serial));
 return SC_SUCCESS;
only in patch2:
unchanged:
--- opensc-0.11.4.orig/src/libopensc/muscle.c
+++ opensc-0.11.4/src/libopensc/muscle.c
@@ -28,13 +28,6 @@
 #define MSC_DSA_PUBLIC 0x04
 #define MSC_DSA_PRIVATE 0x05
-#ifndef MAX
-#define MAX(x, y) (((x) > (y)) ? (x) : (y))
-#endif
-#ifndef MIN
-#define MIN(x, y) (((x) < (y)) ? (x) : (y))
-#endif
-
 static msc_id inputId = { { 0xFF, 0xFF, 0xFF, 0xFF } };
 static msc_id outputId = { { 0xFF, 0xFF, 0xFF, 0xFE } };
only in patch2:
unchanged:
--- opensc-0.11.4.orig/src/libopensc/card-acos5.c
+++ opensc-0.11.4/src/libopensc/card-acos5.c
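Review bot: The clamp added in the card-starcos.c hunk silently truncates an over-long response instead of rejecting it, so a card that answers with more than `SC_MAX_SERIALNR` bytes is cached with a serial number it did not actually send. If callers treat the cached serial as an identifier, failing the request is the safer outcome; a guard such as `if (apdu.resplen > SC_MAX_SERIALNR) return SC_ERROR_INTERNAL;` ahead of the `memcpy` would do that and make the two `MIN()` calls unnecessary. The same two-line change appears in the card-acos5.c and card-atrust-acos.c hunks and the point applies there as well. The declaration of `serialnr.value` is not part of this diff, so it is worth confirming that the array is really `SC_MAX_SERIALNR` bytes long; the enclosing functions start and end outside the hunks.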
@@ -140,8 +140,8 @@
 /*
 * Cache serial number.
 */
- memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
- card->serialnr.len = apdu.resplen;
+ memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR));
+ card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR);
 /*
 * Copy and return serial number.
only in patch2:
unchanged:
--- opensc-0.11.4.orig/src/libopensc/internal.h
+++ opensc-0.11.4/src/libopensc/internal.h
@@ -47,6 +47,13 @@
 #define sleep(t) Sleep((t) * 1000)
 #endif
+#ifndef MAX
+#define MAX(x, y) (((x) > (y)) ? (x) : (y))
+#endif
+#ifndef MIN
+#define MIN(x, y) (((x) < (y)) ? (x) : (y))
+#endif
+
 struct sc_atr_table {
 /* The atr fields are required to
 * be in aa:bb:cc hex format. */
only in patch2:
unchanged:
--- opensc-0.11.4.orig/src/libopensc/card-atrust-acos.c
+++ opensc-0.11.4/src/libopensc/card-atrust-acos.c
@@ -833,8 +833,8 @@
 if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)
 return SC_ERROR_INTERNAL;
 /* cache serial number */
- memcpy(card->serialnr.value, apdu.resp, apdu.resplen);
- card->serialnr.len = apdu.resplen;
+ memcpy(card->serialnr.value, apdu.resp, MIN(apdu.resplen, SC_MAX_SERIALNR));
+ card->serialnr.len = MIN(apdu.resplen, SC_MAX_SERIALNR);
 /* copy and return serial number */
 memcpy(serial, &card->serialnr, sizeof(*serial));
 return SC_SUCCESS;
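Review bot: The `MIN`/`MAX` macros added in the internal.h hunk are now the bounds check behind a security fix, yet the header does not say that they expand each argument twice. A one-line comment above the `#ifndef MAX` block, for example `/* MIN/MAX evaluate their arguments twice: pass only side-effect-free expressions */`, would warn later callers. Because of the `#ifndef` guards, a definition pulled in earlier from another header would be used instead of these, so the clamp in the card drivers depends on include order; presumably any such definition is equivalent, but that is worth confirming on the supported platforms. The call sites in this patch pass `apdu.resplen` and a constant, so the double evaluation does not affect them.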