[Buildroot] [PATCH 1/1] package/opensc: security bump to version 0.24.0
Fabrice Fontaine
fontaine.fabrice at gmail.com
Tue Dec 26 16:11:29 UTC 2023
- Drop patches (already in version) and so drop autoreconf
- Fix the following security issues:
- CVE-2023-40660: Fix Potential PIN bypass
- CVE-2023-40661: Important dynamic analyzers reports
- CVE-2023-4535: Out-of-bounds read in MyEID driver handling
encryption using symmetric keys
https://github.com/OpenSC/OpenSC/releases/tag/0.24.0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
---
...ed-compatibility-with-LibreSSL-3.5.0.patch | 54 ---------------
...ed-compatibility-with-LibreSSL-3.7.0.patch | 28 --------
...onfigure-add-option-to-disable-tests.patch | 67 -------------------
...alculation-to-fix-buffer-overrun-bug.patch | 51 --------------
...L-does-provide-EVP_sha3_-after-3-7-3.patch | 32 ---------
...ixed-detection-of-SHA3-compatibility.patch | 27 --------
package/opensc/opensc.hash | 2 +-
package/opensc/opensc.mk | 7 +-
8 files changed, 2 insertions(+), 266 deletions(-)
delete mode 100644 package/opensc/0001-fixed-compatibility-with-LibreSSL-3.5.0.patch
delete mode 100644 package/opensc/0002-fixed-compatibility-with-LibreSSL-3.7.0.patch
delete mode 100644 package/opensc/0003-configure-add-option-to-disable-tests.patch
delete mode 100644 package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
delete mode 100644 package/opensc/0005-LibreSSL-does-provide-EVP_sha3_-after-3-7-3.patch
delete mode 100644 package/opensc/0006-fixed-detection-of-SHA3-compatibility.patch
diff --git a/package/opensc/0001-fixed-compatibility-with-LibreSSL-3.5.0.patch b/package/opensc/0001-fixed-compatibility-with-LibreSSL-3.5.0.patch
deleted file mode 100644
index 0daf75d5ba..0000000000
--- a/package/opensc/0001-fixed-compatibility-with-LibreSSL-3.5.0.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From da01e5fab9be9865db1aac203e574e0edbfd6584 Mon Sep 17 00:00:00 2001
-From: Frank Morgner <frankmorgner at gmail.com>
-Date: Wed, 14 Dec 2022 09:31:29 +0100
-Subject: [PATCH] fixed compatibility with LibreSSL >= 3.5.0
-
-fixes https://github.com/OpenSC/OpenSC/issues/2664
-
-Upstream: https://github.com/OpenSC/OpenSC/commit/da01e5fab9be9865db1aac203e574e0edbfd6584
-
-Signed-off-by: Bernd Kuhls <bernd at kuhls.net>
----
- src/libopensc/card-iasecc.c | 12 +-----------
- src/libopensc/sc-ossl-compat.h | 1 +
- 2 files changed, 2 insertions(+), 11 deletions(-)
-
-diff --git a/src/libopensc/card-iasecc.c b/src/libopensc/card-iasecc.c
-index 480c1cf87b..1347ed2393 100644
---- a/src/libopensc/card-iasecc.c
-+++ b/src/libopensc/card-iasecc.c
-@@ -38,21 +38,11 @@
- #include <openssl/pkcs12.h>
- #include <openssl/x509v3.h>
-
--/*
-- * OpenSSL-3.0.0 does not allow access to the SHA data
-- * so this driver can not produces signatures
-- * OpenSSL 1.1.1 uses EVP_MD_CTX_md_data
-- * LibreSSL
-- */
--
--#if defined(LIBRESSL_VERSION_NUMBER)
--# define EVP_MD_CTX_md_data(x) (x->md_data)
--#endif
--
- #include "internal.h"
- #include "asn1.h"
- #include "cardctl.h"
- #include "opensc.h"
-+#include "sc-ossl-compat.h"
- /* #include "sm.h" */
- #include "pkcs15.h"
- /* #include "hash-strings.h" */
-diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h
-index da53ca8cee..8c0f96701c 100644
---- a/src/libopensc/sc-ossl-compat.h
-+++ b/src/libopensc/sc-ossl-compat.h
-@@ -42,6 +42,7 @@ extern "C" {
- #define X509_get_extension_flags(x) (x->ex_flags)
- #define X509_get_key_usage(x) (x->ex_kusage)
- #define X509_get_extended_key_usage(x) (x->ex_xkusage)
-+#define EVP_MD_CTX_md_data(x) (x->md_data)
- #endif
-
- #if defined(LIBRESSL_VERSION_NUMBER)
diff --git a/package/opensc/0002-fixed-compatibility-with-LibreSSL-3.7.0.patch b/package/opensc/0002-fixed-compatibility-with-LibreSSL-3.7.0.patch
deleted file mode 100644
index 6bbbea6ce6..0000000000
--- a/package/opensc/0002-fixed-compatibility-with-LibreSSL-3.7.0.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 98ad0f93b0a7673cdce82e1b3faa7dc314c64dd6 Mon Sep 17 00:00:00 2001
-From: Frank Morgner <frankmorgner at gmail.com>
-Date: Fri, 16 Dec 2022 11:56:28 +0100
-Subject: [PATCH] fixed compatibility with LibreSSL 3.7.0
-
-Upstream: https://github.com/OpenSC/OpenSC/commit/98ad0f93b0a7673cdce82e1b3faa7dc314c64dd6
-
-Signed-off-by: Bernd Kuhls <bernd at kuhls.net>
----
- src/libopensc/sc-ossl-compat.h | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h
-index 8c0f96701c..4425da93f3 100644
---- a/src/libopensc/sc-ossl-compat.h
-+++ b/src/libopensc/sc-ossl-compat.h
-@@ -54,9 +54,11 @@ extern "C" {
- #define EVP_sha3_256() (NULL)
- #define EVP_sha3_384() (NULL)
- #define EVP_sha3_512() (NULL)
-+#if LIBRESSL_VERSION_NUMBER < 0x3070000fL
- #define EVP_PKEY_new_raw_public_key(t, e, p, l) (NULL)
- #define EVP_PKEY_get_raw_public_key(p, pu, l) (0)
- #endif
-+#endif
-
- /* OpenSSL 1.1.1 has FIPS_mode function */
- #if OPENSSL_VERSION_NUMBER >= 0x30000000L
diff --git a/package/opensc/0003-configure-add-option-to-disable-tests.patch b/package/opensc/0003-configure-add-option-to-disable-tests.patch
deleted file mode 100644
index 29342026c1..0000000000
--- a/package/opensc/0003-configure-add-option-to-disable-tests.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 3c3ed2ecbf31d41b6e5406da55971b9d9eaa3388 Mon Sep 17 00:00:00 2001
-From: Bernd Kuhls <bernd at kuhls.net>
-Date: Mon, 24 Jul 2023 22:28:11 +0200
-Subject: [PATCH] configure: add option to disable tests
-
-Upstream: https://github.com/OpenSC/OpenSC/pull/2822
-
-Signed-off-by: Bernd Kuhls <bernd at kuhls.net>
----
- configure.ac | 9 +++++++++
- src/Makefile.am | 6 +++++-
- 2 files changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 0a90445b..9b7543da 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -272,6 +272,13 @@ AC_ARG_ENABLE(
- [enable_doc="no"]
- )
-
-+AC_ARG_ENABLE(
-+ [tests],
-+ [AS_HELP_STRING([--enable-tests],[enable tests @<:@enabled@:>@])],
-+ ,
-+ [enable_tests="yes"]
-+)
-+
- AC_ARG_ENABLE(
- [dnie-ui],
- [AS_HELP_STRING([--enable-dnie-ui],[enable use of external user interface program to request DNIe pin@<:@disabled@:>@])],
-@@ -1119,6 +1126,7 @@ AM_CONDITIONAL([ENABLE_NOTIFY], [test "${enable_notify}" = "yes"])
- AM_CONDITIONAL([ENABLE_CRYPTOTOKENKIT], [test "${enable_cryptotokenkit}" = "yes"])
- AM_CONDITIONAL([ENABLE_OPENCT], [test "${enable_openct}" = "yes"])
- AM_CONDITIONAL([ENABLE_DOC], [test "${enable_doc}" = "yes"])
-+AM_CONDITIONAL([ENABLE_TESTS], [test "${enable_tests}" = "yes"])
- AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
- AM_CONDITIONAL([CYGWIN], [test "${CYGWIN}" = "yes"])
- AM_CONDITIONAL([ENABLE_MINIDRIVER], [test "${enable_minidriver}" = "yes"])
-@@ -1213,6 +1221,7 @@ XSL stylesheets: ${xslstylesheetsdir}
-
- man support: ${enable_man}
- doc support: ${enable_doc}
-+tests: ${enable_tests}
- thread locking support: ${enable_thread_locking}
- zlib support: ${enable_zlib}
- readline support: ${enable_readline}
-diff --git a/src/Makefile.am b/src/Makefile.am
-index 3ce465bf..bf71b61f 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -3,7 +3,11 @@ EXTRA_DIST = Makefile.mak
-
- # Order IS important
- SUBDIRS = common scconf ui pkcs15init sm \
-- libopensc pkcs11 tools minidriver tests
-+ libopensc pkcs11 tools minidriver
-+
-+if ENABLE_TESTS
-+SUBDIRS += tests
-+endif
-
- if ENABLE_SM
- SUBDIRS += smm
---
-2.39.2
-
diff --git a/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch b/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
deleted file mode 100644
index 079f960b59..0000000000
--- a/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001
-From: fullwaywang <fullwaywang at tencent.com>
-Date: Mon, 29 May 2023 10:38:48 +0800
-Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer
- overrun bug. Fixes #2785
-
-Upstream: https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
----
- src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
-index 9715cf390f..f41f73c349 100644
---- a/src/pkcs15init/pkcs15-cardos.c
-+++ b/src/pkcs15init/pkcs15-cardos.c
-@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
- sc_apdu_t apdu;
- u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
- int r;
-- const u8 *p = rbuf, *q;
-+ const u8 *p = rbuf, *q, *pp;
- size_t len, tlen = 0, ilen = 0;
-
- sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
-@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
- return 0;
-
- while (len != 0) {
-- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
-- if (p == NULL)
-+ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
-+ if (pp == NULL)
- return 0;
- if (card->type == SC_CARD_TYPE_CARDOS_M4_3) {
- /* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 */
- /* and Package Number 0x07 */
-- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
-+ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
- if (q == NULL || ilen != 4)
- return 0;
- if (q[0] == 0x07)
-@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
- } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4) {
- /* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03 */
- /* and Package Number 0x02 */
-- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
-+ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
- if (q == NULL || ilen != 4)
- return 0;
- if (q[0] == 0x02)
diff --git a/package/opensc/0005-LibreSSL-does-provide-EVP_sha3_-after-3-7-3.patch b/package/opensc/0005-LibreSSL-does-provide-EVP_sha3_-after-3-7-3.patch
deleted file mode 100644
index 80c19a3f5f..0000000000
--- a/package/opensc/0005-LibreSSL-does-provide-EVP_sha3_-after-3-7-3.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From e015242590ad9131e124232cc5a2fd02d525ef2c Mon Sep 17 00:00:00 2001
-From: Klemens Nanni <kn at openbsd.org>
-Date: Thu, 29 Jun 2023 02:41:43 +0300
-Subject: [PATCH] LibreSSL does provide EVP_sha3_*() after 3.7.3
-
-Support was added in 16.04.2023.
-
-Compile- and run-tested on OpenBSD/amd64 7.3-current.
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
-Upstream: https://github.com/OpenSC/OpenSC/commit/e015242590ad9131e124232cc5a2fd02d525ef2c
----
- src/libopensc/sc-ossl-compat.h | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h
-index df0cebbce2..8012cd4c0f 100644
---- a/src/libopensc/sc-ossl-compat.h
-+++ b/src/libopensc/sc-ossl-compat.h
-@@ -50,10 +50,12 @@ extern "C" {
- #if LIBRESSL_VERSION_NUMBER < 0x30500000L
- #define FIPS_mode() (0)
- #endif
-+#ifndef EVP_sha3_224
- #define EVP_sha3_224() (NULL)
- #define EVP_sha3_256() (NULL)
- #define EVP_sha3_384() (NULL)
- #define EVP_sha3_512() (NULL)
-+#endif
- #if LIBRESSL_VERSION_NUMBER < 0x3070000fL
- #define EVP_PKEY_new_raw_public_key(t, e, p, l) (NULL)
- #define EVP_PKEY_get_raw_public_key(p, pu, l) (0)
diff --git a/package/opensc/0006-fixed-detection-of-SHA3-compatibility.patch b/package/opensc/0006-fixed-detection-of-SHA3-compatibility.patch
deleted file mode 100644
index 3d8aa7e4ef..0000000000
--- a/package/opensc/0006-fixed-detection-of-SHA3-compatibility.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 33351d91aa22fa8077847ba3f19abb5a00b04600 Mon Sep 17 00:00:00 2001
-From: Frank Morgner <frankmorgner at gmail.com>
-Date: Tue, 15 Aug 2023 17:58:21 +0200
-Subject: [PATCH] fixed detection of SHA3 compatibility
-
-fixes https://github.com/OpenSC/OpenSC/issues/2836
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
-Upstream: https://github.com/OpenSC/OpenSC/commit/33351d91aa22fa8077847ba3f19abb5a00b04600
----
- src/libopensc/sc-ossl-compat.h | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h
-index 8012cd4c0f..96ec4bd736 100644
---- a/src/libopensc/sc-ossl-compat.h
-+++ b/src/libopensc/sc-ossl-compat.h
-@@ -50,7 +50,8 @@ extern "C" {
- #if LIBRESSL_VERSION_NUMBER < 0x30500000L
- #define FIPS_mode() (0)
- #endif
--#ifndef EVP_sha3_224
-+/* OpenSSL 1.1.1 has EVP_sha3_* */
-+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x30800000L
- #define EVP_sha3_224() (NULL)
- #define EVP_sha3_256() (NULL)
- #define EVP_sha3_384() (NULL)
diff --git a/package/opensc/opensc.hash b/package/opensc/opensc.hash
index e8e675667e..232222062c 100644
--- a/package/opensc/opensc.hash
+++ b/package/opensc/opensc.hash
@@ -1,5 +1,5 @@
# Computed locally from https://https://github.com/OpenSC/OpenSC/releases/
-sha256 a4844a6ea03a522ecf35e49659716dacb6be03f7c010a1a583aaf3eb915ed2e0 opensc-0.23.0.tar.gz
+sha256 24d03c69287291da32a30c4c38a304ad827f56cb85d83619e1f5403ab6480ef8 opensc-0.24.0.tar.gz
# Computed locally
sha256 376b54d4c5f4aa99421823fa4da93e3ab73096fce2400e89858632aa7da24a14 COPYING
diff --git a/package/opensc/opensc.mk b/package/opensc/opensc.mk
index 823bc50102..49bdcae37a 100644
--- a/package/opensc/opensc.mk
+++ b/package/opensc/opensc.mk
@@ -4,18 +4,13 @@
#
################################################################################
-OPENSC_VERSION = 0.23.0
+OPENSC_VERSION = 0.24.0
OPENSC_SITE = https://github.com/OpenSC/OpenSC/releases/download/$(OPENSC_VERSION)
OPENSC_LICENSE = LGPL-2.1+
OPENSC_LICENSE_FILES = COPYING
OPENSC_CPE_ID_VENDOR = opensc_project
-# 0003-configure-add-option-to-disable-tests.patch
-OPENSC_AUTORECONF = YES
OPENSC_DEPENDENCIES = openssl pcsc-lite
OPENSC_INSTALL_STAGING = YES
OPENSC_CONF_OPTS = --disable-cmocka --disable-strict --disable-tests
-# 0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
-OPENSC_IGNORE_CVES += CVE-2023-2977
-
$(eval $(autotools-package))
--
2.43.0
More information about the buildroot
mailing list