From 0158a5870b2ac0819f83423ae15c72c6e697d824 Mon Sep 17 00:00:00 2001
From: Kalev Lember <kalev@fedoraproject.org>
Date: Tue, 15 Jun 2010 19:08:04 +0000
Subject: [PATCH] Patch for CVE-2010-0407

---
 pcsc-lite-CVE-2010-0407.patch | 109 ++++++++++++++++++++++++++++++++++
 pcsc-lite.spec                |   7 ++-
 2 files changed, 115 insertions(+), 1 deletion(-)
 create mode 100644 pcsc-lite-CVE-2010-0407.patch

diff --git a/pcsc-lite-CVE-2010-0407.patch b/pcsc-lite-CVE-2010-0407.patch
new file mode 100644
index 0000000..3ff7e45
--- /dev/null
+++ b/pcsc-lite-CVE-2010-0407.patch
@@ -0,0 +1,109 @@
+diff -ru pcsc-lite-1.4.102.orig//src/winscard_svc.c pcsc-lite-1.4.102/src/winscard_svc.c
+--- pcsc-lite-1.4.102.orig//src/winscard_svc.c	2008-06-27 05:31:39.000000000 +0200
++++ pcsc-lite-1.4.102/src/winscard_svc.c	2010-05-26 15:04:04.000000000 +0200
+@@ -385,6 +385,14 @@
+ 		dwProtocol = stStr->pdwProtocol;
+ 		cbAtrLen = stStr->pcbAtrLen;
+ 
++		/* avoids buffer overflow */
++		if ((cchReaderLen > sizeof(stStr->mszReaderNames))
++			|| (cbAtrLen > sizeof(stStr->pbAtr)))
++		{
++			stStr->rv = SCARD_E_INSUFFICIENT_BUFFER ;
++			break;
++		}
++
+ 		stStr->rv = SCardStatus(stStr->hCard, stStr->mszReaderNames,
+ 			&cchReaderLen, &dwState,
+ 			&dwProtocol, stStr->pbAtr, &cbAtrLen);
+@@ -400,6 +408,14 @@
+ 		rv = MSGCheckHandleAssociation(trStr->hCard, dwContextIndex);
+ 		if (rv != 0) return rv;
+ 
++		/* avoids buffer overflow */
++		if ((trStr->pcbRecvLength > sizeof(trStr->pbRecvBuffer))
++			|| (trStr->cbSendLength > sizeof(trStr->pbSendBuffer)))
++		{
++			trStr->rv = SCARD_E_INSUFFICIENT_BUFFER ;
++			break;
++		}
++
+ 		ioSendPci.dwProtocol = trStr->pioSendPciProtocol;
+ 		ioSendPci.cbPciLength = trStr->pioSendPciLength;
+ 		ioRecvPci.dwProtocol = trStr->pioRecvPciProtocol;
+@@ -424,6 +440,14 @@
+ 		rv = MSGCheckHandleAssociation(ctStr->hCard, dwContextIndex);
+ 		if (rv != 0) return rv;
+ 
++		/* avoids buffer overflow */
++		if ((ctStr->cbRecvLength > sizeof(ctStr->cbRecvLength))
++			|| (ctStr->cbSendLength > sizeof(ctStr->pbSendBuffer)))
++		{
++			ctStr->rv = SCARD_E_INSUFFICIENT_BUFFER;
++			break;
++		}
++
+ 		dwBytesReturned = ctStr->dwBytesReturned;
+ 
+ 		ctStr->rv = SCardControl(ctStr->hCard, ctStr->dwControlCode,
+@@ -440,6 +464,13 @@
+ 		rv = MSGCheckHandleAssociation(gsStr->hCard, dwContextIndex);
+ 		if (rv != 0) return rv;
+ 
++		/* avoids buffer overflow */
++		if (gsStr->cbAttrLen > sizeof(gsStr->pbAttr))
++		{
++			gsStr->rv = SCARD_E_INSUFFICIENT_BUFFER ;
++			break;
++		}
++
+ 		cbAttrLen = gsStr->cbAttrLen;
+ 
+ 		gsStr->rv = SCardGetAttrib(gsStr->hCard, gsStr->dwAttrId,
+@@ -453,6 +484,14 @@
+ 		gsStr = ((getset_struct *) msgStruct->data);
+ 		rv = MSGCheckHandleAssociation(gsStr->hCard, dwContextIndex);
+ 		if (rv != 0) return rv;
++
++		/* avoids buffer overflow */
++		if (gsStr->cbAttrLen <= sizeof(gsStr->pbAttr))
++		{
++			gsStr->rv = SCARD_E_INSUFFICIENT_BUFFER ;
++			break;
++		}
++
+ 		gsStr->rv = SCardSetAttrib(gsStr->hCard, gsStr->dwAttrId,
+ 			gsStr->pbAttr, gsStr->cbAttrLen);
+ 		break;
+@@ -467,6 +506,15 @@
+ 			rv = MSGCheckHandleAssociation(treStr->hCard, dwContextIndex);
+ 			if (rv != 0) return rv;
+ 
++			/* avoids buffer overflow */
++			if ((treStr->size > sizeof(pbSendBuffer))
++				|| (treStr->cbSendLength > sizeof(pbSendBuffer))
++				|| (treStr->pcbRecvLength > sizeof(pbRecvBuffer)))
++			{
++				treStr->rv = SCARD_E_INSUFFICIENT_BUFFER;
++				break;
++			}
++
+ 			/* on more block to read? */
+ 			if (treStr->size > PCSCLITE_MAX_MESSAGE_SIZE)
+ 			{
+@@ -548,6 +596,15 @@
+ 			rv = MSGCheckHandleAssociation(cteStr->hCard, dwContextIndex);
+ 			if (rv != 0) return rv;
+ 
++			/* avoids buffer overflow */
++			if ((cteStr->size > sizeof(pbSendBuffer))
++				|| (cteStr->cbSendLength > sizeof(pbSendBuffer))
++				|| (cteStr->cbRecvLength > sizeof(pbRecvBuffer)))
++			{
++				cteStr->rv = SCARD_E_INSUFFICIENT_BUFFER;
++				break;
++			}
++
+ 			/* on more block to read? */
+ 			if (cteStr->size > PCSCLITE_MAX_MESSAGE_SIZE)
+ 			{
diff --git a/pcsc-lite.spec b/pcsc-lite.spec
index d48eb20..ce297e3 100644
--- a/pcsc-lite.spec
+++ b/pcsc-lite.spec
@@ -1,6 +1,6 @@
 Name:           pcsc-lite
 Version:        1.5.2
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        PC/SC Lite smart card framework and applications
 %define upstream_build 2795
 
@@ -12,6 +12,7 @@ Patch0:         %{name}-1.4-docinst.patch
 Patch1:         %{name}-1.4.100-rpath64.patch
 Patch2:         %{name}-close_on_exec.patch
 Patch3:         %{name}-1.5-permissions.patch
+Patch4:         %{name}-CVE-2010-0407.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -66,6 +67,7 @@ Group:          Documentation
 %patch1 -p1 -b .rpath64
 %patch2 -p1 -b .close_on_exec
 %patch3 -p0 -b .permissions
+%patch4 -p1 -b .CVE-2010-0407
 
 %build
 %configure \
@@ -152,6 +154,9 @@ fi
 
 
 %changelog
+* Tue Jun 15 2010 Kalev Lember <kalev@smartlink.ee> - 1.5.2-3
+- Patch for CVE-2010-0407
+
 * Wed Jun 17 2009 Bob Relyea <rrelyea@redhat.com> - 1.5.2-2
 - Pick up security fixes from upstream