From 0158a5870b2ac0819f83423ae15c72c6e697d824 Mon Sep 17 00:00:00 2001
From: Kalev Lember
Date: Tue, 15 Jun 2010 19:08:04 +0000
Subject: [PATCH] Patch for CVE-2010-0407

---
 pcsc-lite-CVE-2010-0407.patch | 109 ++++++++++++++++++++++++++++++++++
 pcsc-lite.spec | 7 ++-
 2 files changed, 115 insertions(+), 1 deletion(-)
 create mode 100644 pcsc-lite-CVE-2010-0407.patch

diff --git a/pcsc-lite-CVE-2010-0407.patch b/pcsc-lite-CVE-2010-0407.patch
new file mode 100644
index 0000000..3ff7e45
--- /dev/null
+++ b/pcsc-lite-CVE-2010-0407.patch
@@ -0,0 +1,109 @@
+diff -ru pcsc-lite-1.4.102.orig//src/winscard_svc.c pcsc-lite-1.4.102/src/winscard_svc.c
+--- pcsc-lite-1.4.102.orig//src/winscard_svc.c 2008-06-27 05:31:39.000000000 +0200
++++ pcsc-lite-1.4.102/src/winscard_svc.c 2010-05-26 15:04:04.000000000 +0200
+@@ -385,6 +385,14 @@
+ dwProtocol = stStr->pdwProtocol;
+ cbAtrLen = stStr->pcbAtrLen;
+
++ /* avoids buffer overflow */
++ if ((cchReaderLen > sizeof(stStr->mszReaderNames))
++ || (cbAtrLen > sizeof(stStr->pbAtr)))
++ {
++ stStr->rv = SCARD_E_INSUFFICIENT_BUFFER ;
++ break;
++ }
++
+ stStr->rv = SCardStatus(stStr->hCard, stStr->mszReaderNames,
+ &cchReaderLen, &dwState,
+ &dwProtocol, stStr->pbAtr, &cbAtrLen);
+@@ -400,6 +408,14 @@
+ rv = MSGCheckHandleAssociation(trStr->hCard, dwContextIndex);
+ if (rv != 0) return rv;
+
++ /* avoids buffer overflow */
++ if ((trStr->pcbRecvLength > sizeof(trStr->pbRecvBuffer))
++ || (trStr->cbSendLength > sizeof(trStr->pbSendBuffer)))
++ {
++ trStr->rv = SCARD_E_INSUFFICIENT_BUFFER ;
++ break;
++ }
++
+ ioSendPci.dwProtocol = trStr->pioSendPciProtocol;
+ ioSendPci.cbPciLength = trStr->pioSendPciLength;
+ ioRecvPci.dwProtocol = trStr->pioRecvPciProtocol;
+@@ -424,6 +440,14 @@
+ rv = MSGCheckHandleAssociation(ctStr->hCard, dwContextIndex);
+ if (rv != 0) return rv;
+
++ /* avoids buffer overflow */
++ if ((ctStr->cbRecvLength > sizeof(ctStr->cbRecvLength))
++ || (ctStr->cbSendLength > sizeof(ctStr->pbSendBuffer)))
++ {
++ ctStr->rv = SCARD_E_INSUFFICIENT_BUFFER;
++ break;
++ }
++
+ dwBytesReturned = ctStr->dwBytesReturned;
+
+ ctStr->rv = SCardControl(ctStr->hCard, ctStr->dwControlCode,
+@@ -440,6 +464,13 @@
+ rv = MSGCheckHandleAssociation(gsStr->hCard, dwContextIndex);
+ if (rv != 0) return rv;
+
++ /* avoids buffer overflow */
++ if (gsStr->cbAttrLen > sizeof(gsStr->pbAttr))
++ {
++ gsStr->rv = SCARD_E_INSUFFICIENT_BUFFER ;
++ break;
++ }
++
+ cbAttrLen = gsStr->cbAttrLen;
+
+ gsStr->rv = SCardGetAttrib(gsStr->hCard, gsStr->dwAttrId,
+@@ -453,6 +484,14 @@
+ gsStr = ((getset_struct *) msgStruct->data);
+ rv = MSGCheckHandleAssociation(gsStr->hCard, dwContextIndex);
+ if (rv != 0) return rv;
++
++ /* avoids buffer overflow */
++ if (gsStr->cbAttrLen <= sizeof(gsStr->pbAttr))
++ {
++ gsStr->rv = SCARD_E_INSUFFICIENT_BUFFER ;
++ break;
++ }
++
+ gsStr->rv = SCardSetAttrib(gsStr->hCard, gsStr->dwAttrId,
+ gsStr->pbAttr, gsStr->cbAttrLen);
+ break;
+@@ -467,6 +506,15 @@
+ rv = MSGCheckHandleAssociation(treStr->hCard, dwContextIndex);
+ if (rv != 0) return rv;
+
++ /* avoids buffer overflow */
++ if ((treStr->size > sizeof(pbSendBuffer))
++ || (treStr->cbSendLength > sizeof(pbSendBuffer))
++ || (treStr->pcbRecvLength > sizeof(pbRecvBuffer)))
++ {
++ treStr->rv = SCARD_E_INSUFFICIENT_BUFFER;
++ break;
++ }
++
+ /* on more block to read? */
+ if (treStr->size > PCSCLITE_MAX_MESSAGE_SIZE)
+ {
+@@ -548,6 +596,15 @@
+ rv = MSGCheckHandleAssociation(cteStr->hCard, dwContextIndex);
+ if (rv != 0) return rv;
+
++ /* avoids buffer overflow */
++ if ((cteStr->size > sizeof(pbSendBuffer))
++ || (cteStr->cbSendLength > sizeof(pbSendBuffer))
++ || (cteStr->cbRecvLength > sizeof(pbRecvBuffer)))
++ {
++ cteStr->rv = SCARD_E_INSUFFICIENT_BUFFER;
++ break;
++ }
++
+ /* on more block to read? */
+ if (cteStr->size > PCSCLITE_MAX_MESSAGE_SIZE)
+ {
diff --git a/pcsc-lite.spec b/pcsc-lite.spec
index d48eb20..ce297e3 100644
--- a/pcsc-lite.spec
+++ b/pcsc-lite.spec
@@ -1,6 +1,6 @@
 Name: pcsc-lite
 Version: 1.5.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: PC/SC Lite smart card framework and applications
 %define upstream_build 2795
@@ -12,6 +12,7 @@ Patch0: %{name}-1.4-docinst.patch
 Patch1: %{name}-1.4.100-rpath64.patch
 Patch2: %{name}-close_on_exec.patch
 Patch3: %{name}-1.5-permissions.patch
+Patch4: %{name}-CVE-2010-0407.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
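Review bot: The new SCardSetAttrib guard in the added patch file (inner hunk `@@ -453,6 +484,14 @@`) is inverted: `if (gsStr->cbAttrLen <= sizeof(gsStr->pbAttr))` returns SCARD_E_INSUFFICIENT_BUFFER for every in-range length and lets an oversized cbAttrLen fall through to SCardSetAttrib, so this one check neither closes the overflow it targets nor keeps SetAttrib working; it should read `if (gsStr->cbAttrLen > sizeof(gsStr->pbAttr))`, matching the SCardGetAttrib guard directly above it. The SCardControl guard (inner hunk `@@ -424,6 +440,14 @@`) has a related slip: `ctStr->cbRecvLength > sizeof(ctStr->cbRecvLength)` compares the requested receive length against the size of the length field itself rather than the receive buffer, which rejects any control response longer than a few bytes; the intended operand is presumably the receive-buffer member, analogous to `trStr->pbRecvBuffer` in the Transmit guard, so confirm the field name in control_struct and use its sizeof there. The switch cases these checks sit in begin and end outside the inner hunks, so the surrounding `break` targets cannot be verified from here. Since this file is shipped as the CVE-2010-0407 fix, the two lines are worth diffing against the upstream commit before the build goes out.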
@@ -66,6 +67,7 @@ Group: Documentation
 %patch1 -p1 -b .rpath64
 %patch2 -p1 -b .close_on_exec
 %patch3 -p0 -b .permissions
+%patch4 -p1 -b .CVE-2010-0407
 %build
 %configure \
@@ -152,6 +154,9 @@ fi
 %changelog
+* Tue Jun 15 2010 Kalev Lember - 1.5.2-3
+- Patch for CVE-2010-0407
+
 * Wed Jun 17 2009 Bob Relyea - 1.5.2-2
 - Pick up security fixes from upstream