rpms/pcsc-lite
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Patch for CVE-2010-0407

Browse Source
This commit is contained in:
Kalev Lember 2010-06-15 19:08:04 +00:00
parent 9a2819c132
commit f35b70ce90
2 changed files with 115 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

109
pcsc-lite-CVE-2010-0407.patch Normal file
View File

@ -0,0 +1,109 @@
diff -ru pcsc-lite-1.4.102.orig//src/winscard_svc.c pcsc-lite-1.4.102/src/winscard_svc.c
--- pcsc-lite-1.4.102.orig//src/winscard_svc.c 2008-06-27 05:31:39.000000000 +0200
+++ pcsc-lite-1.4.102/src/winscard_svc.c 2010-05-26 15:04:04.000000000 +0200
@@ -385,6 +385,14 @@
dwProtocol = stStr->pdwProtocol;
cbAtrLen = stStr->pcbAtrLen;
+ /* avoids buffer overflow */
+ if ((cchReaderLen > sizeof(stStr->mszReaderNames))
+ || (cbAtrLen > sizeof(stStr->pbAtr)))
+ {
+ stStr->rv = SCARD_E_INSUFFICIENT_BUFFER ;
+ break;
+ }
+
stStr->rv = SCardStatus(stStr->hCard, stStr->mszReaderNames,
&cchReaderLen, &dwState,
&dwProtocol, stStr->pbAtr, &cbAtrLen);
@@ -400,6 +408,14 @@
rv = MSGCheckHandleAssociation(trStr->hCard, dwContextIndex);
if (rv != 0) return rv;
+ /* avoids buffer overflow */
+ if ((trStr->pcbRecvLength > sizeof(trStr->pbRecvBuffer))
+ || (trStr->cbSendLength > sizeof(trStr->pbSendBuffer)))
+ {
+ trStr->rv = SCARD_E_INSUFFICIENT_BUFFER ;
+ break;
+ }
+
ioSendPci.dwProtocol = trStr->pioSendPciProtocol;
ioSendPci.cbPciLength = trStr->pioSendPciLength;
ioRecvPci.dwProtocol = trStr->pioRecvPciProtocol;
@@ -424,6 +440,14 @@
rv = MSGCheckHandleAssociation(ctStr->hCard, dwContextIndex);
if (rv != 0) return rv;
+ /* avoids buffer overflow */
+ if ((ctStr->cbRecvLength > sizeof(ctStr->cbRecvLength))
+ || (ctStr->cbSendLength > sizeof(ctStr->pbSendBuffer)))
+ {
+ ctStr->rv = SCARD_E_INSUFFICIENT_BUFFER;
+ break;
+ }
+
dwBytesReturned = ctStr->dwBytesReturned;
ctStr->rv = SCardControl(ctStr->hCard, ctStr->dwControlCode,
@@ -440,6 +464,13 @@
rv = MSGCheckHandleAssociation(gsStr->hCard, dwContextIndex);
if (rv != 0) return rv;
+ /* avoids buffer overflow */
+ if (gsStr->cbAttrLen > sizeof(gsStr->pbAttr))
+ {
+ gsStr->rv = SCARD_E_INSUFFICIENT_BUFFER ;
+ break;
+ }
+
cbAttrLen = gsStr->cbAttrLen;
gsStr->rv = SCardGetAttrib(gsStr->hCard, gsStr->dwAttrId,
@@ -453,6 +484,14 @@
gsStr = ((getset_struct *) msgStruct->data);
rv = MSGCheckHandleAssociation(gsStr->hCard, dwContextIndex);
if (rv != 0) return rv;
+
+ /* avoids buffer overflow */
+ if (gsStr->cbAttrLen <= sizeof(gsStr->pbAttr))
+ {
+ gsStr->rv = SCARD_E_INSUFFICIENT_BUFFER ;
+ break;
+ }
+
gsStr->rv = SCardSetAttrib(gsStr->hCard, gsStr->dwAttrId,
gsStr->pbAttr, gsStr->cbAttrLen);
break;
@@ -467,6 +506,15 @@
rv = MSGCheckHandleAssociation(treStr->hCard, dwContextIndex);
if (rv != 0) return rv;
+ /* avoids buffer overflow */
+ if ((treStr->size > sizeof(pbSendBuffer))
+ || (treStr->cbSendLength > sizeof(pbSendBuffer))
+ || (treStr->pcbRecvLength > sizeof(pbRecvBuffer)))
+ {
+ treStr->rv = SCARD_E_INSUFFICIENT_BUFFER;
+ break;
+ }
+
/* on more block to read? */
if (treStr->size > PCSCLITE_MAX_MESSAGE_SIZE)
{
@@ -548,6 +596,15 @@
rv = MSGCheckHandleAssociation(cteStr->hCard, dwContextIndex);
if (rv != 0) return rv;
+ /* avoids buffer overflow */
+ if ((cteStr->size > sizeof(pbSendBuffer))
+ || (cteStr->cbSendLength > sizeof(pbSendBuffer))
+ || (cteStr->cbRecvLength > sizeof(pbRecvBuffer)))
+ {
+ cteStr->rv = SCARD_E_INSUFFICIENT_BUFFER;
+ break;
+ }
+
/* on more block to read? */
if (cteStr->size > PCSCLITE_MAX_MESSAGE_SIZE)
{

7
pcsc-lite.spec
View File

@ -1,6 +1,6 @@
Name: pcsc-lite Name: pcsc-lite
Version: 1.5.2 Version: 1.5.2
Release: 2%{?dist} Release: 3%{?dist}
Summary: PC/SC Lite smart card framework and applications Summary: PC/SC Lite smart card framework and applications
%define upstream_build 2795 %define upstream_build 2795
@ -12,6 +12,7 @@ Patch0: %{name}-1.4-docinst.patch
Patch1: %{name}-1.4.100-rpath64.patch Patch1: %{name}-1.4.100-rpath64.patch
Patch2: %{name}-close_on_exec.patch Patch2: %{name}-close_on_exec.patch
Patch3: %{name}-1.5-permissions.patch Patch3: %{name}-1.5-permissions.patch
Patch4: %{name}-CVE-2010-0407.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -66,6 +67,7 @@ Group: Documentation
%patch1 -p1 -b .rpath64 %patch1 -p1 -b .rpath64
%patch2 -p1 -b .close_on_exec %patch2 -p1 -b .close_on_exec
%patch3 -p0 -b .permissions %patch3 -p0 -b .permissions
%patch4 -p1 -b .CVE-2010-0407
%build %build
%configure \ %configure \
@ -152,6 +154,9 @@ fi
%changelog %changelog
* Tue Jun 15 2010 Kalev Lember <kalev@smartlink.ee> - 1.5.2-3
- Patch for CVE-2010-0407
* Wed Jun 17 2009 Bob Relyea <rrelyea@redhat.com> - 1.5.2-2 * Wed Jun 17 2009 Bob Relyea <rrelyea@redhat.com> - 1.5.2-2
- Pick up security fixes from upstream - Pick up security fixes from upstream