opensc: fix CVE-2024-45615

CVE-2024-45615: A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. The problem is missing initialization of variables expected to be initialized (as arguments to other functions, etc.). Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-45615] Upstream patches: [5e4f26b510] [7d68a7f442] [bb3dedb71e] [42d718dfcc] [bde991b0fe] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-04-02 02:49:12 +00:00 · 2025-01-15 15:24:23 +08:00 · 2025-01-15 15:24:23 +08:00 · ecdd64cf48
commit ecdd64cf48
parent 394846f988
6 changed files with 213 additions and 0 deletions
--- a/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0001.patch
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0001.patch
@ -0,0 +1,67 @@
+From 5e4f26b510b04624386c54816bf26aacea0fe4a1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Thu, 11 Jul 2024 14:58:25 +0200
+Subject: [PATCH] cac: Fix uninitialized values
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_card/1,fuzz_pkcs11/6
+CVE: CVE-2024-45615
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/5e4f26b510b04624386c54816bf26aacea0fe4a1]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/card-cac.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
+index 1d1b616c8..4c3bc89bd 100644
+--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
+@@ -255,7 +255,7 @@ static int cac_apdu_io(sc_card_t *card, int ins, int p1, int p2,
+ 	size_t * recvbuflen)
+ {
+ 	int r;
+-	sc_apdu_t apdu;
+	sc_apdu_t apdu = {0};
+ 	u8 rbufinitbuf[CAC_MAX_SIZE];
+ 	u8 *rbuf;
+ 	size_t rbuflen;
+@@ -392,13 +392,13 @@ fail:
+ static int cac_read_file(sc_card_t *card, int file_type, u8 **out_buf, size_t *out_len)
+ {
+ 	u8 params[2];
+-	u8 count[2];
+	u8 count[2] = {0};
+ 	u8 *out = NULL;
+-	u8 *out_ptr;
+	u8 *out_ptr = NULL;
+ 	size_t offset = 0;
+ 	size_t size = 0;
+ 	size_t left = 0;
+-	size_t len;
+	size_t len = 0;
+ 	int r;
+ 
+ 	params[0] = file_type;
+@@ -461,7 +461,7 @@ static int cac_read_binary(sc_card_t *card, unsigned int idx,
+ 	const u8 *tl_ptr, *val_ptr, *tl_start;
+ 	u8 *tlv_ptr;
+ 	const u8 *cert_ptr;
+-	size_t tl_len, val_len, tlv_len;
+	size_t tl_len = 0, val_len = 0, tlv_len;
+ 	size_t len, tl_head_len, cert_len;
+ 	u8 cert_type, tag;
+ 
+@@ -1528,7 +1528,7 @@ static int cac_parse_CCC(sc_card_t *card, cac_private_data_t *priv, const u8 *tl
+ static int cac_process_CCC(sc_card_t *card, cac_private_data_t *priv, int depth)
+ {
+ 	u8 *tl = NULL, *val = NULL;
+-	size_t tl_len, val_len;
+	size_t tl_len = 0, val_len = 0;
+ 	int r;
+ 
+ 	if (depth > CAC_MAX_CCC_DEPTH) {
+--
+2.34.1
--- a/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0002.patch
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0002.patch
@ -0,0 +1,36 @@
+From 7d68a7f442e38e16625270a0fdc6942c9e9437e6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Tue, 16 Jul 2024 15:51:51 +0200
+Subject: [PATCH] card-piv: Initialize variables for tag and CLA
+
+In case they are not later initialize later by
+sc_asn1_read_tag() function.
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs11/21
+
+CVE: CVE-2024-45615
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/7d68a7f442e38e16625270a0fdc6942c9e9437e6]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/card-piv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/card-piv.c b/src/libopensc/card-piv.c
+index 6bf740221..0f07b2529 100644
+--- a/src/libopensc/card-piv.c
+++ b/src/libopensc/card-piv.c
+@@ -2241,7 +2241,7 @@ static int piv_get_challenge(sc_card_t *card, u8 *rnd, size_t len)
+ 	const u8 *p;
+ 	size_t out_len = 0;
+ 	int r;
+-	unsigned int tag, cla;
+	unsigned int tag = 0, cla = 0;
+ 	piv_private_data_t * priv = PIV_DATA(card);
+ 
+ 	LOG_FUNC_CALLED(card->ctx);
+--
+2.34.1
--- a/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0003.patch
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0003.patch
@ -0,0 +1,35 @@
+From bb3dedb71e59bd17f96fd4e807250a5cf2253cb7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Fri, 12 Jul 2024 14:35:47 +0200
+Subject: [PATCH] pkcs15-cert.c: Initialize OID length
+
+In case it is not set later.
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs11/7
+
+CVE: CVE-2024-45615
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/bb3dedb71e59bd17f96fd4e807250a5cf2253cb7]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/pkcs15-cert.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/pkcs15-cert.c b/src/libopensc/pkcs15-cert.c
+index 1777a85835..5e2dbb89d0 100644
+--- a/src/libopensc/pkcs15-cert.c
+++ b/src/libopensc/pkcs15-cert.c
+@@ -169,7 +169,7 @@ sc_pkcs15_get_name_from_dn(struct sc_context *ctx, const u8 *dn, size_t dn_len,
+ 	for (next_ava = rdn, next_ava_len = rdn_len; next_ava_len; ) {
+ 		const u8 *ava, *dummy, *oidp;
+ 		struct sc_object_id oid;
+-		size_t ava_len, dummy_len, oid_len;
+		size_t ava_len = 0, dummy_len, oid_len = 0;
+ 
+ 		/* unwrap the set and point to the next ava */
+ 		ava = sc_asn1_skip_tag(ctx, &next_ava, &next_ava_len, SC_ASN1_TAG_SET | SC_ASN1_CONS, &ava_len);
+--
+2.34.1
--- a/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0004.patch
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0004.patch
@ -0,0 +1,36 @@
+From 42d718dfccd2a10f6d26705b8c991815c855fa3b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Tue, 16 Jul 2024 16:32:45 +0200
+Subject: [PATCH] pkcs15-sc-hsm: Initialize variables for tag and CLA
+
+In case they are not later initialize later by
+sc_asn1_read_tag() function.
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15_crypt/12
+
+CVE: CVE-2024-45615
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/42d718dfccd2a10f6d26705b8c991815c855fa3b]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/pkcs15-sc-hsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/pkcs15-sc-hsm.c b/src/libopensc/pkcs15-sc-hsm.c
+index 315cd74482..acdbee7054 100644
+--- a/src/libopensc/pkcs15-sc-hsm.c
+++ b/src/libopensc/pkcs15-sc-hsm.c
+@@ -277,7 +277,7 @@ int sc_pkcs15emu_sc_hsm_decode_cvc(sc_pkcs15_card_t * p15card,
+ 	struct sc_asn1_entry asn1_cvcert[C_ASN1_CVCERT_SIZE];
+ 	struct sc_asn1_entry asn1_cvc_body[C_ASN1_CVC_BODY_SIZE];
+ 	struct sc_asn1_entry asn1_cvc_pubkey[C_ASN1_CVC_PUBKEY_SIZE];
+-	unsigned int cla,tag;
+	unsigned int cla = 0, tag = 0;
+ 	size_t taglen;
+ 	size_t lenchr = sizeof(cvc->chr);
+ 	size_t lencar = sizeof(cvc->car);
+--
+2.34.1
--- a/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0005.patch
+++ b/meta-oe/recipes-support/opensc/files/CVE-2024-45615-0005.patch
@ -0,0 +1,34 @@
+From bde991b0fe4f0250243b0e4960978b1043c13b03 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 20 May 2024 21:31:38 +0200
+Subject: [PATCH] pkcs15init: Avoid using uninitialized memory
+
+Thanks Matteo Marini for report
+
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-h5f7-rjr5-vx54
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+
+CVE: CVE-2024-45615
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/bde991b0fe4f0250243b0e4960978b1043c13b03]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/pkcs15init/profile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pkcs15init/profile.c b/src/pkcs15init/profile.c
+index 74fbdcec1..16c2ddfea 100644
+--- a/src/pkcs15init/profile.c
+++ b/src/pkcs15init/profile.c
+@@ -1807,7 +1807,7 @@ do_pin_storedlength(struct state *cur, int argc, char **argv)
+ static int
+ do_pin_flags(struct state *cur, int argc, char **argv)
+ {
+-	unsigned int	flags;
+	unsigned int	flags = 0;
+ 	int		i, r;
+ 
+ 	if (cur->pin->pin.auth_type != SC_PKCS15_PIN_AUTH_TYPE_PIN)
+--
+2.34.1
--- a/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.22.0.bb
@ -26,6 +26,11 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
           file://CVE-2024-1454.patch \
           file://CVE-2024-8443-0001.patch \
           file://CVE-2024-8443-0002.patch \
+           file://CVE-2024-45615-0001.patch \
+           file://CVE-2024-45615-0002.patch \
+           file://CVE-2024-45615-0003.patch \
+           file://CVE-2024-45615-0004.patch \
+           file://CVE-2024-45615-0005.patch \
          "

 # CVE-2021-34193 is a duplicate CVE covering the 5 individual