[{"id":3680243,"web_url":"http://patchwork.ozlabs.org/comment/3680243/","msgid":"","list_archive_url":null,"date":"2026-04-22T07:00:12","subject":"Re: [Buildroot] [PATCH 1/2] package/opensc: security bump version\n to 0.27.1","submitter":{"id":85775,"url":"http://patchwork.ozlabs.org/api/people/85775/","name":"Alexis Lothoré","email":"alexis.lothore@bootlin.com"},"content":"On Tue Apr 21, 2026 at 8:48 PM CEST, Bernd Kuhls wrote:\n> https://github.com/OpenSC/OpenSC/blob/0.27.1/NEWS\n>\n> Switched to sha256 tarball hash provided by upstream.\n>\n> Removed patch which is included in this release.\n>\n> Fixes the following CVEs:\n> * CVE-2025-13763: Several uses of potentially uninitialized memory\n> detected by fuzzers\n> * CVE-2025-49010: Possible write beyond buffer bounds during processing\n> of GET RESPONSE APDU\n> * CVE-2025-66215: Possible write beyond buffer bounds in oberthur driver\n> * CVE-2025-66038: Possible read beyond buffer bounds when parsing\n> historical bytes in PIV driver\n> * CVE-2025-66037: Possible buffer overrun while parsing SPKI\n>\n> Signed-off-by: Bernd Kuhls \n\nI suspect the CC on my address to be a mistake, as my name can be found\nfor the openscAP package.\n\nLGTM though ;)\n\nThanks,\n\nAlexis","headers":{"Return-Path":"","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=Nlzcapp+;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0qqX5QNMz1yD5\n\tfor ;\n Wed, 22 Apr 2026 17:00:24 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 2BA4F60A55;\n\tWed, 22 Apr 2026 07:00:22 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id pYaJmjWO60gx; Wed, 22 Apr 2026 07:00:19 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id BB6EA60729;\n\tWed, 22 Apr 2026 07:00:19 +0000 (UTC)","from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])\n by lists1.osuosl.org (Postfix) with ESMTP id 3C2F224D\n for ; Wed, 22 Apr 2026 07:00:18 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id 3648B40224\n for ; Wed, 22 Apr 2026 07:00:18 +0000 (UTC)","from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id Z3ivGLG_FMpx for ;\n Wed, 22 Apr 2026 07:00:17 +0000 (UTC)","from smtpout-02.galae.net (smtpout-02.galae.net [185.246.84.56])\n by smtp2.osuosl.org (Postfix) with ESMTPS id 5144E4007C\n for ; Wed, 22 Apr 2026 07:00:16 +0000 (UTC)","from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233])\n by smtpout-02.galae.net (Postfix) with ESMTPS id 441BB1A339F;\n Wed, 22 Apr 2026 07:00:14 +0000 (UTC)","from mail.galae.net (mail.galae.net [212.83.136.155])\n by smtpout-01.galae.net (Postfix) with ESMTPS id 0B3A5600DD;\n Wed, 22 Apr 2026 07:00:14 +0000 (UTC)","from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon)\n with ESMTPSA id 30FE910460B43;\n Wed, 22 Apr 2026 09:00:12 +0200 (CEST)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver= ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp3.osuosl.org BB6EA60729","OpenDKIM Filter v2.11.0 smtp2.osuosl.org 5144E4007C"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1776841219;\n\tbh=prxJU8+fyMF09Y1n72ByMRjH20OOXAvImD97e/f33bI=;\n\th=Date:Cc:To:References:In-Reply-To:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From:Reply-To:From;\n\tb=Nlzcapp+JM7eBlEJCnKBNpCHqPy1LXIm95vIzuK5uU7e5xW6g4cxuSzkqNnW2lfkz\n\t tLdHbFAbLYb6147eGlTKlUfXHwOJkRAVod1L+/WWIAKM4DqWXK10JzchCr0C+ISNPQ\n\t U0ZUcxuFQpxk+uoIpYwicjz3AsBut207kKzKTyqeT7T+q4v2Ed/r1nRLR74rP4gC+u\n\t guWMav1QysPCzt+o/bzWPTnTQlEUUqCVgkaAuUkW/BnTuamOg6JssqsjxjM5w3paZf\n\t raUdOTRz9h9NJB6wdp8I/AtZxKZWhq5H8Y8q7Tdx/Uffi0iarqcuVc7CiXMQPAazmz\n\t 0C47KYrkyhSEg==","Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=185.246.84.56;\n helo=smtpout-02.galae.net; envelope-from=alexis.lothore@bootlin.com;\n receiver=","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp2.osuosl.org 5144E4007C","Mime-Version":"1.0","Date":"Wed, 22 Apr 2026 09:00:12 +0200","Message-Id":"","Cc":"=?utf-8?q?Alexis_Lothor=C3=A9?= ","To":"\"Bernd Kuhls\" , ","X-Mailer":"aerc 0.21.0-0-g5549850facc2","References":"<20260421184831.2576691-1-bernd@kuhls.net>","In-Reply-To":"<20260421184831.2576691-1-bernd@kuhls.net>","X-Last-TLS-Session-Version":"TLSv1.3","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=bootlin.com; s=dkim;\n t=1776841213; h=from:subject:date:message-id:to:cc:mime-version:content-type:\n content-transfer-encoding:in-reply-to:references;\n bh=zN79tVspndX/csc90pSEz3LvBl5djPCZlxXgouVXawM=;\n b=W488CqNMm7oxeM1aEontTOmCQ1FApmHS1Oy4ZssQqMQvzJMMWv4S6d5JgK+ZxyZH55qAzE\n MWS6c5huf2iYeAW+PPdbE+Ks3qJZN/d7uvfK7EmFXRY46EQJ4RLDmFcBkcA1+oCPtfvZ31\n iIFb6iMp+/KT2zbaZW1UQxKhRfGvOt6zrrc6j9zRzg4PTYzkplwltgEdJSttkHCLylk0de\n KJbcp/iCtPaiMd58i8y72y7i+BaPLKzZxsigiZFoacLKPpXT5KxuiSNZ/8oaP61gNlH618\n P3KmfKGRUpyPYkDtRZMuE1l3nBvqtopHeYIx85dwKAI3orV2Qc6w0W+gVstxkw==","X-Mailman-Original-Authentication-Results":["smtp2.osuosl.org;\n dmarc=pass (p=reject dis=none)\n header.from=bootlin.com","smtp2.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=bootlin.com header.i=@bootlin.com header.a=rsa-sha256\n header.s=dkim header.b=W488CqNM"],"Subject":"Re: [Buildroot] [PATCH 1/2] package/opensc: security bump version\n to 0.27.1","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","From":"=?utf-8?q?Alexis_Lothor=C3=A9_via_buildroot?= ","Reply-To":"=?utf-8?q?Alexis_Lothor=C3=A9?= ","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" "}},{"id":3680246,"web_url":"http://patchwork.ozlabs.org/comment/3680246/","msgid":"","list_archive_url":null,"date":"2026-04-22T07:02:24","subject":"Re: [Buildroot] [PATCH 1/2] package/opensc: security bump version\n to 0.27.1","submitter":{"id":85775,"url":"http://patchwork.ozlabs.org/api/people/85775/","name":"Alexis Lothoré","email":"alexis.lothore@bootlin.com"},"content":"On Wed Apr 22, 2026 at 9:00 AM CEST, Alexis Lothoré wrote:\n> On Tue Apr 21, 2026 at 8:48 PM CEST, Bernd Kuhls wrote:\n>> https://github.com/OpenSC/OpenSC/blob/0.27.1/NEWS\n>>\n>> Switched to sha256 tarball hash provided by upstream.\n>>\n>> Removed patch which is included in this release.\n>>\n>> Fixes the following CVEs:\n>> * CVE-2025-13763: Several uses of potentially uninitialized memory\n>> detected by fuzzers\n>> * CVE-2025-49010: Possible write beyond buffer bounds during processing\n>> of GET RESPONSE APDU\n>> * CVE-2025-66215: Possible write beyond buffer bounds in oberthur driver\n>> * CVE-2025-66038: Possible read beyond buffer bounds when parsing\n>> historical bytes in PIV driver\n>> * CVE-2025-66037: Possible buffer overrun while parsing SPKI\n>>\n>> Signed-off-by: Bernd Kuhls \n>\n> I suspect the CC on my address to be a mistake, as my name can be found\n> for the openscAP package.\n\nAh, nevermind, I missed the openscap related patch in the same series\n\n>\n> LGTM though ;)\n>\n> Thanks,\n>\n> Alexis","headers":{"Return-Path":"","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=GWu7sLAv;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0qt23qY5z1yD5\n\tfor ;\n Wed, 22 Apr 2026 17:02:34 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id AA59560A55;\n\tWed, 22 Apr 2026 07:02:32 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id hyV2COqeVLag; Wed, 22 Apr 2026 07:02:32 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id CD58460BAB;\n\tWed, 22 Apr 2026 07:02:31 +0000 (UTC)","from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])\n by lists1.osuosl.org (Postfix) with ESMTP id DD3D724D\n for ; Wed, 22 Apr 2026 07:02:30 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp1.osuosl.org (Postfix) with ESMTP id BF2F8845A1\n for ; Wed, 22 Apr 2026 07:02:28 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id giGRU75cEGrh for ;\n Wed, 22 Apr 2026 07:02:28 +0000 (UTC)","from smtpout-02.galae.net (smtpout-02.galae.net [185.246.84.56])\n by smtp1.osuosl.org (Postfix) with ESMTPS id 8EECA845A3\n for ; Wed, 22 Apr 2026 07:02:27 +0000 (UTC)","from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233])\n by smtpout-02.galae.net (Postfix) with ESMTPS id ED4451A339F\n for ; Wed, 22 Apr 2026 07:02:25 +0000 (UTC)","from mail.galae.net (mail.galae.net [212.83.136.155])\n by smtpout-01.galae.net (Postfix) with ESMTPS id C567F600DD;\n Wed, 22 Apr 2026 07:02:25 +0000 (UTC)","from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon)\n with ESMTPSA id AD44410460B45;\n Wed, 22 Apr 2026 09:02:24 +0200 (CEST)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver= ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp3.osuosl.org CD58460BAB","OpenDKIM Filter v2.11.0 smtp1.osuosl.org 8EECA845A3"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1776841351;\n\tbh=UPmZehYY85m3OMKvCCECgT98o9XVjX58nlGLO0ATZm0=;\n\th=Date:To:References:In-Reply-To:Subject:List-Id:List-Unsubscribe:\n\t List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:\n\t From;\n\tb=GWu7sLAvQqoJOU10XMZ/UDXpk9tgyPnNKHeyJGzrA/av1sLv2WuSPP0qGIgZAx4qi\n\t DBrJ7w1Yl1f/71Am66wfuLPQzAWqqMcGxeNj9238GO222NbLMCjheOWLRORAjAmWVt\n\t L8gg2x+swKNvup3Mexe5K2fCbAduYWVcmFoG/6ew9+RzgJRywL/AO/pntnaRhFPj3N\n\t n68Y2VJr80hqomYrnvEsPcioQ0mErMQFJ7Nx1N7XeYd9UINmVp7yP7EvsXQ+ojhyU3\n\t LZTQ/Cu6kf+ECsHsQUuXwmp7L+wGliNSsg6tJdqpZem6LZXjPZmle/N+kGb3ztJyqa\n\t wLT15LC7PcHBg==","Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=185.246.84.56;\n helo=smtpout-02.galae.net; envelope-from=alexis.lothore@bootlin.com;\n receiver=","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp1.osuosl.org 8EECA845A3","Mime-Version":"1.0","Date":"Wed, 22 Apr 2026 09:02:24 +0200","Message-Id":"","To":"=?utf-8?q?Alexis_Lothor=C3=A9?= ,\n \"Bernd Kuhls\" , ","X-Mailer":"aerc 0.21.0-0-g5549850facc2","References":"<20260421184831.2576691-1-bernd@kuhls.net>\n ","In-Reply-To":"","X-Last-TLS-Session-Version":"TLSv1.3","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=bootlin.com; s=dkim;\n t=1776841345; h=from:subject:date:message-id:to:mime-version:content-type:\n content-transfer-encoding:in-reply-to:references;\n bh=JMsmB5jqH1iOpKrdSd8qtiTDIk4eSoGwW5ioe63DUSM=;\n b=uvbvXCMaEtvSNE8NsGT7UW14AlgNx4DWTxGF5co4y9njPVN8hy7QRuYTtP6je7IXTFTW6K\n P7UiLfZmqTjFilM3PAXz3IyMXJRrM9Yyr2t5A8bqgmvtMAu7ZwZNiXh8U3O8DtvW0TFOKP\n ytzp4ErVMtSq6WxB3/2fQrO8Lj2QoxETY4KWxrS5tXbKPm647GVbkX5Vw0CDjve0LPRqXr\n QcZZFIE/YKAD2SDbb4OWnDdPb7UpZqcj3Q28M9U0iE3NW+0THNXTgwUeup1tXhiSqgfkjC\n nlZt43fuU9h35g+hpyKA6IS/19U2P16MiY4hxfK165uyNRwwmehSdtx2b+Vz3Q==","X-Mailman-Original-Authentication-Results":["smtp1.osuosl.org;\n dmarc=pass (p=reject dis=none)\n header.from=bootlin.com","smtp1.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=bootlin.com header.i=@bootlin.com header.a=rsa-sha256\n header.s=dkim header.b=uvbvXCMa"],"Subject":"Re: [Buildroot] [PATCH 1/2] package/opensc: security bump version\n to 0.27.1","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","From":"=?utf-8?q?Alexis_Lothor=C3=A9_via_buildroot?= ","Reply-To":"=?utf-8?q?Alexis_Lothor=C3=A9?= ","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" "}}]