Message ID | 20231226161129.686616-1-fontaine.fabrice@gmail.com |
---|---|
State | Accepted |
Series | [1/1] package/opensc: security bump to version 0.24.0 | expand |
Fabrice, All, On 2023-12-26 17:11 +0100, Fabrice Fontaine spake thusly: > - Drop patches (already in version) and so drop autoreconf > - Fix the following security issues: > - CVE-2023-40660: Fix Potential PIN bypass > - CVE-2023-40661: Important dynamic analyzers reports > - CVE-2023-4535: Out-of-bounds read in MyEID driver handling > encryption using symmetric keys > > https://github.com/OpenSC/OpenSC/releases/tag/0.24.0 > > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Applied to master, thanks. Regards, Yann E. MORIN. > --- > ...ed-compatibility-with-LibreSSL-3.5.0.patch | 54 --------------- > ...ed-compatibility-with-LibreSSL-3.7.0.patch | 28 -------- > ...onfigure-add-option-to-disable-tests.patch | 67 ------------------- > ...alculation-to-fix-buffer-overrun-bug.patch | 51 -------------- > ...L-does-provide-EVP_sha3_-after-3-7-3.patch | 32 --------- > ...ixed-detection-of-SHA3-compatibility.patch | 27 -------- > package/opensc/opensc.hash | 2 +- > package/opensc/opensc.mk | 7 +- > 8 files changed, 2 insertions(+), 266 deletions(-) > delete mode 100644 package/opensc/0001-fixed-compatibility-with-LibreSSL-3.5.0.patch > delete mode 100644 package/opensc/0002-fixed-compatibility-with-LibreSSL-3.7.0.patch > delete mode 100644 package/opensc/0003-configure-add-option-to-disable-tests.patch > delete mode 100644 package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch > delete mode 100644 package/opensc/0005-LibreSSL-does-provide-EVP_sha3_-after-3-7-3.patch > delete mode 100644 package/opensc/0006-fixed-detection-of-SHA3-compatibility.patch > > diff --git a/package/opensc/0001-fixed-compatibility-with-LibreSSL-3.5.0.patch b/package/opensc/0001-fixed-compatibility-with-LibreSSL-3.5.0.patch > deleted file mode 100644 > index 0daf75d5ba..0000000000 > --- a/package/opensc/0001-fixed-compatibility-with-LibreSSL-3.5.0.patch > +++ /dev/null 
> @@ -1,54 +0,0 @@ > -From da01e5fab9be9865db1aac203e574e0edbfd6584 Mon Sep 17 00:00:00 2001 > -From: Frank Morgner <frankmorgner@gmail.com> > -Date: Wed, 14 Dec 2022 09:31:29 +0100 > -Subject: [PATCH] fixed compatibility with LibreSSL >= 3.5.0 > - > -fixes https://github.com/OpenSC/OpenSC/issues/2664 > - > -Upstream: https://github.com/OpenSC/OpenSC/commit/da01e5fab9be9865db1aac203e574e0edbfd6584 > - > -Signed-off-by: Bernd Kuhls <bernd@kuhls.net> > ---- > - src/libopensc/card-iasecc.c | 12 +----------- > - src/libopensc/sc-ossl-compat.h | 1 + > - 2 files changed, 2 insertions(+), 11 deletions(-) > - > -diff --git a/src/libopensc/card-iasecc.c b/src/libopensc/card-iasecc.c > -index 480c1cf87b..1347ed2393 100644 > ---- a/src/libopensc/card-iasecc.c > -+++ b/src/libopensc/card-iasecc.c > -@@ -38,21 +38,11 @@ > - #include <openssl/pkcs12.h> > - #include <openssl/x509v3.h> > - > --/* > -- * OpenSSL-3.0.0 does not allow access to the SHA data > -- * so this driver can not produces signatures > -- * OpenSSL 1.1.1 uses EVP_MD_CTX_md_data > -- * LibreSSL > -- */ > -- > --#if defined(LIBRESSL_VERSION_NUMBER) > --# define EVP_MD_CTX_md_data(x) (x->md_data) > --#endif > -- > - #include "internal.h" > - #include "asn1.h" > - #include "cardctl.h" > - #include "opensc.h" > -+#include "sc-ossl-compat.h" > - /* #include "sm.h" */ > - #include "pkcs15.h" > - /* #include "hash-strings.h" */ > -diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h > -index da53ca8cee..8c0f96701c 100644 > ---- a/src/libopensc/sc-ossl-compat.h > -+++ b/src/libopensc/sc-ossl-compat.h > -@@ -42,6 +42,7 @@ extern "C" { > - #define X509_get_extension_flags(x) (x->ex_flags) > - #define X509_get_key_usage(x) (x->ex_kusage) > - #define X509_get_extended_key_usage(x) (x->ex_xkusage) > -+#define EVP_MD_CTX_md_data(x) (x->md_data) > - #endif > - > - #if defined(LIBRESSL_VERSION_NUMBER) 
> diff --git a/package/opensc/0002-fixed-compatibility-with-LibreSSL-3.7.0.patch b/package/opensc/0002-fixed-compatibility-with-LibreSSL-3.7.0.patch > deleted file mode 100644 > index 6bbbea6ce6..0000000000 > --- a/package/opensc/0002-fixed-compatibility-with-LibreSSL-3.7.0.patch > +++ /dev/null > @@ -1,28 +0,0 @@ > -From 98ad0f93b0a7673cdce82e1b3faa7dc314c64dd6 Mon Sep 17 00:00:00 2001 > -From: Frank Morgner <frankmorgner@gmail.com> > -Date: Fri, 16 Dec 2022 11:56:28 +0100 > -Subject: [PATCH] fixed compatibility with LibreSSL 3.7.0 > - > -Upstream: https://github.com/OpenSC/OpenSC/commit/98ad0f93b0a7673cdce82e1b3faa7dc314c64dd6 > - > -Signed-off-by: Bernd Kuhls <bernd@kuhls.net> > ---- > - src/libopensc/sc-ossl-compat.h | 2 ++ > - 1 file changed, 2 insertions(+) > - > -diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h > -index 8c0f96701c..4425da93f3 100644 > ---- a/src/libopensc/sc-ossl-compat.h > -+++ b/src/libopensc/sc-ossl-compat.h > -@@ -54,9 +54,11 @@ extern "C" { > - #define EVP_sha3_256() (NULL) > - #define EVP_sha3_384() (NULL) > - #define EVP_sha3_512() (NULL) > -+#if LIBRESSL_VERSION_NUMBER < 0x3070000fL > - #define EVP_PKEY_new_raw_public_key(t, e, p, l) (NULL) > - #define EVP_PKEY_get_raw_public_key(p, pu, l) (0) > - #endif > -+#endif > - > - /* OpenSSL 1.1.1 has FIPS_mode function */ > - #if OPENSSL_VERSION_NUMBER >= 0x30000000L > diff --git a/package/opensc/0003-configure-add-option-to-disable-tests.patch b/package/opensc/0003-configure-add-option-to-disable-tests.patch > deleted file mode 100644 > index 29342026c1..0000000000 > --- a/package/opensc/0003-configure-add-option-to-disable-tests.patch > +++ /dev/null 
> @@ -1,67 +0,0 @@ > -From 3c3ed2ecbf31d41b6e5406da55971b9d9eaa3388 Mon Sep 17 00:00:00 2001 > -From: Bernd Kuhls <bernd@kuhls.net> > -Date: Mon, 24 Jul 2023 22:28:11 +0200 > -Subject: [PATCH] configure: add option to disable tests > - > -Upstream: https://github.com/OpenSC/OpenSC/pull/2822 > - > -Signed-off-by: Bernd Kuhls <bernd@kuhls.net> > ---- > - configure.ac | 9 +++++++++ > - src/Makefile.am | 6 +++++- > - 2 files changed, 14 insertions(+), 1 deletion(-) > - > -diff --git a/configure.ac b/configure.ac > -index 0a90445b..9b7543da 100644 > ---- a/configure.ac > -+++ b/configure.ac > -@@ -272,6 +272,13 @@ AC_ARG_ENABLE( > - [enable_doc="no"] > - ) > - > -+AC_ARG_ENABLE( > -+ [tests], > -+ [AS_HELP_STRING([--enable-tests],[enable tests @<:@enabled@:>@])], > -+ , > -+ [enable_tests="yes"] > -+) > -+ > - AC_ARG_ENABLE( > - [dnie-ui], > - [AS_HELP_STRING([--enable-dnie-ui],[enable use of external user interface program to request DNIe pin@<:@disabled@:>@])], > -@@ -1119,6 +1126,7 @@ AM_CONDITIONAL([ENABLE_NOTIFY], [test "${enable_notify}" = "yes"]) > - AM_CONDITIONAL([ENABLE_CRYPTOTOKENKIT], [test "${enable_cryptotokenkit}" = "yes"]) > - AM_CONDITIONAL([ENABLE_OPENCT], [test "${enable_openct}" = "yes"]) > - AM_CONDITIONAL([ENABLE_DOC], [test "${enable_doc}" = "yes"]) > -+AM_CONDITIONAL([ENABLE_TESTS], [test "${enable_tests}" = "yes"]) > - AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"]) > - AM_CONDITIONAL([CYGWIN], [test "${CYGWIN}" = "yes"]) > - AM_CONDITIONAL([ENABLE_MINIDRIVER], [test "${enable_minidriver}" = "yes"]) > -@@ -1213,6 +1221,7 @@ XSL stylesheets: ${xslstylesheetsdir} > - > - man support: ${enable_man} > - doc support: ${enable_doc} > -+tests: ${enable_tests} > - thread locking support: ${enable_thread_locking} > - zlib support: ${enable_zlib} > - readline support: ${enable_readline} > -diff --git a/src/Makefile.am b/src/Makefile.am > -index 3ce465bf..bf71b61f 100644 > ---- a/src/Makefile.am > -+++ b/src/Makefile.am > -@@ -3,7 +3,11 @@ EXTRA_DIST = 
Makefile.mak > - > - # Order IS important > - SUBDIRS = common scconf ui pkcs15init sm \ > -- libopensc pkcs11 tools minidriver tests > -+ libopensc pkcs11 tools minidriver > -+ > -+if ENABLE_TESTS > -+SUBDIRS += tests > -+endif > - > - if ENABLE_SM > - SUBDIRS += smm > --- > -2.39.2 > - > diff --git a/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch b/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch > deleted file mode 100644 > index 079f960b59..0000000000 > --- a/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch > +++ /dev/null 
> @@ -1,51 +0,0 @@ > -From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001 > -From: fullwaywang <fullwaywang@tencent.com> > -Date: Mon, 29 May 2023 10:38:48 +0800 > -Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer > - overrun bug. Fixes #2785 > - > -Upstream: https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a > -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> > ---- > - src/pkcs15init/pkcs15-cardos.c | 10 +++++----- > - 1 file changed, 5 insertions(+), 5 deletions(-) > - > -diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c > -index 9715cf390f..f41f73c349 100644 > ---- a/src/pkcs15init/pkcs15-cardos.c > -+++ b/src/pkcs15init/pkcs15-cardos.c > -@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) > - sc_apdu_t apdu; > - u8 rbuf[SC_MAX_APDU_BUFFER_SIZE]; > - int r; > -- const u8 *p = rbuf, *q; > -+ const u8 *p = rbuf, *q, *pp; > - size_t len, tlen = 0, ilen = 0; > - > - sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88); > -@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card) > - return 0; > - > - while (len != 0) { > -- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); > -- if (p == NULL) > -+ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); > -+ if (pp == NULL) > - return 0; > - if (card->type == SC_CARD_TYPE_CARDOS_M4_3) { > - /* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 */ > - /* and Package Number 0x07 */ > -- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen); > -+ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen); > - if (q == NULL || ilen != 4) > - return 0; > - if (q[0] == 0x07) > -@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) > - } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4) { > - /* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03 */ > - /* and Package Number 0x02 */ > -- q = 
sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen); > -+ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen); > - if (q == NULL || ilen != 4) > - return 0; > - if (q[0] == 0x02) > diff --git a/package/opensc/0005-LibreSSL-does-provide-EVP_sha3_-after-3-7-3.patch b/package/opensc/0005-LibreSSL-does-provide-EVP_sha3_-after-3-7-3.patch > deleted file mode 100644 > index 80c19a3f5f..0000000000 > --- a/package/opensc/0005-LibreSSL-does-provide-EVP_sha3_-after-3-7-3.patch > +++ /dev/null > @@ -1,32 +0,0 @@ > -From e015242590ad9131e124232cc5a2fd02d525ef2c Mon Sep 17 00:00:00 2001 > -From: Klemens Nanni <kn@openbsd.org> > -Date: Thu, 29 Jun 2023 02:41:43 +0300 > -Subject: [PATCH] LibreSSL does provide EVP_sha3_*() after 3.7.3 > - > -Support was added in 16.04.2023. > - > -Compile- and run-tested on OpenBSD/amd64 7.3-current. > - > -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> > -Upstream: https://github.com/OpenSC/OpenSC/commit/e015242590ad9131e124232cc5a2fd02d525ef2c > ---- > - src/libopensc/sc-ossl-compat.h | 2 ++ > - 1 file changed, 2 insertions(+) > - > -diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h > -index df0cebbce2..8012cd4c0f 100644 > ---- a/src/libopensc/sc-ossl-compat.h > -+++ b/src/libopensc/sc-ossl-compat.h > -@@ -50,10 +50,12 @@ extern "C" { > - #if LIBRESSL_VERSION_NUMBER < 0x30500000L > - #define FIPS_mode() (0) > - #endif > -+#ifndef EVP_sha3_224 > - #define EVP_sha3_224() (NULL) > - #define EVP_sha3_256() (NULL) > - #define EVP_sha3_384() (NULL) > - #define EVP_sha3_512() (NULL) > -+#endif > - #if LIBRESSL_VERSION_NUMBER < 0x3070000fL > - #define EVP_PKEY_new_raw_public_key(t, e, p, l) (NULL) > - #define EVP_PKEY_get_raw_public_key(p, pu, l) (0) > diff --git a/package/opensc/0006-fixed-detection-of-SHA3-compatibility.patch b/package/opensc/0006-fixed-detection-of-SHA3-compatibility.patch > deleted file mode 100644 > index 3d8aa7e4ef..0000000000 
> --- a/package/opensc/0006-fixed-detection-of-SHA3-compatibility.patch > +++ /dev/null > @@ -1,27 +0,0 @@ > -From 33351d91aa22fa8077847ba3f19abb5a00b04600 Mon Sep 17 00:00:00 2001 > -From: Frank Morgner <frankmorgner@gmail.com> > -Date: Tue, 15 Aug 2023 17:58:21 +0200 > -Subject: [PATCH] fixed detection of SHA3 compatibility > - > -fixes https://github.com/OpenSC/OpenSC/issues/2836 > - > -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> > -Upstream: https://github.com/OpenSC/OpenSC/commit/33351d91aa22fa8077847ba3f19abb5a00b04600 > ---- > - src/libopensc/sc-ossl-compat.h | 3 ++- > - 1 file changed, 2 insertions(+), 1 deletion(-) > - > -diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h > -index 8012cd4c0f..96ec4bd736 100644 > ---- a/src/libopensc/sc-ossl-compat.h > -+++ b/src/libopensc/sc-ossl-compat.h > -@@ -50,7 +50,8 @@ extern "C" { > - #if LIBRESSL_VERSION_NUMBER < 0x30500000L > - #define FIPS_mode() (0) > - #endif > --#ifndef EVP_sha3_224 > -+/* OpenSSL 1.1.1 has EVP_sha3_* */ > -+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x30800000L > - #define EVP_sha3_224() (NULL) > - #define EVP_sha3_256() (NULL) > - #define EVP_sha3_384() (NULL) > diff --git a/package/opensc/opensc.hash b/package/opensc/opensc.hash > index e8e675667e..232222062c 100644 > --- a/package/opensc/opensc.hash > +++ b/package/opensc/opensc.hash > @@ -1,5 +1,5 @@ > # Computed locally from https://https://github.com/OpenSC/OpenSC/releases/ > -sha256 a4844a6ea03a522ecf35e49659716dacb6be03f7c010a1a583aaf3eb915ed2e0 opensc-0.23.0.tar.gz > +sha256 24d03c69287291da32a30c4c38a304ad827f56cb85d83619e1f5403ab6480ef8 opensc-0.24.0.tar.gz > > # Computed locally > sha256 376b54d4c5f4aa99421823fa4da93e3ab73096fce2400e89858632aa7da24a14 COPYING > diff --git a/package/opensc/opensc.mk b/package/opensc/opensc.mk > index 823bc50102..49bdcae37a 100644 > --- a/package/opensc/opensc.mk > +++ b/package/opensc/opensc.mk 
> @@ -4,18 +4,13 @@ > # > ################################################################################ > > -OPENSC_VERSION = 0.23.0 > +OPENSC_VERSION = 0.24.0 > OPENSC_SITE = https://github.com/OpenSC/OpenSC/releases/download/$(OPENSC_VERSION) > OPENSC_LICENSE = LGPL-2.1+ > OPENSC_LICENSE_FILES = COPYING > OPENSC_CPE_ID_VENDOR = opensc_project > -# 0003-configure-add-option-to-disable-tests.patch > -OPENSC_AUTORECONF = YES > OPENSC_DEPENDENCIES = openssl pcsc-lite > OPENSC_INSTALL_STAGING = YES > OPENSC_CONF_OPTS = --disable-cmocka --disable-strict --disable-tests > > -# 0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch > -OPENSC_IGNORE_CVES += CVE-2023-2977 > - > $(eval $(autotools-package)) > -- > 2.43.0 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes: > - Drop patches (already in version) and so drop autoreconf > - Fix the following security issues: > - CVE-2023-40660: Fix Potential PIN bypass > - CVE-2023-40661: Important dynamic analyzers reports > - CVE-2023-4535: Out-of-bounds read in MyEID driver handling > encryption using symmetric keys > https://github.com/OpenSC/OpenSC/releases/tag/0.24.0 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Committed to 2023.02.x and 2023.11.x, thanks.
diff --git a/package/opensc/0001-fixed-compatibility-with-LibreSSL-3.5.0.patch b/package/opensc/0001-fixed-compatibility-with-LibreSSL-3.5.0.patch deleted file mode 100644 index 0daf75d5ba..0000000000 --- a/package/opensc/0001-fixed-compatibility-with-LibreSSL-3.5.0.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From da01e5fab9be9865db1aac203e574e0edbfd6584 Mon Sep 17 00:00:00 2001 -From: Frank Morgner <frankmorgner@gmail.com> -Date: Wed, 14 Dec 2022 09:31:29 +0100 -Subject: [PATCH] fixed compatibility with LibreSSL >= 3.5.0 - -fixes https://github.com/OpenSC/OpenSC/issues/2664 - -Upstream: https://github.com/OpenSC/OpenSC/commit/da01e5fab9be9865db1aac203e574e0edbfd6584 - -Signed-off-by: Bernd Kuhls <bernd@kuhls.net> ---- - src/libopensc/card-iasecc.c | 12 +----------- - src/libopensc/sc-ossl-compat.h | 1 + - 2 files changed, 2 insertions(+), 11 deletions(-) - -diff --git a/src/libopensc/card-iasecc.c b/src/libopensc/card-iasecc.c -index 480c1cf87b..1347ed2393 100644 ---- a/src/libopensc/card-iasecc.c -+++ b/src/libopensc/card-iasecc.c -@@ -38,21 +38,11 @@ - #include <openssl/pkcs12.h> - #include <openssl/x509v3.h> - --/* -- * OpenSSL-3.0.0 does not allow access to the SHA data -- * so this driver can not produces signatures -- * OpenSSL 1.1.1 uses EVP_MD_CTX_md_data -- * LibreSSL -- */ -- --#if defined(LIBRESSL_VERSION_NUMBER) --# define EVP_MD_CTX_md_data(x) (x->md_data) --#endif -- - #include "internal.h" - #include "asn1.h" - #include "cardctl.h" - #include "opensc.h" -+#include "sc-ossl-compat.h" - /* #include "sm.h" */ - #include "pkcs15.h" - /* #include "hash-strings.h" */ -diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h -index da53ca8cee..8c0f96701c 100644 ---- a/src/libopensc/sc-ossl-compat.h -+++ b/src/libopensc/sc-ossl-compat.h -@@ -42,6 +42,7 @@ extern "C" { - #define X509_get_extension_flags(x) (x->ex_flags) - #define X509_get_key_usage(x) (x->ex_kusage) - #define X509_get_extended_key_usage(x) (x->ex_xkusage) -+#define EVP_MD_CTX_md_data(x) (x->md_data) - #endif - - #if defined(LIBRESSL_VERSION_NUMBER) diff --git a/package/opensc/0002-fixed-compatibility-with-LibreSSL-3.7.0.patch b/package/opensc/0002-fixed-compatibility-with-LibreSSL-3.7.0.patch deleted file mode 100644 index 6bbbea6ce6..0000000000 
--- a/package/opensc/0002-fixed-compatibility-with-LibreSSL-3.7.0.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 98ad0f93b0a7673cdce82e1b3faa7dc314c64dd6 Mon Sep 17 00:00:00 2001 -From: Frank Morgner <frankmorgner@gmail.com> -Date: Fri, 16 Dec 2022 11:56:28 +0100 -Subject: [PATCH] fixed compatibility with LibreSSL 3.7.0 - -Upstream: https://github.com/OpenSC/OpenSC/commit/98ad0f93b0a7673cdce82e1b3faa7dc314c64dd6 - -Signed-off-by: Bernd Kuhls <bernd@kuhls.net> ---- - src/libopensc/sc-ossl-compat.h | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h -index 8c0f96701c..4425da93f3 100644 ---- a/src/libopensc/sc-ossl-compat.h -+++ b/src/libopensc/sc-ossl-compat.h -@@ -54,9 +54,11 @@ extern "C" { - #define EVP_sha3_256() (NULL) - #define EVP_sha3_384() (NULL) - #define EVP_sha3_512() (NULL) -+#if LIBRESSL_VERSION_NUMBER < 0x3070000fL - #define EVP_PKEY_new_raw_public_key(t, e, p, l) (NULL) - #define EVP_PKEY_get_raw_public_key(p, pu, l) (0) - #endif -+#endif - - /* OpenSSL 1.1.1 has FIPS_mode function */ - #if OPENSSL_VERSION_NUMBER >= 0x30000000L diff --git a/package/opensc/0003-configure-add-option-to-disable-tests.patch b/package/opensc/0003-configure-add-option-to-disable-tests.patch deleted file mode 100644 index 29342026c1..0000000000 --- a/package/opensc/0003-configure-add-option-to-disable-tests.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From 3c3ed2ecbf31d41b6e5406da55971b9d9eaa3388 Mon Sep 17 00:00:00 2001 -From: Bernd Kuhls <bernd@kuhls.net> -Date: Mon, 24 Jul 2023 22:28:11 +0200 -Subject: [PATCH] configure: add option to disable tests - -Upstream: https://github.com/OpenSC/OpenSC/pull/2822 - -Signed-off-by: Bernd Kuhls <bernd@kuhls.net> ---- - configure.ac | 9 +++++++++ - src/Makefile.am | 6 +++++- - 2 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index 0a90445b..9b7543da 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -272,6 +272,13 @@ AC_ARG_ENABLE( - [enable_doc="no"] - ) - -+AC_ARG_ENABLE( -+ [tests], -+ [AS_HELP_STRING([--enable-tests],[enable tests @<:@enabled@:>@])], -+ , -+ [enable_tests="yes"] -+) -+ - AC_ARG_ENABLE( - [dnie-ui], - [AS_HELP_STRING([--enable-dnie-ui],[enable use of external user interface program to request DNIe pin@<:@disabled@:>@])], -@@ -1119,6 +1126,7 @@ AM_CONDITIONAL([ENABLE_NOTIFY], [test "${enable_notify}" = "yes"]) - AM_CONDITIONAL([ENABLE_CRYPTOTOKENKIT], [test "${enable_cryptotokenkit}" = "yes"]) - AM_CONDITIONAL([ENABLE_OPENCT], [test "${enable_openct}" = "yes"]) - AM_CONDITIONAL([ENABLE_DOC], [test "${enable_doc}" = "yes"]) -+AM_CONDITIONAL([ENABLE_TESTS], [test "${enable_tests}" = "yes"]) - AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"]) - AM_CONDITIONAL([CYGWIN], [test "${CYGWIN}" = "yes"]) - AM_CONDITIONAL([ENABLE_MINIDRIVER], [test "${enable_minidriver}" = "yes"]) -@@ -1213,6 +1221,7 @@ XSL stylesheets: ${xslstylesheetsdir} - - man support: ${enable_man} - doc support: ${enable_doc} -+tests: ${enable_tests} - thread locking support: ${enable_thread_locking} - zlib support: ${enable_zlib} - readline support: ${enable_readline} -diff --git a/src/Makefile.am b/src/Makefile.am -index 3ce465bf..bf71b61f 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -3,7 +3,11 @@ EXTRA_DIST = Makefile.mak - - # Order IS important - SUBDIRS = common scconf ui pkcs15init sm \ -- libopensc pkcs11 
tools minidriver tests -+ libopensc pkcs11 tools minidriver -+ -+if ENABLE_TESTS -+SUBDIRS += tests -+endif - - if ENABLE_SM - SUBDIRS += smm --- -2.39.2 - diff --git a/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch b/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch deleted file mode 100644 index 079f960b59..0000000000 --- a/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001 -From: fullwaywang <fullwaywang@tencent.com> -Date: Mon, 29 May 2023 10:38:48 +0800 -Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer - overrun bug. Fixes #2785 - -Upstream: https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> ---- - src/pkcs15init/pkcs15-cardos.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c -index 9715cf390f..f41f73c349 100644 ---- a/src/pkcs15init/pkcs15-cardos.c -+++ b/src/pkcs15init/pkcs15-cardos.c -@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) - sc_apdu_t apdu; - u8 rbuf[SC_MAX_APDU_BUFFER_SIZE]; - int r; -- const u8 *p = rbuf, *q; -+ const u8 *p = rbuf, *q, *pp; - size_t len, tlen = 0, ilen = 0; - - sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88); -@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card) - return 0; - - while (len != 0) { -- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); -- if (p == NULL) -+ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); -+ if (pp == NULL) - return 0; - if (card->type == SC_CARD_TYPE_CARDOS_M4_3) { - /* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 */ - /* and Package Number 0x07 */ -- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen); -+ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen); - if (q == NULL || ilen != 4) - return 0; - if (q[0] == 0x07) -@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) - } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4) { - /* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03 */ - /* and Package Number 0x02 */ -- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen); -+ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen); - if 
(q == NULL || ilen != 4) - return 0; - if (q[0] == 0x02) diff --git a/package/opensc/0005-LibreSSL-does-provide-EVP_sha3_-after-3-7-3.patch b/package/opensc/0005-LibreSSL-does-provide-EVP_sha3_-after-3-7-3.patch deleted file mode 100644 index 80c19a3f5f..0000000000 --- a/package/opensc/0005-LibreSSL-does-provide-EVP_sha3_-after-3-7-3.patch +++ /dev/null @@ -1,32 +0,0 @@ -From e015242590ad9131e124232cc5a2fd02d525ef2c Mon Sep 17 00:00:00 2001 -From: Klemens Nanni <kn@openbsd.org> -Date: Thu, 29 Jun 2023 02:41:43 +0300 -Subject: [PATCH] LibreSSL does provide EVP_sha3_*() after 3.7.3 - -Support was added in 16.04.2023. - -Compile- and run-tested on OpenBSD/amd64 7.3-current. - -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> -Upstream: https://github.com/OpenSC/OpenSC/commit/e015242590ad9131e124232cc5a2fd02d525ef2c ---- - src/libopensc/sc-ossl-compat.h | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h -index df0cebbce2..8012cd4c0f 100644 ---- a/src/libopensc/sc-ossl-compat.h -+++ b/src/libopensc/sc-ossl-compat.h -@@ -50,10 +50,12 @@ extern "C" { - #if LIBRESSL_VERSION_NUMBER < 0x30500000L - #define FIPS_mode() (0) - #endif -+#ifndef EVP_sha3_224 - #define EVP_sha3_224() (NULL) - #define EVP_sha3_256() (NULL) - #define EVP_sha3_384() (NULL) - #define EVP_sha3_512() (NULL) -+#endif - #if LIBRESSL_VERSION_NUMBER < 0x3070000fL - #define EVP_PKEY_new_raw_public_key(t, e, p, l) (NULL) - #define EVP_PKEY_get_raw_public_key(p, pu, l) (0) diff --git a/package/opensc/0006-fixed-detection-of-SHA3-compatibility.patch b/package/opensc/0006-fixed-detection-of-SHA3-compatibility.patch deleted file mode 100644 index 3d8aa7e4ef..0000000000 --- a/package/opensc/0006-fixed-detection-of-SHA3-compatibility.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 33351d91aa22fa8077847ba3f19abb5a00b04600 Mon Sep 17 00:00:00 2001 -From: Frank Morgner <frankmorgner@gmail.com> -Date: Tue, 15 Aug 2023 17:58:21 +0200 -Subject: [PATCH] fixed detection of SHA3 compatibility - -fixes https://github.com/OpenSC/OpenSC/issues/2836 - -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> -Upstream: https://github.com/OpenSC/OpenSC/commit/33351d91aa22fa8077847ba3f19abb5a00b04600 ---- - src/libopensc/sc-ossl-compat.h | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/libopensc/sc-ossl-compat.h b/src/libopensc/sc-ossl-compat.h -index 8012cd4c0f..96ec4bd736 100644 ---- a/src/libopensc/sc-ossl-compat.h -+++ b/src/libopensc/sc-ossl-compat.h -@@ -50,7 +50,8 @@ extern "C" { - #if LIBRESSL_VERSION_NUMBER < 0x30500000L - #define FIPS_mode() (0) - #endif --#ifndef EVP_sha3_224 -+/* OpenSSL 1.1.1 has EVP_sha3_* */ -+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x30800000L - #define EVP_sha3_224() (NULL) - #define EVP_sha3_256() (NULL) - #define EVP_sha3_384() (NULL) diff --git a/package/opensc/opensc.hash b/package/opensc/opensc.hash index e8e675667e..232222062c 100644 --- a/package/opensc/opensc.hash +++ b/package/opensc/opensc.hash @@ -1,5 +1,5 @@ # Computed locally from https://https://github.com/OpenSC/OpenSC/releases/ -sha256 a4844a6ea03a522ecf35e49659716dacb6be03f7c010a1a583aaf3eb915ed2e0 opensc-0.23.0.tar.gz +sha256 24d03c69287291da32a30c4c38a304ad827f56cb85d83619e1f5403ab6480ef8 opensc-0.24.0.tar.gz # Computed locally sha256 376b54d4c5f4aa99421823fa4da93e3ab73096fce2400e89858632aa7da24a14 COPYING diff --git a/package/opensc/opensc.mk b/package/opensc/opensc.mk index 823bc50102..49bdcae37a 100644 --- a/package/opensc/opensc.mk +++ b/package/opensc/opensc.mk 
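Review bot: The context comment directly above the new hash line still reads `https://https://github.com/OpenSC/OpenSC/releases/` with a doubled scheme; it predates this commit, but since the line below it is rewritten anyway it could become `# Computed locally from https://github.com/OpenSC/OpenSC/releases/`. As that comment says, the sha256 is computed locally rather than copied from an upstream-published digest, so it pins only the tarball the submitter fetched; the check available to a reviewer here is to re-download opensc-0.24.0.tar.gz from the release page and compare it against `24d03c69…80ef8` before this lands.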
@@ -4,18 +4,13 @@
 #
 ################################################################################
 
-OPENSC_VERSION = 0.23.0
+OPENSC_VERSION = 0.24.0
 OPENSC_SITE = https://github.com/OpenSC/OpenSC/releases/download/$(OPENSC_VERSION)
 OPENSC_LICENSE = LGPL-2.1+
 OPENSC_LICENSE_FILES = COPYING
 OPENSC_CPE_ID_VENDOR = opensc_project
-# 0003-configure-add-option-to-disable-tests.patch
-OPENSC_AUTORECONF = YES
 OPENSC_DEPENDENCIES = openssl pcsc-lite
 OPENSC_INSTALL_STAGING = YES
 OPENSC_CONF_OPTS = --disable-cmocka --disable-strict --disable-tests
 
-# 0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
-OPENSC_IGNORE_CVES += CVE-2023-2977
-
 $(eval $(autotools-package))
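Review bot: With 0003-configure-add-option-to-disable-tests.patch deleted, the unchanged `--disable-tests` in `OPENSC_CONF_OPTS` now depends on the 0.24.0 tarball shipping that configure switch (the dropped patch pointed at upstream PR #2822); the description says the patches are already in this version, which is consistent, but it is worth confirming against the release because autoconf only warns on an unrecognized `--disable-*` option, so a missing switch would silently build `src/tests` instead of failing the build. Likewise, removing `OPENSC_IGNORE_CVES += CVE-2023-2977` is only correct because the fix it covered (0004, upstream commit 81944d15) is part of 0.24.0, and the description does not say so; a line such as `Drop OPENSC_IGNORE_CVES for CVE-2023-2977: its fix is included in 0.24.0` would leave the audit trail explicit rather than implied by "already in version". Dropping `OPENSC_AUTORECONF = YES` is consistent once no patch touches configure.ac any more.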
- Drop patches (already in version) and so drop autoreconf - Fix the following security issues: - CVE-2023-40660: Fix Potential PIN bypass - CVE-2023-40661: Important dynamic analyzers reports - CVE-2023-4535: Out-of-bounds read in MyEID driver handling encryption using symmetric keys https://github.com/OpenSC/OpenSC/releases/tag/0.24.0 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> --- ...ed-compatibility-with-LibreSSL-3.5.0.patch | 54 --------------- ...ed-compatibility-with-LibreSSL-3.7.0.patch | 28 -------- ...onfigure-add-option-to-disable-tests.patch | 67 ------------------- ...alculation-to-fix-buffer-overrun-bug.patch | 51 -------------- ...L-does-provide-EVP_sha3_-after-3-7-3.patch | 32 --------- ...ixed-detection-of-SHA3-compatibility.patch | 27 -------- package/opensc/opensc.hash | 2 +- package/opensc/opensc.mk | 7 +- 8 files changed, 2 insertions(+), 266 deletions(-) delete mode 100644 package/opensc/0001-fixed-compatibility-with-LibreSSL-3.5.0.patch delete mode 100644 package/opensc/0002-fixed-compatibility-with-LibreSSL-3.7.0.patch delete mode 100644 package/opensc/0003-configure-add-option-to-disable-tests.patch delete mode 100644 package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch delete mode 100644 package/opensc/0005-LibreSSL-does-provide-EVP_sha3_-after-3-7-3.patch delete mode 100644 package/opensc/0006-fixed-detection-of-SHA3-compatibility.patch