Add commit hashes for uninitialized memory CVEs
xhanulik committed Sep 11, 2024
1 parent e0e50ec commit 75c89a8
Showing 6 changed files with 44 additions and 1 deletion.
5 changes: 5 additions & 0 deletions CVE-2024-45615.md
@@ -9,18 +9,23 @@ The uninitialized variables were reflected in the following functions:
- [cac_read_file](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cac.c#L423)
- calling function for reading files with uninitialized values for buffer and length (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cac.c#L389>)
- found via fuzz_card, fuzz_pkcs11, fuzz_pkcs15_crypt
- fixed with 5e4f26b510b04624386c54816bf26aacea0fe4a1
- [piv_get_challenge](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-piv.c#L4460)
- uninitialized value later used in piv_get_challenge, since variables are not initialized by sc_asn1_read_tag (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-piv.c#L4459>)
- found via fuzz_pkcs11
- fixed with 7d68a7f442e38e16625270a0fdc6942c9e9437e6
- [sc_asn1_decode_object_id](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/asn1.c#L838)
- uninitialized values come from sc_pkcs15_get_name_from_dn function (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-cert.c#L172>)
- found via fuzz_pkcs11
- fixed with bb3dedb71e59bd17f96fd4e807250a5cf2253cb7
- [sc_pkcs15emu_sc_hsm_decode_cvc](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-sc-hsm.c#L421)
- uninitialized values not filled by sc_asn1_read_tag function (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-sc-hsm.c#L389>)
- found via fuzz_pkcs15_crypt
- fixed with 42d718dfccd2a10f6d26705b8c991815c855fa3b
- do_init_app, [sc_pkcs15init_create_pin](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-lib.c#L1140)
- uninitialized value comes from do_pin_flags (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/profile.c#L1812>)
- found via fuzz_pkcs15init
- fixed with bde991b0fe4f0250243b0e4960978b1043c13b03

Affected versions: all before 0.26.0
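Review bot: the five new `fixed with` lines give bare commit hashes, while every function name in the same list is a link pinned to d5a5b5428ef1b33c71057fd173e541cdc0273485; linking each hash to its commit on the OpenSC repository (for example `[5e4f26b510b04624386c54816bf26aacea0fe4a1](https://github.com/OpenSC/OpenSC/commit/5e4f26b510b04624386c54816bf26aacea0fe4a1)`) would make the fix references as easy to verify as the vulnerable-code references and would let a reader confirm that each hash really lands before the 0.26.0 tag named in `Affected versions`.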

@@ -10,39 +10,55 @@ The uninitialized variables were reflected in these functions:
- uninitialized APDU response buffer, unchecked response length (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cardos.c#L136>)
- uninitialized value used later by cardos_match_card
- found via fuzz_card, fuzz_pkcs11, fuzz_pkcs15_crypt, fuzz_pkcs15_decode
- fixed with
- 1d3b410e06d33cfc4c70e8a25386e456cfbd7bd1
- 265b28344d036a462f38002d957a0636fda57614
- _itoa_word, called from [sc_hex_dump](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/log.c#L367)
- the problem arose from cac_cac1_get_certificate function with wrong calculation of certificate length based on the APDU rseponse length (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cac1.c#L95-L100>)
- found via fuzz_card, fuzz_pkcs15_crypt, fuzz_pkcs15_decode
- fixed with e7177c7ca00200afea820d155dca67f38b232967
- sc_bin_to_hex
- the problem arose from auth_select_aid function unchecked SW1 and SW2 after querying for serial number (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-oberthur.c#L163>)
- found via fuzz_pkcs11, fuzz_pkcs15_encode
- fixed with ef7b10a18e6a4d4f03f0c47ea81aa8136f3eca60
- strcmp, called from sc_asn1_read_tag
- the problem arose from gids_get_DO function with incorrect setting of buffer length, when buffer filled with APDU response (<https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card-gids.c#L249-L253>)
- found via fuzz_pkcs15_decode,
- found via fuzz_pkcs15_decode
- fixed with 16ada9dc7cddf1cb99516aea67b6752c251c94a2
- [asn1_decode](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/asn1.c#L1740)
- do_select not checking APDU response length before accessing APDu response buffer (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-mcrd.c#L590>)
- found via fuzz_pkcs11, fuzz_pkcs15_decode
- fixed with 3562969c90a71b0bcce979f0e6d627546073a7fc
- [process_fcp](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-mcrd.c#L508)
- do_select not checking APDU response length before accessing APDu response buffer (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-mcrd.c#L590>)
- fuzz_pkcs15_crypt
- fixed with 3562969c90a71b0bcce979f0e6d627546073a7fc
- [dnie_process_fci](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-dnie.c#L2024)
- dnie_compose_and_send_apdu lacks checking for APDU response length before accessing response (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-dnie.c#L1180>)
- found via fuzz_pkcs11, fuzz_pkcs15_crypt, fuzz_pkcs15_decode
- fixed with cccdfc46b10184d1eea62d07fe2b06240b7fafbc
- [iso7816_process_fci](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iso7816.c#L463)
- dnie_compose_and_send_apdu lacks checking for APDU response length before accessing response (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-dnie.c#L1180>)
- found via fuzz_pkcs15_encode
- fixed with cccdfc46b10184d1eea62d07fe2b06240b7fafbc
- [sc_pkcs15init_parse_info](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-lib.c#L4564), [msc_extract_rsa_public_key](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/muscle.c#L620)
- incorrect return of APDU response data length in msc_partial_read_object (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/muscle.c#L96>)
- uninitialized part of buffer after actual length accessed by sc_pkcs15init_parse_info
- found via fuzz_pkcs11, fuzz_pkcs15init
- fixed with 5fa758767e517779fc5398b6b4faedc4e36d3de5
- [sc_bin_to_hex](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/sc.c#L155)
- unchecked APDU response length when querying for serial number in auth_select_aid (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-oberthur.c#L163>)
- found via fuzz_pkcs15_crypt, fuzz_pkcs15init, fuzz_pkcs15_decode
- fixed with ef7b10a18e6a4d4f03f0c47ea81aa8136f3eca60
- [gids_read_masterfile](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-gids.c#L368)
- the problem arose from gids_get_DO function with incorrect setting of buffer length, when buffer filled with APDU response (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-gids.c#L249-L253>)
- fixed with
- 76115e34799906a64202df952a8a9915d30bc89d
- 16ada9dc7cddf1cb99516aea67b6752c251c94a2
- [sc_bin_to_hex](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/sc.c#L155)
- unchecked value of APDU response length in function entersafe_get_serialnr (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-entersafe.c#L1424>)
- found via fuzz_pkcs15_reader
- fixed with aa102cd9abe1b0eaf537d9dd926844a46060d8bc

Affected versions: all before 0.26.0
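Review bot: two entries link the vulnerable code to `master` instead of the pinned commit used everywhere else (the gids_get_DO references under `strcmp, called from sc_asn1_read_tag` and under `gids_read_masterfile` both point at `.../blob/master/src/libopensc/card-gids.c#L249-L253`), so those line anchors will drift as the file changes, and the fix 16ada9dc7cddf1cb99516aea67b6752c251c94a2 named directly below them is the most likely thing to move them; pin both links to d5a5b5428ef1b33c71057fd173e541cdc0273485 like the rest. Smaller points in the same hunk: `rseponse` and `APDu` (twice) are typos, the `process_fcp` entry reads `- fuzz_pkcs15_crypt` where every other entry says `- found via ...`, the first `sc_bin_to_hex` entry is the only function without a link, and `gids_read_masterfile` has no `found via` line.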

@@ -9,12 +9,15 @@ The uninitialized variables were reflected in the following functions:
- bcdmp, called from [cac_list_compare_path](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cac-common.c#L73)
- in function cac_parse_aid, code accesses path buffer by cac_list_compare_path, when function for selecting file fails (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cac.c#L1296>)
- found via fuzz_pkcs11, fuzz_pkcs15_decode
- fixed with fdb9e903eb124b6b18a5a9350a26eceb775585bc
- [cardos_lifecycle_get](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cardos.c#L1288)
- incorrect check for error status leading into not propagating the error and usage of uninitialized value (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cardos.c#L1284>)
- found via fuzz_pkcs11
- fixed with 21d869b77792b6f189eebf373e399747177d99e2
- [sc_pkcs15_read_file](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15.c#L2535)
- incorrect checking of return value in jpki_select_file (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-jpki.c#L196>)
- found via fuzz_pkcs15_encode
- fixed with efbc14ffa190e3e0ceecceb479024bb778b0ab68

Affected versions: all before 0.26.0

@@ -8,12 +8,15 @@ The uninitialized variables were reflected in the following functions:

- strlen, called from [set_string](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/sc.c#L252)
- no checking of return value in sc_pkcs15emu_tcos_init_ex (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-tcos.c#L536>)
- fixed with 8632ec172beda894581d67eaa991e519a7874f7d
- [sc_build_pin](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/sec.c#L281)
- missing error handling in sc_pkcs15init_verify_secret (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-lib.c#L3831-L3841>)
- found via fuzz_pkcs15init
- fixed with f9d68660f032ad4d7803431d5fc7577ea8792ac3
- DES_set_key_unchecked, called from [openssl_enc](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-epass2003.c#L295)
- missing error handling in sc_pkcs15init_verify_secret (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-lib.c#L3831-L3841>)
- found via fuzz_pkcs15init
- fixed with f9d68660f032ad4d7803431d5fc7577ea8792ac3

Affected versions: all before 0.26.0
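Review bot: the `strlen, called from set_string` entry has no `found via` line, unlike every other entry across these files; if the fuzzer that triggered it is known, add it, and if it was found some other way, say so explicitly so the omission does not read as a copy-paste gap.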

@@ -9,23 +9,33 @@ The uninitialized variables were reflected in the following functions:
- [insert_cert](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-tcos.c#L70)
- missing check for empty read file (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-tcos.c#L65>)
- found via fuzz_pkcs11, fuzz_pkcs15_crypt, fuzz_pkcs15_decode, fuzz_pkcs15_encode
- fixed with
- f01bfbd19b9c8243a40f7f17d554fe0eb9e89d0d
- a1d8c01c1cabd115dda8c298941d1786fb4c5c2f
- [asn1_encode_path](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/asn1.c#L1219)
- function insert_cert accessing buffer after filled length (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-tcos.c#L70-L77>)
- found via fuzz_pkcs15_encode
- fixed with
- f01bfbd19b9c8243a40f7f17d554fe0eb9e89d0d
- a1d8c01c1cabd115dda8c298941d1786fb4c5c2f
- [gemsafe_get_cert_len](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-gemsafeV1.c#L252)
- accessing uninit(<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L763>), [iasecc_se_parse](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L331)
- missing checks for accessing data buffer (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L764> and <https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L322>)
- found via fuzz_pkcs15init
- fixed with 673065630bf4aaf03c370fc791ef6a6239431214
- [setcos_generate_key](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-setcos.c#L511)
- missing check for data length (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-setcos.c#L507>)
- found via fuzz_pkcs15init
- fixed with e20ca25204c9c5e36f53ae92ddf017cd17d07e31
- [sc_hsm_determine_free_id](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-sc-hsm.c#L144)
- incorrect checking of file list length (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-sc-hsm.c#L143>)
- found via fuzz_pkcs15initialized part of buffer without checking actual buffer length (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-gemsafeV1.c#L180>)
- found via fuzz_pkcs15_crypt, fuzz_pkcs15_decode
- fixed with 2b6cd52775b5448f6a993922a30c7a38d9626134
- [coolkey_rsa_op](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-coolkey.c#L1771)
- missing check for length of buffer (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-coolkey.c#L1770>)
- found via fuzz_pkcs15_reader
- fixed with dd554a2e1e31e6cb75c627c653652696d61e8de8

Affected versions: all before 0.26.0
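Review bot: the `gemsafe_get_cert_len` entry is broken: its description line reads `accessing uninit(<...iasecc-sdo.c#L763>), [iasecc_se_parse](...)` and, ten lines later, `found via fuzz_pkcs15initialized part of buffer without checking actual buffer length (...pkcs15-gemsafeV1.c#L180)`, which is the iasecc_sdo_parse / setcos_generate_key / sc_hsm_determine_free_id block (the same three entries that appear in CVE-2024-45620.md) pasted into the middle of the sentence `accessing uninitialized part of buffer without checking actual buffer length`. Please restore the gemsafe entry as one item (description, `found via fuzz_pkcs15_crypt, fuzz_pkcs15_decode`, `fixed with 2b6cd52775b5448f6a993922a30c7a38d9626134`) and either remove the spliced block or keep it deliberately as separate entries; as it stands the `[iasecc_sdo_parse](` link prefix is lost, the iasecc entry carries fix 673065630bf4aaf03c370fc791ef6a6239431214 here versus 6baa19596598169d652659863470a60c5ed79ecd and 468a314d76b26f724a551f2eb339dd17c856cf18 in CVE-2024-45620.md, and 2b6cd52775b5448f6a993922a30c7a38d9626134 is listed as the sc_hsm_determine_free_id fix in that file, so please confirm which entry it belongs to here.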

@@ -9,15 +9,21 @@ The uninitialized variables were reflected in the following functions:
- [starcos_write_pukey](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-starcos.c#L683)
- lack of checking file length (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-starcos.c#L671>)
- found via fuzz_pkcs15init
- fixed with a1bcc6516f43d570899820d259b71c53f8049168
- [iasecc_sdo_parse](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L763), [iasecc_se_parse](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L331)
- missing checks for accessing data buffer (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L764> and <https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L322>)
- found via fuzz_pkcs15init
- fixed with
- 6baa19596598169d652659863470a60c5ed79ecd
- 468a314d76b26f724a551f2eb339dd17c856cf18
- [setcos_generate_key](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-setcos.c#L511)
- missing check for data length (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-setcos.c#L507>)
- found via fuzz_pkcs15init
- fixed with e20ca25204c9c5e36f53ae92ddf017cd17d07e31
- [sc_hsm_determine_free_id](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-sc-hsm.c#L144)
- incorrect checking of file list length (<https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-sc-hsm.c#L143>)
- found via fuzz_pkcs15init
- fixed with 2b6cd52775b5448f6a993922a30c7a38d9626134

Affected versions: all before 0.26.0
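Review bot: the iasecc_sdo_parse / iasecc_se_parse entry here lists fixes 6baa19596598169d652659863470a60c5ed79ecd and 468a314d76b26f724a551f2eb339dd17c856cf18, while the same function pair, with the same description and the same L764 / L322 references, is listed in CVE-2024-45619.md with fix 673065630bf4aaf03c370fc791ef6a6239431214; the setcos_generate_key and sc_hsm_determine_free_id entries are likewise duplicated across both files. If the same bug is intentionally tracked under two CVEs, a one-line cross-reference in each file would make that clear; if not, one of the two lists is wrong and should be reconciled before these hashes are published.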
