diff --git a/CVE-2024-45615.md b/CVE-2024-45615.md index 37d3a5a..e0e95ea 100644 --- a/CVE-2024-45615.md +++ b/CVE-2024-45615.md @@ -9,18 +9,23 @@ The uninitialized variables were reflected in the following functions: - [cac_read_file](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cac.c#L423) - calling function for reading files with uninitialized values for buffer and length () - found via fuzz_card, fuzz_pkcs11, fuzz_pkcs15_crypt + - fixed with 5e4f26b510b04624386c54816bf26aacea0fe4a1 - [piv_get_challenge](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-piv.c#L4460) - uninitialized value later used in piv_get_challenge, since variables are not initialized by sc_asn1_read_tag () - found via fuzz_pkcs11 + - fixed with 7d68a7f442e38e16625270a0fdc6942c9e9437e6 - [sc_asn1_decode_object_id](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/asn1.c#L838) - uninitialized values come from sc_pkcs15_get_name_from_dn function () - found via fuzz_pkcs11 + - fixed with bb3dedb71e59bd17f96fd4e807250a5cf2253cb7 - [sc_pkcs15emu_sc_hsm_decode_cvc](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-sc-hsm.c#L421) - uninitialized values not filled by sc_asn1_read_tag function () - found via fuzz_pkcs15_crypt + - fixed with 42d718dfccd2a10f6d26705b8c991815c855fa3b - do_init_app, [sc_pkcs15init_create_pin](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-lib.c#L1140) - uninitialized value comes from do_pin_flags () - found via fuzz_pkcs15init + - fixed with bde991b0fe4f0250243b0e4960978b1043c13b03 Affected versions: all before 0.26.0 diff --git a/CVE-2024-45616.md b/CVE-2024-45616.md index b1902f8..bc53a88 100644 --- a/CVE-2024-45616.md +++ b/CVE-2024-45616.md 
@@ -10,39 +10,55 @@ The uninitialized variables were reflected in these functions: - uninitialized APDU response buffer, unchecked response length () - uninitialized value used later by cardos_match_card - found via fuzz_card, fuzz_pkcs11, fuzz_pkcs15_crypt, fuzz_pkcs15_decode + - fixed with + - 1d3b410e06d33cfc4c70e8a25386e456cfbd7bd1 + - 265b28344d036a462f38002d957a0636fda57614 - _itoa_word, called from [sc_hex_dump](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/log.c#L367) - the problem arose from cac_cac1_get_certificate function with wrong calculation of certificate length based on the APDU rseponse length () - found via fuzz_card, fuzz_pkcs15_crypt, fuzz_pkcs15_decode + - fixed with e7177c7ca00200afea820d155dca67f38b232967 - sc_bin_to_hex - the problem arose from auth_select_aid function unchecked SW1 and SW2 after querying for serial number () - found via fuzz_pkcs11, fuzz_pkcs15_encode + - fixed with ef7b10a18e6a4d4f03f0c47ea81aa8136f3eca60 - strcmp, called from sc_asn1_read_tag - the problem arose from gids_get_DO function with incorrect setting of buffer length, when buffer filled with APDU response () - - found via fuzz_pkcs15_decode, + - found via fuzz_pkcs15_decode + - fixed with 16ada9dc7cddf1cb99516aea67b6752c251c94a2 - [asn1_decode](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/asn1.c#L1740) - do_select not checking APDU response length before accessing APDu response buffer () - found via fuzz_pkcs11, fuzz_pkcs15_decode + - fixed with 3562969c90a71b0bcce979f0e6d627546073a7fc - [process_fcp](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-mcrd.c#L508) - do_select not checking APDU response length before accessing APDu response buffer () - fuzz_pkcs15_crypt + - fixed with 3562969c90a71b0bcce979f0e6d627546073a7fc - 
[dnie_process_fci](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-dnie.c#L2024) - dnie_compose_and_send_apdu lacks checking for APDU response length before accessing response () - found via fuzz_pkcs11, fuzz_pkcs15_crypt, fuzz_pkcs15_decode + - fixed with cccdfc46b10184d1eea62d07fe2b06240b7fafbc - [iso7816_process_fci](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iso7816.c#L463) - dnie_compose_and_send_apdu lacks checking for APDU response length before accessing response () - found via fuzz_pkcs15_encode + - fixed with cccdfc46b10184d1eea62d07fe2b06240b7fafbc - [sc_pkcs15init_parse_info](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-lib.c#L4564), [msc_extract_rsa_public_key](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/muscle.c#L620) - incorrect return of APDU response data length in msc_partial_read_object () - uninitialized part of buffer after actual length accessed by sc_pkcs15init_parse_info - found via fuzz_pkcs11, fuzz_pkcs15init + - fixed with 5fa758767e517779fc5398b6b4faedc4e36d3de5 - [sc_bin_to_hex](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/sc.c#L155) - unchecked APDU response length when querying for serial number in auth_select_aid () - found via fuzz_pkcs15_crypt, fuzz_pkcs15init, fuzz_pkcs15_decode + - fixed with ef7b10a18e6a4d4f03f0c47ea81aa8136f3eca60 - [gids_read_masterfile](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-gids.c#L368) - the problem arose from gids_get_DO function with incorrect setting of buffer length, when buffer filled with APDU response () + - fixed with + - 76115e34799906a64202df952a8a9915d30bc89d + - 16ada9dc7cddf1cb99516aea67b6752c251c94a2 - 
[sc_bin_to_hex](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/sc.c#L155) - unchecked value of APDU response length in function entersafe_get_serialnr () - found via fuzz_pkcs15_reader + - fixed with aa102cd9abe1b0eaf537d9dd926844a46060d8bc Affected versions: all before 0.26.0 diff --git a/CVE-2024-45617.md b/CVE-2024-45617.md index 809b359..76a3776 100644 --- a/CVE-2024-45617.md +++ b/CVE-2024-45617.md @@ -9,12 +9,15 @@ The uninitialized variables were reflected in the following functions: - bcdmp, called from [cac_list_compare_path](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cac-common.c#L73) - in function cac_parse_aid, code accesses path buffer by cac_list_compare_path, when function for selecting file fails () - found via fuzz_pkcs11, fuzz_pkcs15_decode + - fixed with fdb9e903eb124b6b18a5a9350a26eceb775585bc - [cardos_lifecycle_get](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cardos.c#L1288) - incorrect check for error status leading into not propagating the error and usage of uninitialized value () - found via fuzz_pkcs11 + - fixed with 21d869b77792b6f189eebf373e399747177d99e2 - [sc_pkcs15_read_file](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15.c#L2535) - incorrect checking of return value in jpki_select_file () - found via fuzz_pkcs15_encode + - fixed with efbc14ffa190e3e0ceecceb479024bb778b0ab68 Affected versions: all before 0.26.0 diff --git a/CVE-2024-45618.md b/CVE-2024-45618.md index 5508949..633bfe6 100644 --- a/CVE-2024-45618.md +++ b/CVE-2024-45618.md 
@@ -8,12 +8,15 @@ The uninitialized variables were reflected in the following functions: - strlen, called from [set_string](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/sc.c#L252) - no checking of return value in sc_pkcs15emu_tcos_init_ex () + - fixed with 8632ec172beda894581d67eaa991e519a7874f7d - [sc_build_pin](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/sec.c#L281) - missing error handling in sc_pkcs15init_verify_secret () - found via fuzz_pkcs15init + - fixed with f9d68660f032ad4d7803431d5fc7577ea8792ac3 - DES_set_key_unchecked, called from [openssl_enc](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-epass2003.c#L295) - missing error handling in sc_pkcs15init_verify_secret () - found via fuzz_pkcs15init + - fixed with f9d68660f032ad4d7803431d5fc7577ea8792ac3 Affected versions: all before 0.26.0 diff --git a/CVE-2024-45619.md b/CVE-2024-45619.md index 9c6a974..8949860 100644 --- a/CVE-2024-45619.md +++ b/CVE-2024-45619.md 
@@ -9,23 +9,33 @@ The uninitialized variables were reflected in the following functions: - [insert_cert](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-tcos.c#L70) - missing check for empty read file () - found via fuzz_pkcs11, fuzz_pkcs15_crypt, fuzz_pkcs15_decode, fuzz_pkcs15_encode + - fixed with + - f01bfbd19b9c8243a40f7f17d554fe0eb9e89d0d + - a1d8c01c1cabd115dda8c298941d1786fb4c5c2f - [asn1_encode_path](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/asn1.c#L1219) - function insert_cert accessing buffer after filled length () - found via fuzz_pkcs15_encode + - fixed with + - f01bfbd19b9c8243a40f7f17d554fe0eb9e89d0d + - a1d8c01c1cabd115dda8c298941d1786fb4c5c2f - [gemsafe_get_cert_len](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-gemsafeV1.c#L252) - accessing uninit(), [iasecc_se_parse](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L331) - missing checks for accessing data buffer ( and ) - found via fuzz_pkcs15init + - fixed with 673065630bf4aaf03c370fc791ef6a6239431214 - [setcos_generate_key](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-setcos.c#L511) - missing check for data length () - found via fuzz_pkcs15init + - fixed with e20ca25204c9c5e36f53ae92ddf017cd17d07e31 - [sc_hsm_determine_free_id](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-sc-hsm.c#L144) - incorrect checking of file list length () - found via fuzz_pkcs15initialized part of buffer without checking actual buffer length () - found via fuzz_pkcs15_crypt, fuzz_pkcs15_decode + - fixed with 2b6cd52775b5448f6a993922a30c7a38d9626134 - [coolkey_rsa_op](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-coolkey.c#L1771) - missing check for 
length of buffer () - found via fuzz_pkcs15_reader + - fixed with dd554a2e1e31e6cb75c627c653652696d61e8de8 Affected versions: all before 0.26.0 diff --git a/CVE-2024-45620.md b/CVE-2024-45620.md index b077b12..6186eba 100644 --- a/CVE-2024-45620.md +++ b/CVE-2024-45620.md @@ -9,15 +9,21 @@ The uninitialized variables were reflected in the following functions: - [starcos_write_pukey](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-starcos.c#L683) - lack of checking file length () - found via fuzz_pkcs15init + - fixed with a1bcc6516f43d570899820d259b71c53f8049168 - [iasecc_sdo_parse](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L763), [iasecc_se_parse](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L331) - missing checks for accessing data buffer ( and ) - found via fuzz_pkcs15init + - fixed with + - 6baa19596598169d652659863470a60c5ed79ecd + - 468a314d76b26f724a551f2eb339dd17c856cf18 - [setcos_generate_key](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-setcos.c#L511) - missing check for data length () - found via fuzz_pkcs15init + - fixed with e20ca25204c9c5e36f53ae92ddf017cd17d07e31 - [sc_hsm_determine_free_id](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-sc-hsm.c#L144) - incorrect checking of file list length () - found via fuzz_pkcs15init + - fixed with 2b6cd52775b5448f6a993922a30c7a38d9626134 Affected versions: all before 0.26.0
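Review bot: in the CVE-2024-45615.md hunk the new `fixed with 5e4f26b510b04624386c54816bf26aacea0fe4a1` lines (and the four that follow) give bare commit hashes, while every function in the same list is a full github.com permalink pinned to d5a5b5428ef1b33c71057fd173e541cdc0273485; link each fix commit the same way (`https://github.com/OpenSC/OpenSC/commit/<hash>`) so a reader can check the fix against the pinned vulnerable revision, and say which release first ships them if that is not simply the 0.26.0 named under "Affected versions".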
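Review bot: the CVE-2024-45616.md hunk mixes two layouts for the same field: the cardos and gids_read_masterfile entries use `fixed with` followed by nested bullets for two hashes, while every single-commit entry puts the hash inline; pick one form. The same hunk also leaves the gids_read_masterfile entry without a `found via` line, the process_fcp entry with a bare `- fuzz_pkcs15_crypt`, and the typos `rseponse` and `APDu` in the adjacent context; and sc_bin_to_hex appears three times, twice for the same auth_select_aid cause with the same fix ef7b10a18e6a4d4f03f0c47ea81aa8136f3eca60, so those two entries should be merged.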
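Review bot: every entry in the CVE-2024-45617.md hunk (and in the other files) still ends in an empty `()` after its description, e.g. `when function for selecting file fails ()`; the parentheses were clearly reserved for a reference (issue or report id) that never got filled in, and adding a fix commit beside an empty reference makes the gap more visible, so either fill them or drop them. Minor: `leading into not propagating the error` reads better as `leading to the error not being propagated`.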
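Review bot: in the CVE-2024-45618.md hunk the strlen / set_string entry gains a `fixed with 8632ec172beda894581d67eaa991e519a7874f7d` line but is the only entry with no `found via` line; add the fuzzer that hit it. The sc_build_pin and DES_set_key_unchecked entries have the identical cause (`missing error handling in sc_pkcs15init_verify_secret`) and the identical fix f9d68660f032ad4d7803431d5fc7577ea8792ac3, so they are one issue with two symptoms and should be listed as such rather than as two findings.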
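Review bot: the CVE-2024-45619.md hunk attaches `fixed with 2b6cd52775b5448f6a993922a30c7a38d9626134` to a broken entry: the text `found via fuzz_pkcs15initialized part of buffer without checking actual buffer length ()` is the sc_hsm_determine_free_id entry run together with a second entry whose function name and link are missing, so it is unclear which finding the commit fixes. The gemsafe_get_cert_len entry has the same problem (`accessing uninit(), [iasecc_se_parse]` is truncated mid-word). Restore the two entries before recording fixes against them.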
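Review bot: the CVE-2024-45620.md hunk records fixes for iasecc_se_parse, setcos_generate_key and sc_hsm_determine_free_id, but all three are also listed under CVE-2024-45619.md with the same descriptions; setcos_generate_key and sc_hsm_determine_free_id carry identical fix commits in both files, while iasecc_se_parse is fixed with 673065630bf4aaf03c370fc791ef6a6239431214 in 45619 and with 6baa19596598169d652659863470a60c5ed79ecd plus 468a314d76b26f724a551f2eb339dd17c856cf18 here. Decide which CVE each finding belongs to (or state explicitly that it is shared), and reconcile the iasecc_se_parse commits, since the same finding under two ids with different fixes will confuse anyone triaging by CVE.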