opensc: fix CVE-2024-45617

CVE-2024-45617:
A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK.
An attacker could use a crafted USB Device or Smart Card, which would present the system
with a specially crafted response to APDUs. Insufficient or missing checking of return
values of functions leads to unexpected work with variables that have not been initialized.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-45617]

Upstream patches:
[https://github.com/OpenSC/OpenSC/commit/fdb9e903eb124b6b18a5a9350a26eceb775585bc]
[https://github.com/OpenSC/OpenSC/commit/fdb9e903eb124b6b18a5a9350a26eceb775585bc]
[https://github.com/OpenSC/OpenSC/commit/efbc14ffa190e3e0ceecceb479024bb778b0ab68]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

meta-oe/recipes-support/opensc/files/CVE-2024-45617-0001.patch

@@ -0,0 +1,38 @@
+From fdb9e903eb124b6b18a5a9350a26eceb775585bc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Tue, 16 Jul 2024 14:05:36 +0200
+Subject: [PATCH]  cac: Check return value when selecting AID
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs11/14
+
+CVE: CVE-2024-45617
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/fdb9e903eb124b6b18a5a9350a26eceb775585bc]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/card-cac.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
+index 4c3bc89bd..f910f64d3 100644
+--- a/src/libopensc/card-cac.c
++++ b/src/libopensc/card-cac.c
+@@ -1302,10 +1302,10 @@ static int cac_parse_aid(sc_card_t *card, cac_private_data_t *priv, const u8 *ai
+ 	/* Call without OID set will just select the AID without subsequent
+ 	 * OID selection, which we need to figure out just now
+ 	 */
+-	cac_select_file_by_type(card, &new_object.path, NULL);
++	r = cac_select_file_by_type(card, &new_object.path, NULL);
++	LOG_TEST_RET(card->ctx, r, "Cannot select AID");
+ 	r = cac_get_properties(card, &prop);
+-	if (r < 0)
+-		return SC_ERROR_INTERNAL;
++	LOG_TEST_RET(card->ctx, r, "Cannot get CAC properties");
+ 
+ 	for (i = 0; i < prop.num_objects; i++) {
+ 		/* don't fail just because we have more certs than we can support */
+--
+2.34.1

meta-oe/recipes-support/opensc/files/CVE-2024-45617-0002.patch

@@ -0,0 +1,33 @@
+From 21d869b77792b6f189eebf373e399747177d99e2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Tue, 16 Jul 2024 14:29:01 +0200
+Subject: [PATCH] cardos: Return error when response length is 0
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs11/18
+
+CVE: CVE-2024-45617
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/fdb9e903eb124b6b18a5a9350a26eceb775585bc]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/card-cardos.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
+index 9906f6c72..6f10943a5 100644
+--- a/src/libopensc/card-cardos.c
++++ b/src/libopensc/card-cardos.c
+@@ -1278,7 +1278,7 @@ cardos_lifecycle_get(sc_card_t *card, int *mode)
+ 	LOG_TEST_RET(card->ctx, r, "Card returned error");
+ 
+ 	if (apdu.resplen < 1) {
+-		LOG_TEST_RET(card->ctx, r, "Lifecycle byte not in response");
++		LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Lifecycle byte not in response");
+ 	}
+ 
+ 	r = SC_SUCCESS;
+--
+2.34.1

meta-oe/recipes-support/opensc/files/CVE-2024-45617-0003.patch

@@ -0,0 +1,33 @@
+From efbc14ffa190e3e0ceecceb479024bb778b0ab68 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
+Date: Wed, 17 Jul 2024 10:39:52 +0200
+Subject: [PATCH] card-jpki: Check number of read bytes
+
+Thanks Matteo Marini for report
+https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
+
+fuzz_pkcs15_encode/18
+
+CVE: CVE-2024-45617
+Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/efbc14ffa190e3e0ceecceb479024bb778b0ab68]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libopensc/card-jpki.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libopensc/card-jpki.c b/src/libopensc/card-jpki.c
+index 6e4d0f3165..71339491d1 100644
+--- a/src/libopensc/card-jpki.c
++++ b/src/libopensc/card-jpki.c
+@@ -195,6 +195,8 @@ jpki_select_file(struct sc_card *card,
+ 		u8 buf[4];
+ 		rc = sc_read_binary(card, 0, buf, 4, 0);
+ 		LOG_TEST_RET(card->ctx, rc, "SW Check failed");
++		if (rc < 4)
++			LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Received data too short");
+ 		file = sc_file_new();
+ 		if (!file) {
+ 			LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
+--
+2.34.1

meta-oe/recipes-support/opensc/opensc_0.22.0.bb

@@ -41,6 +41,9 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
            file://CVE-2024-45616-0008.patch \
            file://CVE-2024-45616-0009.patch \
            file://CVE-2024-45616-0010.patch \
+           file://CVE-2024-45617-0001.patch \
+           file://CVE-2024-45617-0002.patch \
+           file://CVE-2024-45617-0003.patch \
           "
 
 # CVE-2021-34193 is a duplicate CVE covering the 5 individual