Buffer overflow

The problem seems to be also in the git repo from upstream Debian, git://git.debian.org/git/pkg-opensc/opensc.git . The attached patches are taken from opensc upstream (https://www.opensc-project.org/opensc/changeset/4912 and https://www.opensc-project.org/opensc/changeset/4913).

I've built a patched package for testing in https://launchpad.net/~tspindler/+archive/opensc-lvm

A first test of the patched package on a smartcard enabled system was successful.

FWIW, I think the compiler flags[1] will reduce this vulnerability from being exploitable to only being a denial of service, but additional study would be needed.

[1] https://wiki.ubuntu.com/CompilerFlags

This bug was fixed in the package opensc - 0.11.13-1ubuntu4

---------------
opensc (0.11.13-1ubuntu4) natty; urgency=low

  * SECURITY UPDATE: specially crafted cards may be able to execute code.
    - debian/patches/min-max.patch: Add MIN and MAX macros for last patch
    - debian/patches/buffer-overflow.patch: Fix potential buffer overflow
      by rogue cards. (LP: #692483)
 -- Torsten Spindler (Canonical) <email address hidden> Tue, 21 Dec 2010 09:50:33 +0100

ACK

Thanks for your patches! These look great and I have uploaded them to the security PPA. When they finish building, I will push them to the archive.

Minor nit: with DEP-3 quilt patches you don't need the DEP-3 comments commented out with '##'. Eg, the following is preferred:
Description: Fix buffer overflow
Origin: upstream, https://www.opensc-project.org/opensc/changeset/4913
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/692483

Used submittodebian to open http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607732.

Torsten, thanks for the patches for the older releases. The karmic debdiff only has template text for the DEP-3 comments, and the hardy debdiff should have the DEP-3 info in the debian/changelog since there isn't a patch system.

Also, the hardy debdiff has 'jaunty' instead of 'hardy-security' and uses the wrong version for hardy. It should be 0.11.4-2ubuntu2.1. I'll fix these up in the interest of time.

Karmic also had the wrong version. In the future, please review https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging to make sure the debdiff is correct. Thanks again. :)

We can use even short URLs in DEP3:
instead https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/692483
I really preffer https://launchpad.net/bugs/692483

Regards and thanks for patch.
MOTU SWAT

Karmic also had the wrong version. In the future, please review https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging to make sure the debdiff is correct. Thanks again. :)

This bug was fixed in the package opensc - 0.11.13-1ubuntu2.1

---------------
opensc (0.11.13-1ubuntu2.1) maverick-security; urgency=low

  * SECURITY UPDATE: specially crafted cards may be able to execute code.
    - debian/patches/min-max.patch: Add MIN and MAX macros for last patch
    - debian/patches/buffer-overflow.patch: Fix potential buffer overflow
      by rogue cards. (LP: #692483)
 -- Torsten Spindler (Canonical) <email address hidden> Mon, 20 Dec 2010 13:51:01 +0100

This bug was fixed in the package opensc - 0.11.12-1ubuntu3.2

---------------
opensc (0.11.12-1ubuntu3.2) lucid-security; urgency=low

  * SECURITY UPDATE: specially crafted cards may be able to execute code.
    - debian/patches/min-max.patch: Add MIN and MAX macros for last patch
    - debian/patches/buffer-overflow.patch: Fix potential buffer overflow
      by rogue cards. (LP: #692483)
 -- Torsten Spindler (Canonical) <email address hidden> Mon, 20 Dec 2010 11:00:40 +0100

This bug was fixed in the package opensc - 0.11.8-1ubuntu2.1

---------------
opensc (0.11.8-1ubuntu2.1) karmic-security; urgency=low

  * SECURITY UPDATE: specially crafted cards may be able to execute code.
    - debian/patches/min-max.patch: Add MIN and MAX macros for last patch
    - debian/patches/buffer-overflow.patch: Fix potential buffer overflow
      by rogue cards. (LP: #692483)
 -- Torsten Spindler (Canonical) <email address hidden> Tue, 21 Dec 2010 16:12:30 +0100

This bug was fixed in the package opensc - 0.11.4-2ubuntu2.1

---------------
opensc (0.11.4-2ubuntu2.1) hardy-security; urgency=low

  * SECURITY UPDATE: specially crafted cards may be able to execute code.
    - Move MIN and MAX macros from muscle.c to internal.h
    - https://www.opensc-project.org/opensc/changeset/4912
    - Fix potential buffer overflow by rogue cards. (LP: #692483)
    - update card-acos5.c, card-atrust-acos.c and card-starcos.c to use
      MIN macros to protect against buffer overflow
    - https://www.opensc-project.org/opensc/changeset/4913
 -- Torsten Spindler (Canonical) <email address hidden> Tue, 21 Dec 2010 16:34:32 +0100

For the record, this is CVE-2010-4523 and it's being tracked in Debian bug #607427 (#607732 was a duplicate)

Thanks Jonathan! I caught the update today but missed the original bug.
Sorry about that.