microsoft · azurelinux-security · Apr 3, 2026
@@ -0,0 +1,73 @@
+From e792df5c1e1a794741bb7a4b6beca477ddf8e83b Mon Sep 17 00:00:00 2001
+From: Frank Morgner <[email protected]>
+Date: Thu, 22 May 2025 00:24:32 +0200
+Subject: [PATCH] fixed Stack-buffer-overflow WRITE in GET RESPONSE
+
+The do-while loop in apdu.c requires the output data to be set in any
+case, otherwise non existent data may be copied to the output data.
+
+fixes https://issues.oss-fuzz.com/issues/416351800
+fixes https://issues.oss-fuzz.com/issues/416295951
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/OpenSC/OpenSC/commit/953986f65db61871bbbff72788d861d67d5140c6.patch
+---
+ src/libopensc/card-nqApplet.c | 11 ++++++-----
+ src/libopensc/iso7816.c       |  5 +++--
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/libopensc/card-nqApplet.c b/src/libopensc/card-nqApplet.c
+index b197432..6d40238 100644
+--- a/src/libopensc/card-nqApplet.c
++++ b/src/libopensc/card-nqApplet.c
+@@ -190,9 +190,10 @@ static int nqapplet_finish(struct sc_card *card)
+ 	LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
+ }
+
+-static int nqapplet_get_response(struct sc_card *card, size_t *cb_resp, u8 *resp)
++static int
++nqapplet_get_response(struct sc_card *card, size_t *cb_resp, u8 *resp)
+ {
+-	struct sc_apdu apdu;
++	struct sc_apdu apdu = {0};
+ 	int rv;
+ 	size_t resplen;
+
+@@ -204,12 +205,12 @@ static int nqapplet_get_response(struct sc_card *card, size_t *cb_resp, u8 *resp
+
+ 	rv = sc_transmit_apdu(card, &apdu);
+ 	LOG_TEST_RET(card->ctx, rv, "APDU transmit failed");
+-	if (apdu.resplen == 0) {
+-		LOG_FUNC_RETURN(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2));
+-	}
+
+ 	*cb_resp = apdu.resplen;
+
++	if (apdu.resplen == 0) {
++		LOG_FUNC_RETURN(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2));
++	}
+ 	if (apdu.sw1 == 0x90 && apdu.sw2 == 0x00) {
+ 		rv = SC_SUCCESS;
+ 	} else if (apdu.sw1 == 0x61) {
+diff --git a/src/libopensc/iso7816.c b/src/libopensc/iso7816.c
+index 93b2707..89eba17 100644
+--- a/src/libopensc/iso7816.c
++++ b/src/libopensc/iso7816.c
+@@ -805,11 +805,12 @@ iso7816_get_response(struct sc_card *card, size_t *count, u8 *buf)
+
+ 	r = sc_transmit_apdu(card, &apdu);
+ 	LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
+-	if (apdu.resplen == 0)
+-		LOG_FUNC_RETURN(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2));
+
+ 	*count = apdu.resplen;
+
++	if (apdu.resplen == 0) {
++		LOG_FUNC_RETURN(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2));
++	}
+ 	if (apdu.sw1 == 0x90 && apdu.sw2 == 0x00)
+ 		r = 0;					/* no more data to read */
+ 	else if (apdu.sw1 == 0x61)
+-- 
+2.45.4
+
@@ -0,0 +1,35 @@
+From 2b87a8d6c6164799b21a9dc014359346d39180b1 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <[email protected]>
+Date: Tue, 25 Nov 2025 15:58:02 +0100
+Subject: [PATCH] pkcs15: Avoid buffer overrun on invalid data
+
+Invalid data can contain zero-length buffer, which after copying
+was dereferenced without length check
+
+Credit: Aldo Ristori
+
+Signed-off-by: Jakub Jelen <[email protected]>
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/OpenSC/OpenSC/commit/65fc211015cfcac27b10d0876054156c97225f50.patch
+---
+ src/libopensc/pkcs15-pubkey.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/libopensc/pkcs15-pubkey.c b/src/libopensc/pkcs15-pubkey.c
+index bc5fa45..4ccb8ad 100644
+--- a/src/libopensc/pkcs15-pubkey.c
++++ b/src/libopensc/pkcs15-pubkey.c
+@@ -1327,6 +1327,10 @@ sc_pkcs15_pubkey_from_spki_fields(struct sc_context *ctx, struct sc_pkcs15_pubke
+ 	       "sc_pkcs15_pubkey_from_spki_fields() called: %p:%"SC_FORMAT_LEN_SIZE_T"u\n%s",
+ 	       buf, buflen, sc_dump_hex(buf, buflen));
+
++	if (buflen < 1) {
++		LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "subjectPublicKeyInfo can not be empty");
++	}
++
+ 	tmp_buf = malloc(buflen);
+ 	if (!tmp_buf) {
+ 		r = SC_ERROR_OUT_OF_MEMORY;
+-- 
+2.45.4
+
@@ -0,0 +1,119 @@
+From e064e2123752613a95bff50defd27a59ad562325 Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Fri, 3 Apr 2026 14:27:41 +0000
+Subject: [PATCH] Backport patches: fix stack buffer overflow by using
+ SC_MAX_APDU_BUFFER_SIZE for resplen, cap le to MIN and SC_MAX_APDU_RESP_SIZE,
+ switch magic 256 to SC_MAX_APDU_RESP_SIZE, use MIN macro, adjust response
+ buffer sizes to SC_MAX_APDU_RESP_SIZE, and formatting updates per upstream
+ patch.
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/OpenSC/OpenSC/pull/3436.patch
+---
+ src/libopensc/card-oberthur.c | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/src/libopensc/card-oberthur.c b/src/libopensc/card-oberthur.c
+index 1fc40f7..4f3aa84 100644
+--- a/src/libopensc/card-oberthur.c
++++ b/src/libopensc/card-oberthur.c
+@@ -228,7 +228,7 @@ auth_init(struct sc_card *card)
+ 	card->caps |= SC_CARD_CAP_RNG;
+ 	card->caps |= SC_CARD_CAP_USE_FCI_AC;
+
+-	if (auth_select_aid(card))   {
++	if (auth_select_aid(card)) {
+ 		sc_log(card->ctx, "Failed to initialize %s", card->name);
+ 		rv = SC_ERROR_INVALID_CARD;
+ 		LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_INVALID_CARD, "Failed to initialize");
+@@ -259,7 +259,7 @@ static void
+ add_acl_entry(struct sc_card *card, struct sc_file *file, unsigned int op,
+ 		unsigned char acl_byte)
+ {
+-	if ((acl_byte & 0xE0) == 0x60)   {
++	if ((acl_byte & 0xE0) == 0x60) {
+ 		sc_log(card->ctx, "called; op 0x%X; SC_AC_PRO; ref 0x%X", op, acl_byte);
+ 		sc_file_add_acl_entry(file, op, SC_AC_PRO, acl_byte);
+ 		return;
+@@ -590,10 +590,10 @@ auth_list_files(struct sc_card *card, unsigned char *buf, size_t buflen)
+ 	if (apdu.resplen == 0x100 && rbuf[0]==0 && rbuf[1]==0)
+ 		LOG_FUNC_RETURN(card->ctx, 0);
+
+-	buflen = buflen < apdu.resplen ? buflen : apdu.resplen;
++	buflen = MIN(buflen, apdu.resplen);
+ 	memcpy(buf, rbuf, buflen);
+
+-	LOG_FUNC_RETURN(card->ctx, buflen);
++	LOG_FUNC_RETURN(card->ctx, (int)buflen);
+ }
+
+
+@@ -1115,9 +1115,9 @@ auth_compute_signature(struct sc_card *card, const unsigned char *in, size_t ile
+ 	apdu.datalen = ilen;
+ 	apdu.data = in;
+ 	apdu.lc = ilen;
+-	apdu.le = olen > 256 ? 256 : olen;
++	apdu.le = MIN(olen, SC_MAX_APDU_RESP_SIZE);
+ 	apdu.resp = resp;
+-	apdu.resplen = olen;
++	apdu.resplen = SC_MAX_APDU_BUFFER_SIZE;
+
+ 	rv = sc_transmit_apdu(card, &apdu);
+ 	LOG_TEST_RET(card->ctx, rv, "APDU transmit failed");
+@@ -1161,14 +1161,14 @@ auth_decipher(struct sc_card *card, const unsigned char *in, size_t inlen,
+ 	}
+
+ 	_inlen = inlen;
+-	if (_inlen == 256)   {
++	if (_inlen == SC_MAX_APDU_RESP_SIZE)   {
+ 		apdu.cla |= 0x10;
+ 		apdu.data = in;
+ 		apdu.datalen = 8;
+ 		apdu.resp = resp;
+ 		apdu.resplen = SC_MAX_APDU_BUFFER_SIZE;
+ 		apdu.lc = 8;
+-		apdu.le = 256;
++		apdu.le = SC_MAX_APDU_RESP_SIZE;
+
+ 		rv = sc_transmit_apdu(card, &apdu);
+ 		sc_log(card->ctx, "rv %i", rv);
+@@ -1477,7 +1477,7 @@ auth_read_component(struct sc_card *card, enum SC_CARDCTL_OBERTHUR_KEY_TYPE type
+ {
+ 	struct sc_apdu apdu;
+ 	int rv;
+-	unsigned char resp[256];
++	unsigned char resp[SC_MAX_APDU_RESP_SIZE];
+
+ 	LOG_FUNC_CALLED(card->ctx);
+ 	sc_log(card->ctx, "num %i, outlen %"SC_FORMAT_LEN_SIZE_T"u, type %i",
+@@ -2129,7 +2129,7 @@ auth_read_binary(struct sc_card *card, unsigned int offset,
+ 	if (auth_current_ef->magic==SC_FILE_MAGIC &&
+ 			auth_current_ef->ef_structure == SC_CARDCTL_OBERTHUR_KEY_RSA_PUBLIC)   {
+ 		int jj;
+-		unsigned char resp[256];
++		unsigned char resp[SC_MAX_APDU_RESP_SIZE];
+ 		size_t resp_len, out_len;
+ 		struct sc_pkcs15_pubkey_rsa key;
+
+@@ -2214,14 +2214,16 @@ auth_read_record(struct sc_card *card, unsigned int nr_rec,
+ 	if (flags & SC_RECORD_BY_REC_NR)
+ 		apdu.p2 |= 0x04;
+
+-	apdu.le = count;
+-	apdu.resplen = count;
++	apdu.le = MIN(count, SC_MAX_APDU_BUFFER_SIZE);
++	apdu.resplen = SC_MAX_APDU_BUFFER_SIZE;
+ 	apdu.resp = recvbuf;
+
+ 	rv = sc_transmit_apdu(card, &apdu);
+ 	LOG_TEST_RET(card->ctx, rv, "APDU transmit failed");
+ 	if (apdu.resplen == 0)
+ 		LOG_FUNC_RETURN(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2));
++	if (count < apdu.resplen)
++		LOG_FUNC_RETURN(card->ctx, SC_ERROR_WRONG_LENGTH);
+ 	memcpy(buf, recvbuf, apdu.resplen);
+
+ 	rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
+-- 
+2.45.4
+
@@ -3,7 +3,7 @@
 Summary:        Smart card library and applications
 Name:           opensc
 Version:        0.23.0
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -17,6 +17,9 @@ Patch4:         CVE-2024-1454.patch
 Patch5:         CVE-2023-40660.patch
 Patch6:         CVE-2023-40661.patch
 Patch7:         CVE-2024-45619.patch
+Patch8:         CVE-2025-49010.patch
+Patch9:         CVE-2025-66037.patch
+Patch10:        CVE-2025-66215.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bash-completion
@@ -146,6 +149,9 @@ rm %{buildroot}%{_mandir}/man1/opensc-notify.1*
 %{_mandir}/man5/*
 
 %changelog
+* Fri Apr 03 2026 Azure Linux Security Servicing Account <[email protected]> - 0.23.0-6
+- Patch for CVE-2025-66215, CVE-2025-66037, CVE-2025-49010
+
 * Fri May 16 2025 Akhila Guruju <[email protected]> - 0.23.0-5
 - Patch CVE-2023-40661 and CVE-2024-45619