azurelinux-security · azurelinux-security · Apr 3, 2026
diff --git a/SPECS/opensc/CVE-2025-49010.patch b/SPECS/opensc/CVE-2025-49010.patch
@@ -0,0 +1,73 @@
+From 093ba6fe98c69cfd670e68aedc4bcbc2feb87675 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Thu, 22 May 2025 00:24:32 +0200
+Subject: [PATCH] fixed Stack-buffer-overflow WRITE in GET RESPONSE
+
+The do-while loop in apdu.c requires the output data to be set in any
+case, otherwise non existent data may be copied to the output data.
+
+fixes https://issues.oss-fuzz.com/issues/416351800
+fixes https://issues.oss-fuzz.com/issues/416295951
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/OpenSC/OpenSC/commit/953986f65db61871bbbff72788d861d67d5140c6.patch
+---
+ src/libopensc/card-nqApplet.c | 11 ++++++-----
+ src/libopensc/iso7816.c       |  5 +++--
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/libopensc/card-nqApplet.c b/src/libopensc/card-nqApplet.c
+index b197432..6d40238 100644
+--- a/src/libopensc/card-nqApplet.c
++++ b/src/libopensc/card-nqApplet.c
+@@ -190,9 +190,10 @@ static int nqapplet_finish(struct sc_card *card)
+ 	LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
+ }
+
+-static int nqapplet_get_response(struct sc_card *card, size_t *cb_resp, u8 *resp)
++static int
++nqapplet_get_response(struct sc_card *card, size_t *cb_resp, u8 *resp)
+ {
+-	struct sc_apdu apdu;
++	struct sc_apdu apdu = {0};
+ 	int rv;
+ 	size_t resplen;
+
+@@ -204,12 +205,12 @@ static int nqapplet_get_response(struct sc_card *card, size_t *cb_resp, u8 *resp
+
+ 	rv = sc_transmit_apdu(card, &apdu);
+ 	LOG_TEST_RET(card->ctx, rv, "APDU transmit failed");
+-	if (apdu.resplen == 0) {
+-		LOG_FUNC_RETURN(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2));
+-	}
+
+ 	*cb_resp = apdu.resplen;
+
++	if (apdu.resplen == 0) {
++		LOG_FUNC_RETURN(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2));
++	}
+ 	if (apdu.sw1 == 0x90 && apdu.sw2 == 0x00) {
+ 		rv = SC_SUCCESS;
+ 	} else if (apdu.sw1 == 0x61) {
+diff --git a/src/libopensc/iso7816.c b/src/libopensc/iso7816.c
+index 93b2707..89eba17 100644
+--- a/src/libopensc/iso7816.c
++++ b/src/libopensc/iso7816.c
+@@ -805,11 +805,12 @@ iso7816_get_response(struct sc_card *card, size_t *count, u8 *buf)
+
+ 	r = sc_transmit_apdu(card, &apdu);
+ 	LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
+-	if (apdu.resplen == 0)
+-		LOG_FUNC_RETURN(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2));
+
+ 	*count = apdu.resplen;
+
++	if (apdu.resplen == 0) {
++		LOG_FUNC_RETURN(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2));
++	}
+ 	if (apdu.sw1 == 0x90 && apdu.sw2 == 0x00)
+ 		r = 0;					/* no more data to read */
+ 	else if (apdu.sw1 == 0x61)
+-- 
+2.45.4
+
diff --git a/SPECS/opensc/CVE-2025-66037.patch b/SPECS/opensc/CVE-2025-66037.patch
@@ -0,0 +1,35 @@
+From 480fe3d3e3833908a91f44ed16f81372d28fa37d Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 25 Nov 2025 15:58:02 +0100
+Subject: [PATCH] pkcs15: Avoid buffer overrun on invalid data
+
+Invalid data can contain zero-length buffer, which after copying
+was dereferenced without length check
+
+Credit: Aldo Ristori
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/OpenSC/OpenSC/commit/65fc211015cfcac27b10d0876054156c97225f50.patch
+---
+ src/libopensc/pkcs15-pubkey.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/libopensc/pkcs15-pubkey.c b/src/libopensc/pkcs15-pubkey.c
+index bc5fa45..4ccb8ad 100644
+--- a/src/libopensc/pkcs15-pubkey.c
++++ b/src/libopensc/pkcs15-pubkey.c
+@@ -1327,6 +1327,10 @@ sc_pkcs15_pubkey_from_spki_fields(struct sc_context *ctx, struct sc_pkcs15_pubke
+ 	       "sc_pkcs15_pubkey_from_spki_fields() called: %p:%"SC_FORMAT_LEN_SIZE_T"u\n%s",
+ 	       buf, buflen, sc_dump_hex(buf, buflen));
+
++	if (buflen < 1) {
++		LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "subjectPublicKeyInfo can not be empty");
++	}
++
+ 	tmp_buf = malloc(buflen);
+ 	if (!tmp_buf) {
+ 		r = SC_ERROR_OUT_OF_MEMORY;
+-- 
+2.45.4
+
diff --git a/SPECS/opensc/opensc.spec b/SPECS/opensc/opensc.spec
@@ -3,7 +3,7 @@
 Summary:        Smart card library and applications
 Name:           opensc
 Version:        0.23.0
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -17,6 +17,8 @@ Patch4:         CVE-2024-1454.patch
 Patch5:         CVE-2023-40660.patch
 Patch6:         CVE-2023-40661.patch
 Patch7:         CVE-2024-45619.patch
+Patch8:         CVE-2025-49010.patch
+Patch9:         CVE-2025-66037.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bash-completion
@@ -146,6 +148,9 @@ rm %{buildroot}%{_mandir}/man1/opensc-notify.1*
 %{_mandir}/man5/*
 
 %changelog
+* Fri Apr 03 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.23.0-6
+- Patch for CVE-2025-66037, CVE-2025-49010
+
 * Fri May 16 2025 Akhila Guruju <v-guakhila@microsoft.com> - 0.23.0-5
 - Patch CVE-2023-40661 and CVE-2024-45619