fix CVE-2021-34193

0002-Prevent_stack_buffer_overflow_when_empty_ACL_is_returned.patch

@@ -0,0 +1,26 @@
+From ae1cf0be90396fb6c0be95829bf0d3eecbd2fd1c Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 11 Feb 2021 11:22:54 +0100
+Subject: [PATCH] iasecc: Prevent stack buffer overflow when empty ACL is
+ returned
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800
+---
+ src/libopensc/card-iasecc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/card-iasecc.c b/src/libopensc/card-iasecc.c
+index 166bc307bc..0eec63363a 100644
+--- a/src/libopensc/card-iasecc.c
++++ b/src/libopensc/card-iasecc.c
+@@ -1251,7 +1251,7 @@ iasecc_process_fci(struct sc_card *card, struct sc_file *file,
+ 	else
+ 		acls = sc_asn1_find_tag(ctx, buf, buflen, IASECC_DOCP_TAG_ACLS_CONTACT, &taglen);
+ 
+-	if (!acls)   {
++	if (!acls || taglen < 7)   {
+ 		sc_log(ctx,
+ 		       "ACLs not found in data(%"SC_FORMAT_LEN_SIZE_T"u) %s",
+ 		       buflen, sc_dump_hex(buf, buflen));

opensc.spec

@@ -3,12 +3,13 @@
 
 Name:            opensc
 Version:         0.23.0
-Release:         2
+Release:         3
 License:         LGPL-2.1-or-later
 Summary:         Smart card library and applications
 URL:             https://github.com/OpenSC/OpenSC/wiki
 Source0:         https://github.com/OpenSC/OpenSC/releases/download/%{version}/%{name}-%{version}.tar.gz
 Patch0:          0001-correct_left_length_calculation_to_fix_buffer.patch
+Patch1:          0002-Prevent_stack_buffer_overflow_when_empty_ACL_is_returned.patch
 
 BuildRequires:   openssl-devel pcsc-lite-devel bash-completion docbook-style-xsl readline-devel
 BuildRequires:   desktop-file-utils /usr/bin/xsltproc autoconf automake libtool gcc
@@ -139,6 +140,9 @@ make check
 %{_datadir}/opensc/
 
 %changelog
+* Wed Sep 6 2023 Zhengxin Guo <guozhengxin@kylinos.cn> - 0.23.0-3
+- fix CVE-2021-34193
+
 * Tue Sep 5 2023 Zhengxin Guo <guozhengxin@kylinos.cn> - 0.23.0-2
 - fix CVE-2023-2977