[AutoPR- Security] Patch opensc for CVE-2026-10275 [LOW] (microsoft#17750)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: kgodara912 <kshigodara@outlook.com>

Author: 3 people

SPECS/opensc/CVE-2026-10275.patch

@@ -0,0 +1,40 @@
+From 85f3528adc97367ff43871aa245cafd16376ba36 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Mon, 11 May 2026 11:00:28 +0200
+Subject: [PATCH] pkcs11-tool: prevent buffer overflow
+
+Reported by @HMF2021 hippofu999
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/OpenSC/OpenSC/commit/814f745b3b6d100295f65f1935edd33d520d33ab.patch
+---
+ src/tools/pkcs11-tool.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index a5f63d9..28e3a03 100644
+--- a/src/tools/pkcs11-tool.c
++++ b/src/tools/pkcs11-tool.c
+@@ -1342,6 +1342,8 @@ int main(int argc, char * argv[])
+ 		}
+ 		if (opt_uri->id) {
+ 			opt_object_id_len = opt_uri->id_len;
++			if (opt_object_id_len > sizeof(opt_object_id))
++				util_fatal("URI's object ID too long");
+ 			memcpy(opt_object_id, opt_uri->id, opt_object_id_len);
+ 		}
+ 	}
+@@ -9617,6 +9619,10 @@ static CK_SESSION_HANDLE test_kpgen_certwrite(CK_SLOT_ID slot, CK_SESSION_HANDLE
+ 		return session;
+ 	}
+ 	opt_object_id_len = (size_t) i;
++	if (opt_object_id_len > sizeof(opt_object_id)) {
++		fprintf(stderr, "ERR: object ID too long\n");
++		return session;
++	}
+ 	memcpy(opt_object_id, tmp, opt_object_id_len);
+ 
+ 	/* This is done in NSS */
+-- 
+2.45.4
+

SPECS/opensc/opensc.spec

@@ -1,6 +1,6 @@
 Name:           opensc
 Version:        0.27.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Smart card library and applications
 
 License:        LGPL-2.1-or-later AND BSD-3-Clause
@@ -9,9 +9,10 @@ Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Source0:        https://github.com/OpenSC/OpenSC/releases/download/%{version}/%{name}-%{version}.tar.gz
 Source1:        opensc.module
-Patch1:         opensc-0.19.0-pinpad.patch
+Patch0:         opensc-0.19.0-pinpad.patch
 # File caching by default (#2000626)
-Patch8:         %{name}-0.22.0-file-cache.patch
+Patch1:         %{name}-0.22.0-file-cache.patch
+Patch2:         CVE-2026-10275.patch
 
 BuildRequires:  make
 BuildRequires:  pcsc-lite-devel
@@ -48,9 +49,7 @@ every software/card that does so, too.
 
 
 %prep
-%setup -q
-%patch 1 -p1 -b .pinpad
-%patch 8 -p1 -b .file-cache
+%autosetup -p1
 
 # The test-pkcs11-tool-allowed-mechanisms already works in Fedora
 sed -i -e '/XFAIL_TESTS/,$ {
@@ -204,6 +203,9 @@ rm %{buildroot}%{_mandir}/man1/opensc-notify.1*
 
 
 %changelog
+* Wed Jun 17 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.27.1-2
+- Patch for CVE-2026-10275
+
 * Tue Mar 31 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 0.27.1-1
 - Auto-upgrade to 0.27.1 - for CVE-2025-13763, CVE-2025-49010, CVE-2025-66215, CVE-2025-66038, CVE-2025-66037