| Summary: | opensc new security issues CVE-2020-26570, CVE-2020-26571 and CVE-2020-26572 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | joequant, mageia, ouaurelien, sysadmin-bugs, yvesbrungard |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | opensc-0.20.0-1.mga7.src.rpm | CVE: | CVE-2020-26570, CVE-2020-26571, CVE-2020-26572 |
| Status comment: | |||
Description
David Walser
2020-11-24 22:17:41 CET
Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)

I added committers in CC.

CC: (none) => joequant, luigiwalser

Updated package uploaded by Sander.

opensc-0.21.0-1.mga7
libopensc7-0.21.0-1.mga7
libsmm-local7-0.21.0-1.mga7
libopensc-devel-0.21.0-1.mga7

from opensc-0.21.0-1.mga7.src.rpm

CC: luigiwalser => mageia

Fedora has issued an advisory for this on December 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EXOHFDMNMO6IDECAGUTB3SJGAGXVRT6S/

Advisory:
========================

Updated opensc packages fix security vulnerabilities:

The Oberthur smart card software driver in OpenSC before 0.21.0-rc1 has a heap-based buffer overflow in sc_oberthur_read_file (CVE-2020-26570).

The gemsafe GPK smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in sc_pkcs15emu_gemsafeGPK_init (CVE-2020-26571).

The TCOS smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in tcos_decipher (CVE-2020-26572).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26570
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26571
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26572
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EXOHFDMNMO6IDECAGUTB3SJGAGXVRT6S/

LC_ALL=C urpmi --media "Core Updates Testing" opensc
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Updates Testing")
lib64opensc7 0.21.0 1.mga7 x86_64
opensc 0.21.0 1.mga7 x86_64
2MB of additional disk space will be used.
1.1MB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y
http://ftp.free.fr/mirrors/mageia.org/distrib/7/x86_64/media/core/updates_testing/opensc-0.21.0-1.mga7.x86_64.rpm
http://ftp.free.fr/mirrors/mageia.org/distrib/7/x86_64/media/core/updates_testing/lib64opensc7-0.21.0-1.mga7.x86_64.rpm
installing lib64opensc7-0.21.0-1.mga7.x86_64.rpm opensc-0.21.0-1.mga7.x86_64.rpm from /var/cache/urpmi/rpms
Preparing... #########################################################################################
1/2: lib64opensc7 #########################################################################################
2/2: opensc #########################################################################################
1/1: removing opensc-0.20.0-1.mga7.x86_64
#########################################################################################
[root@YZenbook Téléchargements]# LC_ALL=C systemctl restart pcscd.service

After that, the access to the site protected by the usage of the smartcard works as previously from Firefox.

CC: (none) => yves.brungard_mageia

David Walser
2021-01-16 15:06:35 CET
Whiteboard: (none) => MGA7-64-OK

Validating. Advisory pushed to SVN.

Keywords: Triaged => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0037.html

Resolution: (none) => FIXED