A CVE has been assigned for a security issue fixed upstream in pcsc-lite: http://openwall.com/lists/oss-security/2017/01/03/3 The fix is included in 1.8.20, and the upstream commit to fix the issue is linked in the message above. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
URL: (none) => https://lwn.net/Vulnerabilities/710626/
I have uploaded a patched package for Mageia 5 and freeze push request is submitted for cauldron. I have no idea how to test it. Suggested advisory: ======================== Updated pcsc-lite packages fix security vulnerability: Once MSGRemoveContext is invoked (via SCARD_RELEASE_CONTEXT), cardsList is freed. A repeated invocation of SCARD_RELEASE_CONTEXT (with an empty context handle) results in a use-after-free followed by a double-free. After MSGRemoveContext, invocation of SCardEstablishContext enable further use-after-free of cardsList in MSGCheckHandleAssociation, MSGRemoveContext, MSGAddHandle, MSGRemoveHandle. To avoid this problem, destroy the list only when the client connection is terminated. References: http://openwall.com/lists/oss-security/2017/01/03/3 ======================== Updated packages in core/updates_testing: ======================== lib(64)pcsclite-devel-1.8.11-4.1.mga5 pcsc-lite-1.8.11-4.1.mga5 lib(64)pcscspy0-1.8.11-4.1.mga5 pcsc-spy-1.8.11-4.1.mga5 pcsc-lite-doc-1.8.11-4.1.mga5 lib(64)pcsclite1-1.8.11-4.1.mga5 Source RPMs: pcsc-lite-1.8.11-4.1.mga5.src.rpm
Assignee: mageia => qa-bugs
CC: (none) => mageiaVersion: Cauldron => 5Whiteboard: MGA5TOO => (none)
MGA5-32 on AcerD620 No installation issues Installed additionally beid-middleware from repos and eid-viewer from Belgian government site and the eid-viewer read and displayed my eid (electronic identity) card OK. Sidenote: I am the someone very gratefull who builds the beid-middleware rpm, and asks very humbly whether she/he could do the same for the eid-viewer.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA5-32-OK
CC: (none) => lewyssmithWhiteboard: MGA5-32-OK => MGA5-32-OK advisory
@Herman Thank you for your authentic test. Given the specialised nature of this update, and Herman's real-life OK, I am validating it.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0026.html
Status: NEW => RESOLVEDResolution: (none) => FIXED