Bug 23447 - opensc new security issues fixed upstream in 0.19.0
Summary: opensc new security issues fixed upstream in 0.19.0
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-08-15 12:22 CEST by David Walser
Modified: 2019-01-08 22:51 CET (History)
5 users

See Also:
Source RPM: opensc-0.18.0-2.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2018-08-15 12:22:51 CEST
An advisory has been issued on August 14:
http://openwall.com/lists/oss-security/2018/08/14/3

It's not clear if older versions are affected.
Comment 1 Marja Van Waes 2018-08-16 12:30:06 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => mageia
CC: (none) => marja11

Comment 2 Sander Lepik 2018-09-12 12:14:54 CEST
0.19.0-rc1 submitted to cauldron, it should fix the issues. Older versions are probably also affected, but it's quite impossible to patch all those problems. For now I'll call this bug fixed until some more serious CVE is issued.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 3 David Walser 2018-09-16 18:44:25 CEST
Finally a lot more details and CVEs:
https://www.openwall.com/lists/oss-security/2018/09/13/2

Should be enough to justify updating it.

Resolution: FIXED => (none)
Version: Cauldron => 6
Status: RESOLVED => REOPENED

Comment 4 David Walser 2018-10-16 00:00:29 CEST
Fedora has issued an advisory for this on October 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FELOINZJEHXTJ757WSU4HYL5HWENARJH/

It also lists the CVEs. (They also updated it for older Fedora versions.)

Summary: opensc new security issue possibly fixed upstream in 0.19.0 => opensc new security issues fixed upstream in 0.19.0

Comment 5 Sander Lepik 2018-10-27 20:08:13 CEST
It seems that Fedora released the update only for 28 and 29, that's from 0.17.0 to 0.19.0 (major5 -> major6). We have to upgrade from major3 -> major6 and quite a lot of packages depend on opensc-devel, which probably means they would have to be rebuilt too. I'm waiting to see what Debian's gonna do with older versions.
Comment 7 David Walser 2018-11-15 00:32:31 CET
openSUSE has issued advisories for this on November 10:
https://lists.opensuse.org/opensuse-updates/2018-11/msg00040.html
https://lists.opensuse.org/opensuse-updates/2018-11/msg00055.html
Comment 8 Sander Lepik 2019-01-04 20:30:59 CET
I have uploaded 0.19.0 to mga6 core/updates_testing.
Sander Lepik 2019-01-04 20:31:18 CET

Assignee: mageia => qa-bugs

Comment 9 David Walser 2019-01-05 12:48:59 CET
Advisory:
========================

Updated opensc packages fix security vulnerabilities:

Several buffer overflows when handling responses from a Muscle Card in
muscle_list_files in libopensc/card-muscle.c in OpenSC before 0.19.0-rc1 could
be used by attackers able to supply crafted smartcards to cause a denial of
service (application crash) or possibly have unspecified other impact
(CVE-2018-16391).

Several buffer overflows when handling responses from a TCOS Card in
tcos_select_file in libopensc/card-tcos.c in OpenSC before 0.19.0-rc1 could be
used by attackers able to supply crafted smartcards to cause a denial of
service (application crash) or possibly have unspecified other impact
(CVE-2018-16392).

Several buffer overflows when handling responses from a Gemsafe V1 Smartcard
in gemsafe_get_cert_len in libopensc/pkcs15-gemsafeV1.c in OpenSC before
0.19.0-rc1 could be used by attackers able to supply crafted smartcards to
cause a denial of service (application crash) or possibly have unspecified
other impact (CVE-2018-16393).

A buffer overflow when handling string concatenation in util_acl_to_str in
tools/util.c in OpenSC before 0.19.0-rc1 could be used by attackers able to
supply crafted smartcards to cause a denial of service (application crash) or
possibly have unspecified other impact (CVE-2018-16418).

Several buffer overflows when handling responses from a Cryptoflex card in
read_public_key in tools/cryptoflex-tool.c in OpenSC before 0.19.0-rc1 could
be used by attackers able to supply crafted smartcards to cause a denial of
service (application crash) or possibly have unspecified other impact
(CVE-2018-16419).

Several buffer overflows when handling responses from an ePass 2003 Card in
decrypt_response in libopensc/card-epass2003.c in OpenSC before 0.19.0-rc1
could be used by attackers able to supply crafted smartcards to cause a denial
of service (application crash) or possibly have unspecified other impact
(CVE-2018-16420).

Several buffer overflows when handling responses from a CAC Card in
cac_get_serial_nr_from_CUID in libopensc/card-cac.c in OpenSC before
0.19.0-rc1 could be used by attackers able to supply crafted smartcards to
cause a denial of service (application crash) or possibly have unspecified
other impact (CVE-2018-16421).

A single byte buffer overflow when handling responses from an esteid Card in
sc_pkcs15emu_esteid_init in libopensc/pkcs15-esteid.c in OpenSC before
0.19.0-rc1 could be used by attackers able to supply crafted smartcards to
cause a denial of service (application crash) or possibly have unspecified
other impact (CVE-2018-16422).

A double free when handling responses from a smartcard in sc_file_set_sec_attr
in libopensc/sc.c in OpenSC before 0.19.0-rc1 could be used by attackers able
to supply crafted smartcards to cause a denial of service (application crash)
or possibly have unspecified other impact (CVE-2018-16423).

A double free when handling responses in read_file in tools/egk-tool.c (aka
the eGK card tool) in OpenSC before 0.19.0-rc1 could be used by attackers able
to supply crafted smartcards to cause a denial of service (application crash)
or possibly have unspecified other impact (CVE-2018-16424).

A double free when handling responses from an HSM Card in
sc_pkcs15emu_sc_hsm_init in libopensc/pkcs15-sc-hsm.c in OpenSC before
0.19.0-rc1 could be used by attackers able to supply crafted smartcards to
cause a denial of service (application crash) or possibly have unspecified
other impact (CVE-2018-16425).

Endless recursion when handling responses from an IAS-ECC card in
iasecc_select_file in libopensc/card-iasecc.c in OpenSC before 0.19.0-rc1
could be used by attackers able to supply crafted smartcards to hang or crash
programs using the opensc library (CVE-2018-16426).

Various out-of-bounds reads when handling responses in OpenSC before
0.19.0-rc1 could be used by attackers able to supply crafted smartcards to
potentially crash programs using the opensc library (CVE-2018-16427).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16391
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16392
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16393
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16418
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16419
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16420
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16421
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16422
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16423
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16424
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16425
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16426
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16427
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FELOINZJEHXTJ757WSU4HYL5HWENARJH/
========================

Updated packages in core/updates_testing:
========================
opensc-0.19.0-1.mga6
libopensc6-0.19.0-1.mga6
libsmm-local6-0.19.0-1.mga6
libopensc-devel-0.19.0-1.mga6

from opensc-0.19.0-1.mga6.src.rpm

CC: (none) => mageia

Comment 10 Herman Viaene 2019-01-07 13:36:44 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
At CLI:
# systemctl start pcscd
# systemctl -l status pcscd
● pcscd.service - PC/SC Smart Card Daemon
   Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: enabled)
   Active: active (running) since ma 2019-01-07 13:24:28 CET; 5s ago
 Main PID: 25345 (pcscd)
   CGroup: /system.slice/pcscd.service
           └─25345 /usr/sbin/pcscd --foreground --auto-exit

note: pcsc was already installed on this laptop.

then
inserting my eid card in my Vasco eid reader:
$ opensc-explorer 
OpenSC Explorer version 0.19.0
Using reader with a card: VASCO DIGIPASS 870 [CCID] 00 00

$ eidenv 
Using reader with a card: VASCO DIGIPASS 870 [CCID] 00 00
BELPIC_CARDNUMBER: xxxxx
BELPIC_CHIPNUMBER: yyyyyyyyyy
BELPIC_VALIDFROM: 24.02.2016
BELPIC_VALIDTILL: 24.02.2026
BELPIC_DELIVERINGMUNICIPALITY: Antwerpen
etc .....

Side remark: pcscd does not appear in MCC - System - Services before it was activated above, I think that's not normal, unless this laptop is so slow .....

Update OK for me.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 11 Lewis Smith 2019-01-07 18:30:27 CET
Thanks, Herman. Validating & advisoried.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 12 Mageia Robot 2019-01-08 22:51:34 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0019.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

