Debian-LTS has issued an advisory today (December 26): https://www.debian.org/lts/security/2019/dla-2046 Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
OpenSC 0.20.0 has been released, fixing this issue and several others: https://www.openwall.com/lists/oss-security/2019/12/29/1
Status comment: (none) => Fixed upstream in 0.20.0Summary: opensc new security issue CVE-2019-19479 => opensc new security issues CVE-2019-6502, CVE-2019-1594[56], CVE-2019-19479, and CVE-2019-1948[01]
Updated packages uploaded for Mageia 7 and Cauldron by myself and Sander. opensc-0.20.0-1.mga7 libopensc6-0.20.0-1.mga7 libsmm-local6-0.20.0-1.mga7 libopensc-devel-0.20.0-1.mga7 from opensc-0.20.0-1.mga7.src.rpm Advisory to come later.
Version: Cauldron => 7Assignee: mageia => qa-bugsWhiteboard: MGA7TOO => (none)CC: (none) => mageia
Advisory: ======================== Updated opensc packages fix security vulnerabilities: sc_context_create in ctx.c in libopensc in OpenSC 0.19.0 has a memory leak, as demonstrated by a call from eidenv (CVE-2019-6502). OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Bitstring in decode_bit_string in libopensc/asn1.c (CVE-2019-15945). OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Octet string in asn1_decode_entry in libopensc/asn1.c (CVE-2019-15946). An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3. libopensc/card-setcos.c has an incorrect read operation during parsing of a SETCOS file attribute (CVE-2019-19479). An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3. libopensc/pkcs15-prkey.c has an incorrect free operation in sc_pkcs15_decode_prkdf_entry (CVE-2019-19480). An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3. libopensc/card-cac1.c mishandles buffer limits for CAC certificates (CVE-2019-19481). The opensc package has been updated to version 0.20.0, which has fixes for these issues and other improvements. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6502 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15945 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15946 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19479 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19480 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19481 https://github.com/OpenSC/OpenSC/releases/tag/0.20.0 https://www.openwall.com/lists/oss-security/2019/12/29/1
MGA7-64 Plasma on Lenovo B50 No installation issues. Installed pcsc-lite, pcsc-tools and beid-middleware for testing, ref bug 23447. # systemctl start pcscd # systemctl -l status pcscd ● pcscd.service - PC/SC Smart Card Daemon Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled) Active: active (running) since Mon 2020-01-06 15:12:47 CET; 3s ago Docs: man:pcscd(8) Main PID: 25719 (pcscd) Memory: 1.2M CGroup: /system.slice/pcscd.service └─25719 /usr/sbin/pcscd --foreground --auto-exit jan 06 15:12:47 mach5.hviaene.thuis systemd[1]: Started PC/SC Smart Card Daemon. Inserting my eid card in my Vasco eid reader: $ opensc-explorer OpenSC Explorer version 0.20.0 Using reader with a card: VASCO DIGIPASS 870 [CCID] 00 00 OpenSC [3F00]> quit [tester7@mach5 Documenten]$ eidenv Using reader with a card: VASCO DIGIPASS 870 [CCID] 00 00 BELPIC_CARDNUMBER: XXXXXXX BELPIC_CHIPNUMBER: YYYYYYYYYYYYYYY BELPIC_VALIDFROM: 24.02.2016 BELPIC_VALIDTILL: 24.02.2026 and more All works OK
Whiteboard: (none) => MGA7-64-OKCC: (none) => herman.viaene
Validating. Advisory in Comment 3.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmbKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0026.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
This update also fixed CVE-2019-20792: https://access.redhat.com/errata/RHSA-2020:4483