Bug 27663 - opensc new security issues CVE-2020-26570, CVE-2020-26571 and CVE-2020-26572
Summary: opensc new security issues CVE-2020-26570, CVE-2020-26571 and CVE-2020-26572
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-11-24 22:17 CET by David Walser
Modified: 2021-01-17 17:08 CET (History)

See Also:
Source RPM: opensc-0.20.0-1.mga7.src.rpm
CVE: CVE-2020-26570, CVE-2020-26571, CVE-2020-26572
Status comment:



Description David Walser 2020-11-24 22:17:41 CET
OpenSC 0.21.0 has been released today (November 24), fixing security issues:
https://github.com/OpenSC/OpenSC/releases/tag/0.21.0
Comment 1 Aurelien Oudelet 2020-11-25 18:29:39 CET
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)
I added committers in CC.

CC: (none) => joequant, luigiwalser
Assignee: bugsquad => mageia
Keywords: (none) => Triaged

Comment 2 David Walser 2020-12-10 02:41:13 CET
Updated package uploaded by Sander.

opensc-0.21.0-1.mga7
libopensc7-0.21.0-1.mga7
libsmm-local7-0.21.0-1.mga7
libopensc-devel-0.21.0-1.mga7

from opensc-0.21.0-1.mga7.src.rpm

CC: luigiwalser => mageia
Assignee: mageia => qa-bugs

Comment 3 David Walser 2020-12-15 01:03:03 CET
Fedora has issued an advisory for this on December 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EXOHFDMNMO6IDECAGUTB3SJGAGXVRT6S/
Comment 4 David Walser 2020-12-15 01:32:27 CET
Advisory:
========================

Updated opensc packages fix security vulnerabilities:

The Oberthur smart card software driver in OpenSC before 0.21.0-rc1 has a
heap-based buffer overflow in sc_oberthur_read_file (CVE-2020-26570).

The gemsafe GPK smart card software driver in OpenSC before 0.21.0-rc1 has a
stack-based buffer overflow in sc_pkcs15emu_gemsafeGPK_init (CVE-2020-26571).

The TCOS smart card software driver in OpenSC before 0.21.0-rc1 has a
stack-based buffer overflow in tcos_decipher (CVE-2020-26572).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26570
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26571
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26572
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EXOHFDMNMO6IDECAGUTB3SJGAGXVRT6S/
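All three issues in the advisory share one shape: a smart-card driver fills a fixed or pre-sized buffer from data whose length the card itself controls. The following is an added, constructed illustration of that bug class and of the check that closes it; it is not OpenSC code and does not reproduce the actual Oberthur, GemSAFE or TCOS code paths. The simulated card (sim_card, sim_read_binary), the limits APDU_RESP_MAX and MAX_FILE_SIZE, and the reader functions are all assumptions made for the example.

```c
/* Constructed example: a driver that sizes its destination from one card
 * reply (the file size reported on SELECT) and then copies READ BINARY
 * replies into it using the length the card returned. Not OpenSC code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define APDU_RESP_MAX 256      /* response buffer the transport fills (assumption) */
#define MAX_FILE_SIZE 65535    /* sanity bound on a declared file size (assumption) */

enum { RC_OK = 0, RC_BAD_LENGTH = -1, RC_NOMEM = -2 };

/* Simulated card: declared_size is what SELECT claims the file size is,
 * payload is what READ BINARY actually hands back. A hostile card lies. */
struct sim_card {
    size_t declared_size;
    const uint8_t *payload;
    size_t payload_len;
};

/* Simulated READ BINARY at `offset`. As on a real transport, the only hard
 * limit on the reply is the caller's buffer capacity; the Le the driver
 * asked for (`want`) is just a request that a hostile card ignores. */
static size_t sim_read_binary(const struct sim_card *card, size_t offset,
                              size_t want, uint8_t *resp, size_t resp_cap)
{
    (void)want;
    if (offset >= card->payload_len) return 0;
    size_t n = card->payload_len - offset;
    if (n > resp_cap) n = resp_cap;
    memcpy(resp, card->payload + offset, n);
    return n;
}

/* Vulnerable pattern: trusts the card twice (size, then chunk length) and
 * never compares the two. Never call it on a card whose payload exceeds
 * declared_size: that call is the heap overflow. */
int read_file_unchecked(const struct sim_card *card, uint8_t **out, size_t *out_len)
{
    uint8_t *buf = malloc(card->declared_size);
    if (!buf) return RC_NOMEM;
    size_t offset = 0;
    for (;;) {
        uint8_t resp[APDU_RESP_MAX];
        size_t n = sim_read_binary(card, offset, sizeof resp, resp, sizeof resp);
        if (n == 0) break;
        memcpy(buf + offset, resp, n);   /* BUG: n is bounded by resp, not by buf */
        offset += n;
    }
    *out = buf; *out_len = offset;
    return RC_OK;
}

/* Hardened: bound the declared size, request only what is left, and reject
 * any reply longer than the space remaining in the destination. */
int read_file_checked(const struct sim_card *card, uint8_t **out, size_t *out_len)
{
    if (card->declared_size == 0 || card->declared_size > MAX_FILE_SIZE)
        return RC_BAD_LENGTH;
    uint8_t *buf = malloc(card->declared_size);
    if (!buf) return RC_NOMEM;
    size_t offset = 0;
    while (offset < card->declared_size) {
        uint8_t resp[APDU_RESP_MAX];
        size_t remaining = card->declared_size - offset;
        size_t want = remaining < sizeof resp ? remaining : sizeof resp;
        size_t n = sim_read_binary(card, offset, want, resp, sizeof resp);
        if (n == 0) break;                                        /* card stopped early */
        if (n > remaining) { free(buf); return RC_BAD_LENGTH; }   /* the missing check */
        memcpy(buf + offset, resp, n);
        offset += n;
    }
    *out = buf; *out_len = offset;
    return RC_OK;
}

/* Honest card: both readers agree, so the bug is invisible until a card lies. */
int demo_honest_card(void)
{
    uint8_t data[40];                      /* constructed file content */
    for (size_t i = 0; i < sizeof data; i++) data[i] = (uint8_t)i;
    struct sim_card card = { sizeof data, data, sizeof data };
    uint8_t *a = NULL, *b = NULL; size_t alen = 0, blen = 0;
    int ok = read_file_checked(&card, &a, &alen) == RC_OK && alen == sizeof data
          && read_file_unchecked(&card, &b, &blen) == RC_OK && blen == sizeof data
          && memcmp(a, data, sizeof data) == 0 && memcmp(b, data, sizeof data) == 0;
    free(a); free(b);
    return ok;
}

/* Hostile card: claims a 16-byte file, returns 300 bytes. Only the checked
 * reader is exercised here; the unchecked one would write past a 16-byte heap block. */
int demo_hostile_card_rejected(void)
{
    static uint8_t junk[300];
    memset(junk, 0x41, sizeof junk);
    struct sim_card card = { 16, junk, sizeof junk };
    uint8_t *out = NULL; size_t out_len = 0;
    int rc = read_file_checked(&card, &out, &out_len);
    free(out);                             /* NULL on rejection */
    return rc == RC_BAD_LENGTH && out == NULL;
}

int main(void)
{
    printf("honest card, both readers: %s\n", demo_honest_card() ? "ok" : "FAIL");
    printf("hostile card rejected by checked reader: %s\n",
           demo_hostile_card_rejected() ? "yes" : "NO");
    return 0;
}
```

The point of the checked reader is that the destination capacity, not the reply length, decides how much is copied: a card can always return up to the transport's maximum, so a driver that allocated from an earlier, smaller claim has to re-verify every chunk against what is left. The same rule applies to a fixed-size stack buffer receiving a decrypted or parsed record.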
Comment 5 papoteur 2021-01-16 10:34:51 CET
LC_ALL=C urpmi --media "Core Updates Testing" opensc
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Updates Testing")
  lib64opensc7                   0.21.0       1.mga7        x86_64  
  opensc                         0.21.0       1.mga7        x86_64  
2MB of additional disk space will be used.
1.1MB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y


    http://ftp.free.fr/mirrors/mageia.org/distrib/7/x86_64/media/core/updates_testing/opensc-0.21.0-1.mga7.x86_64.rpm
    http://ftp.free.fr/mirrors/mageia.org/distrib/7/x86_64/media/core/updates_testing/lib64opensc7-0.21.0-1.mga7.x86_64.rpm
installing lib64opensc7-0.21.0-1.mga7.x86_64.rpm opensc-0.21.0-1.mga7.x86_64.rpm from /var/cache/urpmi/rpms                
Preparing...                     #########################################################################################
      1/2: lib64opensc7          #########################################################################################
      2/2: opensc                #########################################################################################
      1/1: removing opensc-0.20.0-1.mga7.x86_64
                                 #########################################################################################   
[root@YZenbook Téléchargements]# LC_ALL=C systemctl restart pcscd.service

After that, the access to the site protected by the usage of the smartcard works as previously from Firefox.

CC: (none) => yves.brungard_mageia

David Walser 2021-01-16 15:06:35 CET

Whiteboard: (none) => MGA7-64-OK

Comment 6 Aurelien Oudelet 2021-01-17 15:54:13 CET
Validating.
Advisory pushed to SVN.

Keywords: Triaged => advisory, validated_update
CVE: (none) => CVE-2020-26570, CVE-2020-26571, CVE-2020-26572
CC: (none) => ouaurelien, sysadmin-bugs

Comment 7 Mageia Robot 2021-01-17 17:08:31 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0037.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

