Bug 34087 - opensc new security issues CVE-2024-8443, CVE-2024-4561[5-9] and CVE-2024-45620
Summary: opensc new security issues CVE-2024-8443, CVE-2024-4561[5-9] and CVE-2024-45620
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal (severity: normal)
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-03-12 14:50 CET by Nicolas Salguero
Modified: 2025-03-13 19:25 CET (History)

See Also:
Source RPM: opensc-0.25.0-1.mga9.src.rpm
CVE: CVE-2024-8443, CVE-2024-45615, CVE-2024-45616, CVE-2024-45617, CVE-2024-45618, CVE-2024-45619, CVE-2024-45620
Status comment:



Description Nicolas Salguero 2025-03-12 14:50:45 CET
Ubuntu has issued an advisory on March 12:
https://ubuntu.com/security/notices/USN-7346-1

Those problems are fixed in version 0.26 so Cauldron is not affected.
Nicolas Salguero 2025-03-12 14:51:36 CET

CVE: (none) => CVE-2024-8443, CVE-2024-45615, CVE-2024-45616, CVE-2024-45617, CVE-2024-45618, CVE-2024-45619, CVE-2024-45620
Source RPM: (none) => opensc-0.25.0-1.mga9.src.rpm
Status comment: (none) => Patches available from Ubuntu

Comment 1 Nicolas Salguero 2025-03-12 15:06:56 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Heap buffer overflow in openpgp driver when generating a key. (CVE-2024-8443)

Usage of uninitialized values in libopensc and pkcs15init. (CVE-2024-45615)

Uninitialized values after incorrect check or usage of APDU response values in libopensc. (CVE-2024-45616)

Uninitialized values after incorrect or missing checking return values of functions in libopensc. (CVE-2024-45617)

Uninitialized values after incorrect or missing checking return values of functions in pkcs15init. (CVE-2024-45618)

Incorrect handling of the length of buffers or files in libopensc. (CVE-2024-45619)

Incorrect handling of the length of buffers or files in pkcs15init. (CVE-2024-45620)

References:
https://ubuntu.com/security/notices/USN-7346-1
========================

Updated packages in core/updates_testing:
========================
lib(64)opensc11-0.25.0-1.1.mga9
lib(64)opensc-devel-0.25.0-1.1.mga9
lib(64)smm-local11-0.25.0-1.1.mga9
opensc-0.25.0-1.1.mga9

from SRPM:
opensc-0.25.0-1.1.mga9.src.rpm

Status comment: Patches available from Ubuntu => (none)
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED

katnatek 2025-03-12 23:46:46 CET

Keywords: (none) => advisory

Comment 2 Herman Viaene 2025-03-13 11:41:52 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues, additionally installing Belgian eid-middleware and dependencies

Using eidenv (from opensc):
$ eidenv
Using reader with a card: VASCO DIGIPASS 870 [CCID] 00 00
BELPIC_CARDNUMBER: .....
etc...
Using eid-viewer from Belgian package:
displays picture and info OK.
Good to go.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2025-03-13 18:53:34 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 4 Mageia Robot 2025-03-13 19:25:48 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0096.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

