Debian Bug report logs -
#607781
pcsc-lite: buffer overflow
Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>
Date: Wed, 22 Dec 2010 04:12:05 UTC
Severity: important
Tags: fixed-upstream, security
Found in versions 1.4.102-1+lenny3, 1.4.102-1
Fixed in versions pcsc-lite/1.5.5-4, pcsc-lite/1.4.102-1+lenny4
Done: Steve Kemp <skx@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Ludovic Rousseau <rousseau@debian.org>:
Bug#607781; Package pcsc-lite.
(Wed, 22 Dec 2010 04:12:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Ludovic Rousseau <rousseau@debian.org>.
(Wed, 22 Dec 2010 04:12:08 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
package: pcsc-lite
version: 1.4.102-1+lenny3
severity: serious
tags: security
an advisory has been issued for pcsc-lite:
http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-atr-handler-buffer-overflow_2010-12-13.pdf
i have checked that the vulnerable code is present in both lenny and
sid.
mike
Bug Marked as found in versions 1.4.102-1.
Request was from Michael Gilbert <michael.s.gilbert@gmail.com>
to control@bugs.debian.org.
(Wed, 22 Dec 2010 15:09:06 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Ludovic Rousseau <rousseau@debian.org>:
Bug#607781; Package pcsc-lite.
(Wed, 22 Dec 2010 18:12:05 GMT) (full text, mbox, link).
Acknowledgement sent
to 607781@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Ludovic Rousseau <rousseau@debian.org>.
(Wed, 22 Dec 2010 18:12:05 GMT) (full text, mbox, link).
Message #12 received at 607781@bugs.debian.org (full text, mbox, reply):
severity 607781 important
tags 607781 fixed-upstream
thank
Le 22/12/2010 00:10, Michael Gilbert a écrit :
> package: pcsc-lite
> version: 1.4.102-1+lenny3
> severity: serious
> tags: security
>
> an advisory has been issued for pcsc-lite:
> http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-atr-handler-buffer-overflow_2010-12-13.pdf
>
> i have checked that the vulnerable code is present in both lenny and
> sid.
The problem has been fixed upstream in version pcsc-lite 1.6.5.
pcsc-lite 1.6.6 is available in experimental ans will be uploaded to sid
after squeeze is out.
The attacker needs to have a physical access to the computer and a
specially crafter smart card. I don't plan to fix the problem in squeeze
(so lowering the severity).
Thanks
--
Ludovic
Severity set to 'important' from 'serious'
Request was from Ludovic Rousseau <ludovic.rousseau@gmail.com>
to control@bugs.debian.org.
(Wed, 22 Dec 2010 18:12:06 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream.
Request was from Ludovic Rousseau <ludovic.rousseau@gmail.com>
to control@bugs.debian.org.
(Wed, 22 Dec 2010 18:12:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Ludovic Rousseau <rousseau@debian.org>:
Bug#607781; Package pcsc-lite.
(Wed, 22 Dec 2010 19:45:14 GMT) (full text, mbox, link).
Acknowledgement sent
to Ludovic Rousseau <ludovic.rousseau@gmail.com>:
Extra info received and forwarded to list. Copy sent to Ludovic Rousseau <rousseau@debian.org>.
(Wed, 22 Dec 2010 19:45:14 GMT) (full text, mbox, link).
Message #21 received at 607781@bugs.debian.org (full text, mbox, reply):
Le 22/12/2010 00:10, Michael Gilbert a écrit :
> an advisory has been issued for pcsc-lite:
> http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-atr-handler-buffer-overflow_2010-12-13.pdf
CVE request
http://www.openwall.com/lists/oss-security/2010/12/22/7
Date: Wed, 22 Dec 2010 13:55:08 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>,
Robert Relyea <rrelyea@...hat.com>
Subject: CVE Request -- 1, ccid -- int.overflow leading to array index error
2, pcsc-lite stack-based buffer overflow in ATR decoder [was:
CVE request: opensc buffer overflow ]
Hello Josh, Steve, vendors,
Rafael Dominguez Vega of MWR InfoSecurity reported two more flaws
related with smart cards:
II), pcsc-lite: Stack-based buffer overflow in Answer-to-Reset (ATR)
decoder
Description:
A stack-based buffer overflow flaw was found in the way
PC/SC Lite smart card framework decoded certain attribute
values of the Answer-to-Reset (ATR) message, received back
from the card after connecting. A local attacker could
use this flaw to execute arbitrary code with the privileges
of the user running the pcscd daemon, via a malicious smart
card inserted to the system USB port.
References:
[1]
http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-atr-handler-buffer-overflow_2010-12-13.pdf
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607781
[3] http://www.vupen.com/english/advisories/2010/3264
[4] https://bugzilla.redhat.com/show_bug.cgi?id=664999
Upstream changeset:
[5]
http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004923.html
Could you allocate CVE ids for these two too?
Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
--
Dr. Ludovic Rousseau
Information forwarded
to debian-bugs-dist@lists.debian.org, Ludovic Rousseau <rousseau@debian.org>:
Bug#607781; Package pcsc-lite.
(Thu, 23 Dec 2010 17:18:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Ludovic Rousseau <rousseau@debian.org>.
(Thu, 23 Dec 2010 17:18:05 GMT) (full text, mbox, link).
Message #26 received at 607781@bugs.debian.org (full text, mbox, reply):
On Wed, 22 Dec 2010 18:51:33 +0100, Ludovic Rousseau wrote:
> To trigger the bug the attacker needs to connect a serial reader to the
> host. And then needs to have a physical access to the computer.
>
> To enable the serial reader the attacker needs to edit the file
> /etc/reader.conf and configure the use of the connected serial reader.
> So the attacker must have root access to trigger the buffer overflow.
An administrator making use of a serial card reader is likely to have
done this prior to the attacker having access to the reader.
> I downgrade the severity to important. I don't think I will fix the bug
> for squeeze.
I don't want to blow things out of proportion, but these bugs
completely violate the security model that is intended by card readers.
So even though the exploit is difficult and requires local access, it is
a real issue and really needs to be fixed.
I don't want to play bts ping pong, but this really should be fixed for
squeeze (making it RC). I suggest re-raising severity, and I will apply
the patches myself (since they're rather modest) if you aren't willing
to do so yourself. I'll also do an SPU for lenny.
Best wishes,
Mike
Information forwarded
to debian-bugs-dist@lists.debian.org, Ludovic Rousseau <rousseau@debian.org>:
Bug#607781; Package pcsc-lite.
(Fri, 24 Dec 2010 10:06:02 GMT) (full text, mbox, link).
Acknowledgement sent
to 607781@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Ludovic Rousseau <rousseau@debian.org>.
(Fri, 24 Dec 2010 10:06:03 GMT) (full text, mbox, link).
Message #31 received at 607781@bugs.debian.org (full text, mbox, reply):
Le 22/12/2010 19:00, Ludovic Rousseau a écrit :
> Le 22/12/2010 00:10, Michael Gilbert a écrit :
>> package: pcsc-lite
>> version: 1.4.102-1+lenny3
>> severity: serious
>> tags: security
>>
>> an advisory has been issued for pcsc-lite:
>> http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-atr-handler-buffer-overflow_2010-12-13.pdf
>>
>>
>> i have checked that the vulnerable code is present in both lenny and
>> sid.
>
> The problem has been fixed upstream in version pcsc-lite 1.6.5.
> pcsc-lite 1.6.6 is available in experimental ans will be uploaded to sid
> after squeeze is out.
>
> The attacker needs to have a physical access to the computer and a
> specially crafter smart card. I don't plan to fix the problem in squeeze
> (so lowering the severity).
Michael, go for the RC severity and NMU. I can't do the upload now myself.
The upstream corrective patche is in SVN revision 5370.
http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004923.html
Thanks
--
Dr. Ludovic Rousseau
Information forwarded
to debian-bugs-dist@lists.debian.org, Ludovic Rousseau <rousseau@debian.org>:
Bug#607781; Package pcsc-lite.
(Wed, 19 Jan 2011 16:39:02 GMT) (full text, mbox, link).
Acknowledgement sent
to 607781@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Ludovic Rousseau <rousseau@debian.org>.
(Wed, 19 Jan 2011 16:39:03 GMT) (full text, mbox, link).
Message #36 received at 607781@bugs.debian.org (full text, mbox, reply):
Le 22/12/10 20:42, Ludovic Rousseau a écrit :
> Le 22/12/2010 00:10, Michael Gilbert a écrit :
>> an advisory has been issued for pcsc-lite:
>> http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-atr-handler-buffer-overflow_2010-12-13.pdf
>>
>
> CVE request
> http://www.openwall.com/lists/oss-security/2010/12/22/7
This security issue got number CVE-2010-4531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4531
I will try to provide an update for pcsc-lite 1.4.102-1+lenny3 present
in lenny/stable.
--
Dr. Ludovic Rousseau
Reply sent
to Ludovic Rousseau <rousseau@debian.org>:
You have taken responsibility.
(Sat, 22 Jan 2011 11:21:15 GMT) (full text, mbox, link).
Notification sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer.
(Sat, 22 Jan 2011 11:21:15 GMT) (full text, mbox, link).
Message #41 received at 607781-close@bugs.debian.org (full text, mbox, reply):
Source: pcsc-lite
Source-Version: 1.5.5-4
We believe that the bug you reported is fixed in the latest version of
pcsc-lite, which is due to be installed in the Debian FTP archive:
libpcsclite-dev_1.5.5-4_amd64.deb
to main/p/pcsc-lite/libpcsclite-dev_1.5.5-4_amd64.deb
libpcsclite1_1.5.5-4_amd64.deb
to main/p/pcsc-lite/libpcsclite1_1.5.5-4_amd64.deb
pcsc-lite_1.5.5-4.diff.gz
to main/p/pcsc-lite/pcsc-lite_1.5.5-4.diff.gz
pcsc-lite_1.5.5-4.dsc
to main/p/pcsc-lite/pcsc-lite_1.5.5-4.dsc
pcscd_1.5.5-4_amd64.deb
to main/p/pcsc-lite/pcscd_1.5.5-4_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 607781@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ludovic Rousseau <rousseau@debian.org> (supplier of updated pcsc-lite package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 22 Jan 2011 11:57:15 +0100
Source: pcsc-lite
Binary: pcscd libpcsclite-dev libpcsclite1
Architecture: source amd64
Version: 1.5.5-4
Distribution: unstable
Urgency: high
Maintainer: Ludovic Rousseau <rousseau@debian.org>
Changed-By: Ludovic Rousseau <rousseau@debian.org>
Description:
libpcsclite-dev - Middleware to access a smart card using PC/SC (development files)
libpcsclite1 - Middleware to access a smart card using PC/SC (library)
pcscd - Middleware to access a smart card using PC/SC (daemon side)
Closes: 607781
Changes:
pcsc-lite (1.5.5-4) unstable; urgency=high
.
* Fix CVE-2010-4531: buffer overflow in the ATRDecodeAtr function in the
Answer-to-Reset (ATR) Handler (atrhandler.c)
* Closes: #607781 "pcsc-lite: buffer overflow"
Checksums-Sha1:
bf5d71d056fdc00b5b7466195be283c60d534276 1227 pcsc-lite_1.5.5-4.dsc
51088cb8d0bf4cb8c26afe26a58681a8fc3485f6 14478 pcsc-lite_1.5.5-4.diff.gz
bc070f61397aabcd1a1fe08eb5db4577b20d39f2 84356 pcscd_1.5.5-4_amd64.deb
57cd24cb46e8c176f9496bebe63c741984d3f94a 65932 libpcsclite-dev_1.5.5-4_amd64.deb
f49baa445ecd3512093b0385dc5ff01bf5a06b30 48432 libpcsclite1_1.5.5-4_amd64.deb
Checksums-Sha256:
a2936e5d6e11e1701ab93cdef2c98098ae9f40eff68b273217c30f792a4f9f3c 1227 pcsc-lite_1.5.5-4.dsc
80d9bad8f463e6ebb52d99f2bf38685f5e5c6e3ab93c77118d28eab5e37d923a 14478 pcsc-lite_1.5.5-4.diff.gz
ed090050049440f53cdb4ef52b3aeb65327e012538465955821960b2baa2c854 84356 pcscd_1.5.5-4_amd64.deb
0bb1156ce945ccae03ba20848ebdf69362cb314fa20b845510e3bad144adbb17 65932 libpcsclite-dev_1.5.5-4_amd64.deb
82a6dd4d6e7cdb712b911b872bb5a6a56cece14fa6d47fb0d1f6db93d3925e3f 48432 libpcsclite1_1.5.5-4_amd64.deb
Files:
95ee2c6321c0e28d496a19edf8a585e3 1227 misc extra pcsc-lite_1.5.5-4.dsc
c39cc5c1929c03477abc69c45b385e9e 14478 misc extra pcsc-lite_1.5.5-4.diff.gz
d0a71cdda75a66a9aee5a3ebab9990a6 84356 misc extra pcscd_1.5.5-4_amd64.deb
51e6135e2250b7a7923636912c3d0f09 65932 libdevel optional libpcsclite-dev_1.5.5-4_amd64.deb
394fe50bf6240be2a7c78834f4763aeb 48432 libs optional libpcsclite1_1.5.5-4_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk06uQ0ACgkQP0qKj+B/HPlrIQCeMKQmd1zW7DmgkW/8nR+0mz4Q
DRYAn3Om+Xy7reVRjlGCGf+Y77dRzjLt
=iPw1
-----END PGP SIGNATURE-----
Reply sent
to Steve Kemp <skx@debian.org>:
You have taken responsibility.
(Thu, 03 Feb 2011 01:58:36 GMT) (full text, mbox, link).
Notification sent
to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer.
(Thu, 03 Feb 2011 01:58:37 GMT) (full text, mbox, link).
Message #46 received at 607781-close@bugs.debian.org (full text, mbox, reply):
Source: pcsc-lite
Source-Version: 1.4.102-1+lenny4
We believe that the bug you reported is fixed in the latest version of
pcsc-lite, which is due to be installed in the Debian FTP archive:
libpcsclite-dev_1.4.102-1+lenny4_i386.deb
to main/p/pcsc-lite/libpcsclite-dev_1.4.102-1+lenny4_i386.deb
libpcsclite1_1.4.102-1+lenny4_i386.deb
to main/p/pcsc-lite/libpcsclite1_1.4.102-1+lenny4_i386.deb
pcsc-lite_1.4.102-1+lenny4.diff.gz
to main/p/pcsc-lite/pcsc-lite_1.4.102-1+lenny4.diff.gz
pcsc-lite_1.4.102-1+lenny4.dsc
to main/p/pcsc-lite/pcsc-lite_1.4.102-1+lenny4.dsc
pcscd_1.4.102-1+lenny4_i386.deb
to main/p/pcsc-lite/pcscd_1.4.102-1+lenny4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 607781@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve Kemp <skx@debian.org> (supplier of updated pcsc-lite package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 22 Jan 2011 17:18:19 +0000
Source: pcsc-lite
Binary: pcscd libpcsclite-dev libpcsclite1
Architecture: source i386
Version: 1.4.102-1+lenny4
Distribution: stable-security
Urgency: high
Maintainer: Ludovic Rousseau <rousseau@debian.org>
Changed-By: Steve Kemp <skx@debian.org>
Description:
libpcsclite-dev - Middleware to access a smart card using PC/SC (development files)
libpcsclite1 - Middleware to access a smart card using PC/SC (library)
pcscd - Middleware to access a smart card using PC/SC (daemon side)
Closes: 607781
Changes:
pcsc-lite (1.4.102-1+lenny4) stable-security; urgency=high
.
* Fix CVE-2010-4531: buffer overflow in the ATRDecodeAtr
function in the Answer-to-Reset (ATR) Handler (atrhandler.c)
* Closes: #607781 "pcsc-lite: buffer overflow"
Checksums-Sha1:
e121272ce3d55a63f7ed016ad4685bfd4ed8ce5b 1269 pcsc-lite_1.4.102-1+lenny4.dsc
2218c2cc164eb8cb4291439b2262afe93ddf22f3 643165 pcsc-lite_1.4.102.orig.tar.gz
ccdd9a2b2c96dd769aed0b446ba12196a980e6e2 14048 pcsc-lite_1.4.102-1+lenny4.diff.gz
3d6143b3943cd6fe1c493add6310ac92801d995f 73472 pcscd_1.4.102-1+lenny4_i386.deb
89937f09fc1ae32f06725015057faf7f25581315 55940 libpcsclite-dev_1.4.102-1+lenny4_i386.deb
e5aba9bad9642dbdc564b8ff3a4a1216653a81f7 42218 libpcsclite1_1.4.102-1+lenny4_i386.deb
Checksums-Sha256:
19adc006593d2bd2c4d03b316a1946c0d085a0c07b309cd51e124cb97790ecc6 1269 pcsc-lite_1.4.102-1+lenny4.dsc
4f9ed23bf9492a6eb24bafda4889ba27ae63eb4242b5da6643309a7f6a499bcf 643165 pcsc-lite_1.4.102.orig.tar.gz
017f66c9b39903dc96b147ce54ca6135f587a6197ad61f808bd203f2e437cd84 14048 pcsc-lite_1.4.102-1+lenny4.diff.gz
9b6297d4f3a0cd81d155b37105fb708c3bf261f2ecbc49196bf92c3d26e2f8f1 73472 pcscd_1.4.102-1+lenny4_i386.deb
1dc160e260d68037560d435947346e034049b415545e51071d0486487feedda0 55940 libpcsclite-dev_1.4.102-1+lenny4_i386.deb
735ad05cd093d0bec0f7e1ebb77c5acafd07a8a6306406e1e492fd5e33a7358f 42218 libpcsclite1_1.4.102-1+lenny4_i386.deb
Files:
51cbcba6a8c68c94d54bcd6f899f3d0b 1269 misc extra pcsc-lite_1.4.102-1+lenny4.dsc
bcfa5dd5d76b3020f94b029da764d288 643165 misc extra pcsc-lite_1.4.102.orig.tar.gz
011e298b7d72799badc6d171ebe809ad 14048 misc extra pcsc-lite_1.4.102-1+lenny4.diff.gz
683fe74ca9e1ac42d89f479d2ac89954 73472 misc extra pcscd_1.4.102-1+lenny4_i386.deb
7eb2f9469cb21874497edc2877ede8da 55940 libdevel optional libpcsclite-dev_1.4.102-1+lenny4_i386.deb
debefaf054cb17a53c19fecfbe530ef9 42218 libs optional libpcsclite1_1.4.102-1+lenny4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk07GksACgkQwM/Gs81MDZ333gCaAltAU0p8Dn/CJ+8Sf8PFMCO0
3ZoAn1NAgR1jWB8tYo3QOCWb6T80QEvx
=NoA5
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 20 Mar 2011 07:48:36 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:32:56 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon