libopensc: CVE-2010-4523: buffer overflow from rogue cards

Debian Bug report logs - #607427
libopensc: CVE-2010-4523: buffer overflow from rogue cards

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Alexander Kurtz <kurtz.alex@googlemail.com>

To: submit@bugs.debian.org

Cc: debian-security@lists.debian.org

Subject: libopensc: protect for possible buffer overflows from rogue cards.

Date: Sat, 18 Dec 2010 11:29:19 +0100

[Message part 1 (text/plain, inline)]

Package: libopensc2
Version: 0.11.4-5+lenny1
Tags: security
Severity: critical

Hi,

a buffer overflow vulnerability was detected in libopensc.

For details please see this press article (German: [1], English: [2])
and the detailed report[3] including a proof-of-concept by MWR
InfoSecurity[4].

The OpenSC developers have released a patch which should fix this
vulnerability[5].

If Debian isn't affected by this vulnerability or if it has already been
fixed, please don't hesitate to downgrade or close this bug.

Best regards

Alexander Kurtz

[1] http://www.heise.de/security/meldung/Wenn-die-Smartcard-den-Rechner-rootet-1154599.html
[2] http://www.h-online.com/open/news/item/When-a-smart-card-can-root-your-computer-1154829.html
[3] http://labs.mwrinfosecurity.com/files/Advisories/mwri_opensc-get-serial-buffer-overflow_2010-12-13.pdf
[4] http://www.mwrinfosecurity.com/index.php
[5] https://www.opensc-project.org/opensc/changeset/4913

[signature.asc (application/pgp-signature, inline)]

Message #22 received at 607427@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: 607427@bugs.debian.org

Subject: opensc: diff for NMU version 0.11.13-1.1

Date: Wed, 22 Dec 2010 14:58:00 +0000

[Message part 1 (text/plain, inline)]

Dear maintainer,

I've prepared an NMU for opensc (versioned as 0.11.13-1.1) and
uploaded it immediately, given the security concern and urgency.

The diff is attached to this message. I have subscribed to the
package in the PTS in case of problems or any further action
required, but please don't hesitate to mail me.

Regards.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

[opensc-0.11.13-1.1-nmu.diff (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #27 received at 607427-close@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: 607427-close@bugs.debian.org

Subject: Bug#607427: fixed in opensc 0.11.13-1.1

Date: Wed, 22 Dec 2010 15:02:12 +0000

Source: opensc
Source-Version: 0.11.13-1.1

We believe that the bug you reported is fixed in the latest version of
opensc, which is due to be installed in the Debian FTP archive:

libopensc2-dbg_0.11.13-1.1_amd64.deb
  to main/o/opensc/libopensc2-dbg_0.11.13-1.1_amd64.deb
libopensc2-dev_0.11.13-1.1_amd64.deb
  to main/o/opensc/libopensc2-dev_0.11.13-1.1_amd64.deb
libopensc2_0.11.13-1.1_amd64.deb
  to main/o/opensc/libopensc2_0.11.13-1.1_amd64.deb
mozilla-opensc_0.11.13-1.1_amd64.deb
  to main/o/opensc/mozilla-opensc_0.11.13-1.1_amd64.deb
opensc_0.11.13-1.1.debian.tar.bz2
  to main/o/opensc/opensc_0.11.13-1.1.debian.tar.bz2
opensc_0.11.13-1.1.dsc
  to main/o/opensc/opensc_0.11.13-1.1.dsc
opensc_0.11.13-1.1_amd64.deb
  to main/o/opensc/opensc_0.11.13-1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 607427@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated opensc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 22 Dec 2010 14:20:22 +0000
Source: opensc
Binary: opensc libopensc2-dev libopensc2 libopensc2-dbg mozilla-opensc
Architecture: source amd64
Version: 0.11.13-1.1
Distribution: unstable
Urgency: high
Maintainer: Eric Dorland <eric@debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description: 
 libopensc2 - Smart card library with support for PKCS#15 compatible smart card
 libopensc2-dbg - Debugging symbols for libopensc2
 libopensc2-dev - OpenSC development files
 mozilla-opensc - Mozilla plugin for authentication using OpenSC
 opensc     - Smart card utilities with support for PKCS#15 compatible cards
Closes: 607427
Changes: 
 opensc (0.11.13-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2010-4523: Protect against buffer overflow from rogue cards
     (closes: #607427)
Checksums-Sha1: 
 98b9be9d1dd9da7cee566f38f110114d9d39bd08 1995 opensc_0.11.13-1.1.dsc
 67b12fc2c2d962c70dc9d98277981b0b57bb4f2f 10383 opensc_0.11.13-1.1.debian.tar.bz2
 0fe697179c4b587430dc0d97c6912f5b32e4f26e 339498 opensc_0.11.13-1.1_amd64.deb
 ea47e3d73b5040ac743d8747eecf87bb7c6c1b7d 861132 libopensc2-dev_0.11.13-1.1_amd64.deb
 e317759ea441a247da7c18727ec751e356d5aa61 702590 libopensc2_0.11.13-1.1_amd64.deb
 804febc2a1ae20e6699a9f3dcffb5476492004b2 1393148 libopensc2-dbg_0.11.13-1.1_amd64.deb
 e20e8821805483e04e4de227fcb868ded9c20a19 191686 mozilla-opensc_0.11.13-1.1_amd64.deb
Checksums-Sha256: 
 396843a723b9c5989dab644f1675e3362471b9d48089b34e5399b776dc1ff390 1995 opensc_0.11.13-1.1.dsc
 84c0b02d981d7384cbab9fae57b92a14feeaf7befe89efe2581c1bc7bf466157 10383 opensc_0.11.13-1.1.debian.tar.bz2
 03181ca349896de431439fafcc4d9708ceeebddbb6993c3166bec3326cd25fdf 339498 opensc_0.11.13-1.1_amd64.deb
 d445ab45b6645f9c1b6cef171cbd1c0683d36f8efba36e8a30072c2c8b3c615d 861132 libopensc2-dev_0.11.13-1.1_amd64.deb
 296b612b388d9079b9e0919d977fc117b62556ea0fe96cda25ef3550b8203171 702590 libopensc2_0.11.13-1.1_amd64.deb
 53f425d44366a183f5aa8d7fce00ec03387934616d108529230f1d1da44e93ef 1393148 libopensc2-dbg_0.11.13-1.1_amd64.deb
 9e5d312d2b553b01437d7297086a563c3f3196957a1c02ef0494659da37d9bfc 191686 mozilla-opensc_0.11.13-1.1_amd64.deb
Files: 
 9bd07d38a0ad43343cda22986c6f2594 1995 utils extra opensc_0.11.13-1.1.dsc
 fe093bdea970f4171fe1cff6d1a52656 10383 utils extra opensc_0.11.13-1.1.debian.tar.bz2
 07624a417507b5412b1100ab829efa9c 339498 utils extra opensc_0.11.13-1.1_amd64.deb
 d791fbe053a5498c05807c219c26191d 861132 libdevel optional libopensc2-dev_0.11.13-1.1_amd64.deb
 e255900a05e80c9a251378c98bcceea9 702590 libs optional libopensc2_0.11.13-1.1_amd64.deb
 3237388638ec1ed308d95681e3db90f1 1393148 debug extra libopensc2-dbg_0.11.13-1.1_amd64.deb
 408ee99729e2ca267fed3864413c2c97 191686 web extra mozilla-opensc_0.11.13-1.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJNEg64AAoJEFOUR53TUkxR7KAQAIpHv8dbGEwt8OcnSFtWoW6a
IQKli05qud+e2+ivAqy4IXSbOS4qwuyWOF1GdgaRGiQXkf8S9+M8x/stpJgqyMo+
a7Oynl+llO445z8TYRzhEXGSvxnEYIbtOyPQITOrmMjpzwhMp7JpF4LfoNOhhsTc
MrZB9G1VatImt7XbFucz1SrMR/hrrLRC56bo3lgXvs5fkXKgdBhxJf86RqVIogTM
/rzTtndNtGPwzAiaMXutAKCwAua5+QG+ZHjSfAe30llCDxiyTbwt+JPpcqsu7zPT
GmjTJpVmhyiKC0c9XH5g0MQfwGXe5S3+EB+oQyFUVb5iibX6uisvgNpHTJgsWXz8
Sjc4dNbOIuDAUp3qDNFtZ7ReVZYuuXf1ySQGc0FK9wEbLYJu37ugaOW7vYMClcHH
rbhKGsVGPTTb+iaiNbwKR+VH/CLj9IbRRRTsNN3Nfk1eN/awzAWKpNCcDzOTISIq
csGEzYWLfK3pyBxISiKrZNXqq14fPMtIJCaeeS+kTBd8gNhQQxy853ozIIg0iVA4
QxIVqwSy4lCZWBAbyCULCUzo+v7VHUhJCrv9jgm5tBew7fq4m6bgLtt/qGTNj4PV
k0fz+o4V5BOlp6S5FOwwz4c0PZsYcBfhxAtm4+IFaluAqIGA0e6KqOsyRhlfxrYn
2PWmAX6UNa3P/B5/otcW
=Z/9a
-----END PGP SIGNATURE-----

Message #39 received at 607427@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: debian-release@lists.debian.org

Cc: 607427@bugs.debian.org

Subject: [SRM] Proposed stable update for opensc (maybe nmu; fixes CVE-2010-4523)

Date: Wed, 22 Dec 2010 15:40:55 +0000

[Message part 1 (text/plain, inline)]

This patch has come from two upstream commits to fix the CVE and the
debdiff for an nmu is attached. If it's ok with you, I'll go ahead with if
the maintainer hasn't already done so in a day or so.

jmm has confirmed there will be no DSA for it.

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

[opensc-stable.debdiff (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #44 received at 607427@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>

To: Jonathan Wiltshire <jmw@debian.org>

Cc: debian-release@lists.debian.org, 607427@bugs.debian.org

Subject: Re: [SRM] Proposed stable update for opensc (maybe nmu; fixes CVE-2010-4523)

Date: Thu, 23 Dec 2010 17:28:01 +0100

[Message part 1 (text/plain, inline)]

On Wed, Dec 22, 2010 at 15:40:55 +0000, Jonathan Wiltshire wrote:

> This patch has come from two upstream commits to fix the CVE and the
> debdiff for an nmu is attached. If it's ok with you, I'll go ahead with if
> the maintainer hasn't already done so in a day or so.
> 
> jmm has confirmed there will be no DSA for it.
> 
Does this include the fixes for the issues referenced in
http://article.gmane.org/gmane.comp.security.oss.general/3978, assuming
lenny is affected?  (AFAICT they don't have CVE IDs yet)

Cheers,
Julien

[signature.asc (application/pgp-signature, inline)]

Message #49 received at 607427@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>

To: debian-release@lists.debian.org, 607427@bugs.debian.org

Subject: Re: [SRM] Proposed stable update for opensc (maybe nmu; fixes CVE-2010-4523)

Date: Thu, 23 Dec 2010 11:53:24 -0500

On Thu, 23 Dec 2010 17:28:01 +0100, Julien Cristau wrote:
> On Wed, Dec 22, 2010 at 15:40:55 +0000, Jonathan Wiltshire wrote:
> 
> > This patch has come from two upstream commits to fix the CVE and the
> > debdiff for an nmu is attached. If it's ok with you, I'll go ahead with if
> > the maintainer hasn't already done so in a day or so.
> > 
> > jmm has confirmed there will be no DSA for it.
> > 
> Does this include the fixes for the issues referenced in
> http://article.gmane.org/gmane.comp.security.oss.general/3978, assuming
> lenny is affected?  (AFAICT they don't have CVE IDs yet)

No, those affect different packages (pcsc-lite and ccid).  I've checked
and lenny is affected by those as well.

Mike

Message #54 received at 607427@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>

To: Jonathan Wiltshire <jmw@debian.org>

Cc: debian-release@lists.debian.org, 607427@bugs.debian.org

Subject: Re: [SRM] Proposed stable update for opensc (maybe nmu; fixes CVE-2010-4523)

Date: Sun, 26 Dec 2010 22:20:08 +0100

[Message part 1 (text/plain, inline)]

On Wed, Dec 22, 2010 at 15:40:55 +0000, Jonathan Wiltshire wrote:

> This patch has come from two upstream commits to fix the CVE and the
> debdiff for an nmu is attached. If it's ok with you, I'll go ahead with if
> the maintainer hasn't already done so in a day or so.
> 
> jmm has confirmed there will be no DSA for it.
> 
Please go ahead.

Cheers,
Julien

[signature.asc (application/pgp-signature, inline)]

Message #59 received at 607427-close@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: 607427-close@bugs.debian.org

Subject: Bug#607427: fixed in opensc 0.11.4-5+lenny1.1

Date: Mon, 27 Dec 2010 02:00:41 +0000

Source: opensc
Source-Version: 0.11.4-5+lenny1.1

We believe that the bug you reported is fixed in the latest version of
opensc, which is due to be installed in the Debian FTP archive:

libopensc2-dbg_0.11.4-5+lenny1.1_amd64.deb
  to main/o/opensc/libopensc2-dbg_0.11.4-5+lenny1.1_amd64.deb
libopensc2-dev_0.11.4-5+lenny1.1_amd64.deb
  to main/o/opensc/libopensc2-dev_0.11.4-5+lenny1.1_amd64.deb
libopensc2_0.11.4-5+lenny1.1_amd64.deb
  to main/o/opensc/libopensc2_0.11.4-5+lenny1.1_amd64.deb
mozilla-opensc_0.11.4-5+lenny1.1_amd64.deb
  to main/o/opensc/mozilla-opensc_0.11.4-5+lenny1.1_amd64.deb
opensc_0.11.4-5+lenny1.1.diff.gz
  to main/o/opensc/opensc_0.11.4-5+lenny1.1.diff.gz
opensc_0.11.4-5+lenny1.1.dsc
  to main/o/opensc/opensc_0.11.4-5+lenny1.1.dsc
opensc_0.11.4-5+lenny1.1_amd64.deb
  to main/o/opensc/opensc_0.11.4-5+lenny1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 607427@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <jmw@debian.org> (supplier of updated opensc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 22 Dec 2010 15:32:16 +0000
Source: opensc
Binary: opensc libopensc2-dev libopensc2 libopensc2-dbg mozilla-opensc
Architecture: source amd64
Version: 0.11.4-5+lenny1.1
Distribution: stable
Urgency: high
Maintainer: Eric Dorland <eric@debian.org>
Changed-By: Jonathan Wiltshire <jmw@debian.org>
Description: 
 libopensc2 - SmartCard library with support for PKCS#15 compatible smart cards
 libopensc2-dbg - debugging symbols for libopensc2
 libopensc2-dev - OpenSC development files
 mozilla-opensc - Mozilla plugin for authentication using OpenSC
 opensc     - SmartCard utilities with support for PKCS#15 compatible cards
Closes: 607427
Changes: 
 opensc (0.11.4-5+lenny1.1) stable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2010-4523: Protect against buffer overflow from rogue cards
     (closes: #607427)
Checksums-Sha1: 
 98ea7e71bde87d80482c82bd4406965fad839395 1988 opensc_0.11.4-5+lenny1.1.dsc
 b22c5005c2832616868d76be4d2b28e022d33106 60305 opensc_0.11.4-5+lenny1.1.diff.gz
 fbdf15c7e4d8c0202d8080e364ea46b8673441d7 389488 opensc_0.11.4-5+lenny1.1_amd64.deb
 1875b7e91562087b2b7cdf58ee8d6feb219dff94 1220944 libopensc2-dev_0.11.4-5+lenny1.1_amd64.deb
 fa0519a810166f8fbb21e41f224c09eb69860a2d 599580 libopensc2_0.11.4-5+lenny1.1_amd64.deb
 6a764c51d9aa577ad583e646d8ac99f25e4b0cba 1249982 libopensc2-dbg_0.11.4-5+lenny1.1_amd64.deb
 b19adfcfdcb09ade7b66a77e1e024805a746215e 170792 mozilla-opensc_0.11.4-5+lenny1.1_amd64.deb
Checksums-Sha256: 
 4cd49a1728aaef3d714b2958b3086ea834cac37601c67af145aa4209d678a0b1 1988 opensc_0.11.4-5+lenny1.1.dsc
 83c15ebd38b2b489528b7c35b4399eb1bedb4510770879119f5cdc4dffbeffb3 60305 opensc_0.11.4-5+lenny1.1.diff.gz
 4ddd9d85dec3879aad07fec2a7b8c5e4555a71f86e6cf83796aa518171eb57d7 389488 opensc_0.11.4-5+lenny1.1_amd64.deb
 21e8377b7eba65faed574337df08fb5a8572f2500655b1cb950b4d71d8ab22bf 1220944 libopensc2-dev_0.11.4-5+lenny1.1_amd64.deb
 b240b8d0d29dba797308d862fb54b7584315cfd1d5cff017937c8278ec59d1e5 599580 libopensc2_0.11.4-5+lenny1.1_amd64.deb
 b4cccde2327d36503963cee31677f45967ae35a38dea79f90a04644e566b98ff 1249982 libopensc2-dbg_0.11.4-5+lenny1.1_amd64.deb
 b305a65d67ef6c4097e7ab65144edfe6a6a4918eda47f65e5eee374badbfd985 170792 mozilla-opensc_0.11.4-5+lenny1.1_amd64.deb
Files: 
 99f48e9c291e8383eadeb8c4db64e11d 1988 utils extra opensc_0.11.4-5+lenny1.1.dsc
 49ca668f31879fa504a382e3c7f557fb 60305 utils extra opensc_0.11.4-5+lenny1.1.diff.gz
 0b77f6fce55008e895d88ce0adca3cf4 389488 utils extra opensc_0.11.4-5+lenny1.1_amd64.deb
 3caedc1e97393bea324158d3b61992f4 1220944 libdevel optional libopensc2-dev_0.11.4-5+lenny1.1_amd64.deb
 58de77cd72b3d4acf5607787ab4eb600 599580 libs optional libopensc2_0.11.4-5+lenny1.1_amd64.deb
 2e7f3b751a673e6979e2234181f06a99 1249982 devel extra libopensc2-dbg_0.11.4-5+lenny1.1_amd64.deb
 9751554fd792a68e8a811b46eb5255ae 170792 web extra mozilla-opensc_0.11.4-5+lenny1.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJNF7IcAAoJEFOUR53TUkxR3e0P/icV2BHGi/VCMbNOf/IrEuzu
6wNV5rTs1HcaYoNDbcHae/+xTnrVaWycn390GJYqPtBtfEsuRvdXS/guCAK3Yq4S
LwIjHO/XVDIxGKF/GansZ7zicmQVBYu343OGdPBJbwRe+l04XHTxLSG43IPh/AV0
RpDIMN/24utf3O2QHXCSud2ks3FLg4u7uUB4RNIHyJXoBKJD9xNlcPJrky2B4RGa
aWZdgRdXtqbs0itATC82s6NAkcMb9m4uHv86vW4Tl3aIqeYnjPyUx2xCbRsclH+h
1AU6dy8c4UNj0Jh/buRmvF+afl28T2i5oEblRC47cd57ok5c+dRyQ0BnPyMVLZdX
mQM4mnurvDpXpjPd6Jm6uDo6Gkty/FQ4i19Oy+FWDxyfwh4ukpB2wYsCUUk71QYc
w/CDTYYeYLg0+fuCrrNA8wg83EB3k4z3I5bB8vFwdAEj5AJ4K5EeMTZ6pJQh4LGP
uwhqGJwWl2Ni/H0zcZhzwQxikv0K+WOhIQkbmJFcsVK5isCQWXHHeFLOdrcjEeOx
oW7KlVtBNjTiGEYSoBzrvX+nPtZG4TrJlVb5AKKLULWXqHeC0aFNoo/xJcuWilCz
VxEQo47u+Upq9FgImJ67cPuoo5gO+6LoPp5jmnAlQ6qgFbtEXOstKCjfkjgVkKdb
1JE9LUrdiZie3v4BbSck
=6nYn
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.