opensc: CVE-2023-40661

Related Vulnerabilities: CVE-2023-40661   CVE-2023-4535   CVE-2023-40660  

Debian Bug report logs - #1055522
opensc: CVE-2023-40661


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 7 Nov 2023 20:09:02 UTC

Severity: important

Tags: security, upstream

Found in version opensc/0.23.0-1

Fixed in version opensc/0.23.0-2

Done: Bastian Germann <bage@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian OpenSC Maintainers <pkg-opensc-maint@lists.alioth.debian.org>:
Bug#1055522; Package src:opensc. (Tue, 07 Nov 2023 20:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian OpenSC Maintainers <pkg-opensc-maint@lists.alioth.debian.org>. (Tue, 07 Nov 2023 20:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: opensc: CVE-2023-40661
Date: Tue, 07 Nov 2023 21:04:05 +0100
Source: opensc
Version: 0.23.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for opensc.

CVE-2023-40661[0]:
| Several memory vulnerabilities were identified within the OpenSC
| packages, particularly in the card enrollment process using
| pkcs15-init when a user or administrator enrolls cards. To take
| advantage of these flaws, an attacker must have physical access to
| the computer system and employ a custom-crafted USB device or smart
| card to manipulate responses to APDUs. This manipulation can
| potentially allow compromise of key generation, certificate loading,
| and other card management operations during enrollment.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Note that this CVE covers various oss-fuzz-related issues
reported since the 0.23.0 release.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40661
    https://www.cve.org/CVERecord?id=CVE-2023-40661
[1] https://github.com/OpenSC/OpenSC/wiki/CVE-2023-40661

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#1055522. (Wed, 08 Nov 2023 00:33:07 GMT)


Message #8 received at 1055522-submitter@bugs.debian.org:

From: Bastian Germann <noreply@salsa.debian.org>
To: 1055522-submitter@bugs.debian.org
Subject: Bug#1055522 marked as pending in opensc
Date: Wed, 08 Nov 2023 00:28:50 +0000
Control: tag -1 pending

Hello,

Bug #1055522 in opensc reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/opensc-team/opensc/-/commit/8026fb4ca0ed53d970c6c497252eb264d4192d50

------------------------------------------------------------------------
Fix CVE-2023-40661 with upstream patches (Closes: #1055522)

Two of the identified patch fixes are not included because
they fix code that is not yet contained in 0.23.0.
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1055522



Added tag(s) pending. Request was from Bastian Germann <noreply@salsa.debian.org> to 1055522-submitter@bugs.debian.org. (Wed, 08 Nov 2023 00:33:07 GMT)


Reply sent to Bastian Germann <bage@debian.org>:
You have taken responsibility. (Wed, 08 Nov 2023 00:51:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 08 Nov 2023 00:51:07 GMT)


Message #15 received at 1055522-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1055522-close@bugs.debian.org
Subject: Bug#1055522: fixed in opensc 0.23.0-2
Date: Wed, 08 Nov 2023 00:49:21 +0000
Source: opensc
Source-Version: 0.23.0-2
Done: Bastian Germann <bage@debian.org>

We believe that the bug you reported is fixed in the latest version of
opensc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1055522@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Germann <bage@debian.org> (supplier of updated opensc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 08 Nov 2023 01:26:46 +0100
Source: opensc
Architecture: source
Version: 0.23.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSC Maintainers <pkg-opensc-maint@lists.alioth.debian.org>
Changed-By: Bastian Germann <bage@debian.org>
Closes: 1055520 1055521 1055522
Changes:
 opensc (0.23.0-2) unstable; urgency=medium
 .
   * Team upload
   * Fix CVE-2023-4535 with two upstream patches (Closes: #1055520)
   * Fix CVE-2023-40660 with upstream patch (Closes: #1055521)
   * Fix CVE-2023-40661 with upstream patches (Closes: #1055522)
Checksums-Sha1:
 76c468d9c8e9d443f92e98aaf01e0585101294c9 2012 opensc_0.23.0-2.dsc
 e5ddbe948317d4b8cd70d1f6430be93cb6400a7a 23572 opensc_0.23.0-2.debian.tar.xz
 23d1b794b5e9014ae1cff6c59da6897c31219fea 6929 opensc_0.23.0-2_source.buildinfo
Checksums-Sha256:
 350ec0f21a00a6ff83b822ee4911c88f559b101a22cfd2876c3cf2406e86be9f 2012 opensc_0.23.0-2.dsc
 a9f8020f176a8df5005348de9db71786c2f20da65b6166168dbe1bd75eef56a3 23572 opensc_0.23.0-2.debian.tar.xz
 ef54460b4e0498e269daf9daf1029ed2674f91642fcd71b6863297b745afcaf3 6929 opensc_0.23.0-2_source.buildinfo
Files:
 4a492105a5443a6d672d500a83eb7939 2012 utils optional opensc_0.23.0-2.dsc
 5ed855e8f6cfd17c045a97a3902da186 23572 utils optional opensc_0.23.0-2.debian.tar.xz
 16012c5b6a48c472bdfaf249f2b9f8bd 6929 utils optional opensc_0.23.0-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Nov 8 17:55:50 2023; Machine Name: buxtehude
