[SECURITY] [DLA 3668-1] opensc security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-3668-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
November 27, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : opensc
Version        : 0.19.0-1+deb10u3
CVE ID         : CVE-2023-40660 CVE-2023-40661
Debian Bug     : 1055521 1055522

Vulnerabilities were found in opensc, a set of libraries and utilities
to access smart cards, which could lead to application crash or PIN
bypass.

CVE-2023-40660

    When the token/card was plugged into the computer and authenticated
    from one process, it could be used to provide cryptographic
    operations from a different process when an empty, zero-length PIN
    was presented and the token could track the login status using some
    of its internals.  This is dangerous for OS logon/screen unlock and
    for small tokens that are plugged permanently into the computer.

    The bypass was removed and explicit logout implemented for most of
    the card drivers to prevent leaving unattended logged-in tokens.

CVE-2023-40661

    This entry summarizes security-relevant issues in pkcs15-init that
    were reported automatically by dynamic analyzers:

      * stack buffer overflow in sc_pkcs15_get_lastupdate() in pkcs15init;
      * heap buffer overflow in setcos_create_key() in pkcs15init;
      * heap buffer overflow in cosm_new_file() in pkcs15init;
      * stack buffer overflow in cflex_delete_file() in pkcs15init;
      * heap buffer overflow in sc_hsm_write_ef() in pkcs15init;
      * stack buffer overflow while parsing pkcs15 profile files;
      * stack buffer overflow in muscle driver in pkcs15init; and
      * stack buffer overflow in cardos driver in pkcs15init.

    All of these require physical access to the computer at the time a
    user or administrator is enrolling cards (generating keys, loading
    certificates, or performing other card/token management operations).
    The attack requires a crafted USB device or smart card that presents
    the system with specially crafted responses to the APDUs, so they
    are considered high-complexity and low-severity.  This issue is not
    exploitable just by using a PKCS#11 module, as is done in most
    end-user deployments.

For Debian 10 buster, these problems have been fixed in version
0.19.0-1+deb10u3.
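As an added example (not part of this advisory or of OpenSC), the following re-implements Debian's version ordering (epoch, upstream version, Debian revision, with `~` sorting before everything) so an administrator can check whether an installed opensc version is at or past the fixed 0.19.0-1+deb10u3 without shelling out; it assumes the installed version string was obtained separately (e.g. from `dpkg-query -W -f='${Version}' opensc`), and on a real system `dpkg --compare-versions` remains the authoritative comparator.

```python
import itertools
import re

FIXED = {"opensc": "0.19.0-1+deb10u3"}  # fixed version from DLA-3668-1 (buster)

def _order(c):
    # Debian rule: '~' sorts before everything (even end of string), letters before non-letters
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(a, b):
    # lexical comparison of two non-digit fragments under _order()
    for x, y in itertools.zip_longest(a, b, fillvalue=""):
        if _order(x) != _order(y):
            return _order(x) - _order(y)
    return 0

def _cmp_part(a, b):
    # compare upstream_version or debian_revision: alternate non-digit and numeric runs
    while a or b:
        na, nb = re.match(r"\D*", a), re.match(r"\D*", b)
        if r := _cmp_nondigit(na.group(), nb.group()):
            return r
        a, b = a[na.end():], b[nb.end():]
        da, db = re.match(r"\d*", a), re.match(r"\d*", b)
        if r := int(da.group() or 0) - int(db.group() or 0):
            return r
        a, b = a[da.end():], b[db.end():]
    return 0

def _split(v):
    # 'epoch:upstream-revision' -> (epoch, upstream, revision); missing parts default to 0
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    if not sep:
        upstream, rev = rest, "0"
    return int(epoch), upstream, rev

def deb_version_cmp(a, b):
    # negative if a < b, 0 if equal, positive if a > b, per Debian Policy ordering
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_fixed(package, installed):
    # True once the installed version is at or past the advisory's fixed version
    return deb_version_cmp(installed, FIXED[package]) >= 0
```

Note that a backport such as 0.19.0-1+deb10u3~bpo10+1 correctly sorts below the fixed version because of the `~` rule.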

We recommend that you upgrade your opensc packages.

For the detailed security status of opensc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/opensc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
