Debian Security Advisory

DSA-1627-2 opensc -- programming error

Date Reported:
4 Aug 2008
Affected Packages:
opensc
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2008-2235.
More information:

Chaskiel M Grundman discovered that opensc, a library and utilities for handling smart cards, initialised smart cards running the Siemens CardOS M4 card operating system without the correct access rights. This made it possible for anyone to change the card's PIN.

Because of this flaw, anyone could change a user PIN without knowing the PIN or PUK, or the superuser's PIN or PUK. The flaw could not, however, be used to work out the PIN. If the PIN on your card is still the same as it has always been, there is a good chance that the vulnerability has not been exploited.

The vulnerability only affects smart cards and USB crypto tokens based on Siemens CardOS M4, and within that group only those that have been initialised with OpenSC. Users of other smart cards and USB crypto tokens, or of cards initialised with software other than OpenSC, are not affected.

After upgrading the package, running the command pkcs15-tool -T will show whether the card is fine or vulnerable. If the card is vulnerable, change the security setting using: pkcs15-tool -T -U.
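The check-then-fix step above, as an added shell example that is not part of the Debian advisory or of the OpenSC project. The only thing the advisory states about pkcs15-tool's report is that it shows whether the card is fine or vulnerable; the example therefore assumes that an affected card's report contains the word "vulnerable", and the pattern in classify_card_report should be adjusted to the exact wording of your OpenSC version. The check_and_fix function runs the update from the advisory only when explicitly asked with --fix.

```shell
#!/bin/sh
# Added example (not from the advisory or OpenSC): wraps `pkcs15-tool -T`
# and `pkcs15-tool -T -U` from DSA-1627-2 so the card check can be run
# and logged consistently on every host that uses CardOS M4 tokens.

# classify_card_report REPORT
# Prints "vulnerable", "ok" or "unknown" for the text printed by
# `pkcs15-tool -T`. ASSUMPTION: an affected card's report contains the
# word "vulnerable"; a negated form ("not vulnerable") counts as ok.
classify_card_report() {
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$lower" in
        *"not vulnerable"*) printf 'ok' ;;
        *vulnerable*)       printf 'vulnerable' ;;
        *"is fine"*)        printf 'ok' ;;   # wording assumed from the advisory
        *)                  printf 'unknown' ;;
    esac
}

# check_and_fix [--fix]
# Runs the advisory's test, reports the result and, only with --fix and
# only when the card is reported vulnerable, applies `pkcs15-tool -T -U`.
# Returns 0 when the card is fine, 1 when it is vulnerable or the report
# could not be classified, 2 when the tool is missing or failed.
check_and_fix() {
    fix="${1:-}"
    if ! command -v pkcs15-tool >/dev/null 2>&1; then
        echo "pkcs15-tool not found; install the upgraded opensc package first" >&2
        return 2
    fi
    if ! report=$(pkcs15-tool -T 2>&1); then
        echo "pkcs15-tool -T failed: $report" >&2
        return 2
    fi
    status=$(classify_card_report "$report")
    echo "card status: $status"
    if [ "$status" = "vulnerable" ] && [ "$fix" = "--fix" ]; then
        echo "applying security-setting update (pkcs15-tool -T -U)"
        pkcs15-tool -T -U || return 2
        # Re-run the test so the log shows the post-update state.
        report=$(pkcs15-tool -T 2>&1) && status=$(classify_card_report "$report")
        echo "card status after update: $status"
    fi
    [ "$status" = "ok" ]
}

# Invoke as `sh check_card.sh --run [--fix]`; without --run the file only
# defines the functions so it can be sourced.
if [ "${1:-}" = "--run" ]; then
    check_and_fix "${2:-}"
fi
```

Run it once per reader after the opensc upgrade and keep the "card status" lines in your logs; a card that still reports vulnerable after --fix should be taken out of service rather than re-tested in a loop.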

For the stable distribution (etch), this problem has been fixed in version 0.11.1-2etch2.

For the unstable distribution (sid), this problem has been fixed in version 0.11.4-5.

We recommend that you upgrade your opensc package and check your cards with the command described above.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1.orig.tar.gz
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2.diff.gz
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2.dsc
Alpha:
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_alpha.deb
http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_alpha.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_alpha.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_alpha.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_amd64.deb
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_amd64.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_amd64.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_amd64.deb
http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_arm.deb
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_arm.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_arm.deb
http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_arm.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_hppa.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_hppa.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_hppa.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_hppa.deb
http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_i386.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_i386.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_i386.deb
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_i386.deb
http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_ia64.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_ia64.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_ia64.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_ia64.deb
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_mips.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_mips.deb
http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_mips.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_mips.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_mipsel.deb
http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_mipsel.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_mipsel.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_mipsel.deb
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_powerpc.deb
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_powerpc.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_powerpc.deb
http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_powerpc.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_s390.deb
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_s390.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_s390.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_s390.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_sparc.deb
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_sparc.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_sparc.deb
http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_sparc.deb
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_sparc.deb

MD5 checksums of the listed files are available in the original advisory.