Summary: | <sys-apps/pcsc-lite-1.6.6: Stack Overflow Vulnerability (CVE-2010-4531)
---|---
Product: | Gentoo Security
Component: | Vulnerabilities
Reporter: | Tim Sammut (RETIRED) <underling>
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | major
Priority: | High
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004923.html
Whiteboard: | B1 [glsa]
Package list: |
Runtime testing required: | ---
Bug Depends on: | 349559, 349567, 349813
Bug Blocks: |

Description
Tim Sammut (RETIRED)
2010-12-24 03:55:48 UTC

Can you _please_ ask the maintainer before asking arches to mark stuff stable? This needs _at least_ to go stable *at the same time* as the latest ccid, and there are likely other revdeps that need to go stable at the same time. And at least one package that upstream (same author) didn't update to work with the new udev-based discovery.

(In reply to comment #1)
> Can you _please_ ask the maintainer before asking arches to mark stuff stable?

My apologies. Please let us know when/if this can go stable and with which other dependencies.

List of packages to stable _at the same time_ for the arch teams:

sys-apps/pcsc-lite-1.6.6-r1
app-crypt/ccid-1.4.1-r1 [older ccid won't work with new pcsc-lite, newer ccid won't work with old pcsc-lite]
dev-libs/opensc-0.11.13-r2 [-r0 will not work; -r2 also fixes buffer overflows]
net-misc/rdesktop-1.6.0-r4 [I didn't want to fix the previous versions, see the dependent bugs]

(Tim can you please open the rdesktop stable bug as well? Thanks!)

Arches, please test and mark stable:
=sys-apps/pcsc-lite-1.6.6
Target keywords : "amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

This must be stabilized at the same time with:
app-crypt/ccid-1.4.1-r1 in bug 349559
dev-libs/opensc-0.11.13-r2 in bug 349567
net-misc/rdesktop-1.6.0-r4 in bug 349835

amd64 done

Stable for HPPA PPC.

x86 done.

arm stable alpha/arm/ia64/m68k/s390/sh/sparc ppc64 stable, last arch done

Thanks, everyone. GLSA request filed.

CVE-2010-4531 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4531): Stack-based buffer overflow in the ATRDecodeAtr function in the Answer-to-Reset (ATR) Handler (atrhandler.c) for pcscd in PCSC-Lite 1.5.3, and possibly other 1.5.x and 1.6.x versions, allows physically proximate attackers to cause a denial of service (crash) and possibly execute arbitrary code via a smart card with an ATR message containing a long attribute value.

security: why is this still open (and its dependencies)?

(In reply to comment #13)
> security: why is this still open (and its dependencies)?

pending advisory

(In reply to comment #14)
> (In reply to comment #13)
> > security: why is this still open (and its dependencies)?
>
> pending advisory

Thanks! From 2011-01-21?

This issue was resolved and addressed in GLSA 201401-17 at http://security.gentoo.org/glsa/glsa-201401-17.xml by GLSA coordinator Sean Amoss (ackle).
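
The CVE-2010-4531 description quoted in the thread above concerns decoding a card-supplied ATR into fixed-size storage. As an added illustration (not pcsc-lite's atrhandler.c and not the upstream fix), the following C parser walks an ATR using the ISO 7816-3 layout and validates every card- or reader-supplied length before using it; `atr_parse`, `struct atr_info` and `ATR_MAX` are hypothetical names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ATR_MAX 33  /* ISO 7816-3: TS plus at most 32 further bytes */

struct atr_info {
    uint8_t  hist[15];   /* historical bytes; K is 4 bits, so 15 at most */
    size_t   hist_len;
    unsigned protocols;  /* bit n set when a TD byte offers T=n */
};

/* Hypothetical helper: 0 on success, -1 if the ATR is oversized, truncated
 * or inconsistent. Every read and copy is preceded by its bound check. */
int atr_parse(const uint8_t *atr, size_t len, struct atr_info *out)
{
    memset(out, 0, sizeof *out);
    if (atr == NULL || len < 2 || len > ATR_MAX)  /* len is reader-supplied */
        return -1;
    if (atr[0] != 0x3B && atr[0] != 0x3F)         /* TS: direct or inverse */
        return -1;
    size_t  k = atr[1] & 0x0F;   /* T0 low nibble: historical byte count K */
    uint8_t y = atr[1] >> 4;     /* T0 high nibble: which of TA1..TD1 follow */
    size_t  pos = 2, tck;
    while (y != 0) {
        size_t n = (y & 1) + ((y >> 1) & 1) + ((y >> 2) & 1);  /* TA, TB, TC */
        if (n > len - pos)
            return -1;
        pos += n;
        if (!(y & 0x8))
            break;               /* no TD byte: the chain ends */
        if (pos >= len)
            return -1;
        out->protocols |= 1u << (atr[pos] & 0x0F);
        y = atr[pos++] >> 4;     /* TD high nibble announces the next group */
    }
    if (k > len - pos)           /* K claims more bytes than remain */
        return -1;
    memcpy(out->hist, atr + pos, k);   /* k <= 15 == sizeof out->hist */
    out->hist_len = k;
    tck = (out->protocols & ~1u) ? 1 : 0;  /* TCK is sent unless only T=0 */
    if (len - pos - k != tck)    /* trailing or missing bytes */
        return -1;
    uint8_t x = 0;
    for (size_t i = 1; tck && i < len; i++)
        x ^= atr[i];             /* T0..TCK must XOR to zero */
    return x == 0 ? 0 : -1;
}
```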