Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 349567 (CVE-2010-4523) - <dev-libs/opensc-0.11.13-r2: Buffer Overflow Vulnerabilities (CVE-2010-4523)
Summary: <dev-libs/opensc-0.11.13-r2: Buffer Overflow Vulnerabilities (CVE-2010-4523)
Status: RESOLVED FIXED
Alias: CVE-2010-4523
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: https://www.opensc-project.org/opensc...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks: CVE-2010-4531
  Show dependency tree
 
Reported: 2010-12-24 04:38 UTC by Tim Sammut (RETIRED)
Modified: 2014-01-21 19:09 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2010-12-24 04:38:09 UTC
The upstream change at $URL corrects a potential buffer overflow.

Message:
    libopensc: protect for possible buffer overflows from rogue cards.
    Reported by Rafael Dominguez Vega

One public message indicates that this change is also required for the fix:

https://www.opensc-project.org/opensc/changeset/4912
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-12-26 17:30:52 UTC
New ebuild ready, it should work with older pcsc-lite as well so it should be okay to stable already until pcsc-lite is sorted out. 
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2010-12-26 18:39:57 UTC
(In reply to comment #1)
> New ebuild ready, it should work with older pcsc-lite as well so it should be
> okay to stable already until pcsc-lite is sorted out. 
> 

Thank you.

Arches, please test and mark stable:
=dev-libs/opensc-0.11.13-r2
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Comment 3 Brent Baude (RETIRED) gentoo-dev 2010-12-27 14:59:26 UTC
ppc64 done
Comment 4 Myckel Habets 2010-12-27 15:13:31 UTC
Builds fine on x86, rdeps build fine. No hardware to test functionality.

Please mark stable for x86.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2010-12-27 18:40:57 UTC
Stable for HPPA PPC.
Comment 6 Thomas Kahle (RETIRED) gentoo-dev 2010-12-27 20:18:17 UTC
x86 done. Thanks Myckel!
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2010-12-29 10:30:06 UTC
amd64 done
Comment 8 Markus Meier gentoo-dev 2010-12-31 17:42:37 UTC
arm stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-01-01 15:46:10 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-01-01 15:56:01 UTC
Thanks, everyone. GLSA request filed.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2011-01-21 11:15:28 UTC
CVE-2010-4523 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4523):
  Multiple stack-based buffer overflows in libopensc in OpenSC 0.11.13
  and earlier allow physically proximate attackers to execute arbitrary
  code via a long serial-number field on a smart card, related to (1)
  card-acos5.c, (2) card-atrust-acos.c, and (3) card-starcos.c.

Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-01-21 19:09:23 UTC
This issue was resolved and addressed in
 GLSA 201401-18 at http://security.gentoo.org/glsa/glsa-201401-18.xml
by GLSA coordinator Sean Amoss (ackle).