The CAC (Common Access Card) library is vulnerable to a host memory leakage issue. It could occur while allocating a new APDU object using guest supplied raw byte stream in 'vcard_apdu_new'.

Upstream patch:
---------------
https://cgit.freedesktop.org/spice/libcacard/commit/?id=9113dc6a303604a2d9812ac70c17d076ef11886c
@ Maintainer(s): Please bump to >=app-emulation/libcacard-2.5.3!
CVE-2017-6414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6414): Memory leak in the vcard_apdu_new function in card_7816.c in libcacard before 2.5.3 allows local guest OS users to cause a denial of service (host memory consumption) via vectors related to allocating a new APDU object.
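A simplified model of the kind of leak the report describes, added here as an illustration; it is not libcacard's code and not the upstream patch. The struct, the function names, the validation rule and the assumption that the leak sits on a rejection path taken after the guest bytes were copied are all hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of an APDU object; NOT libcacard's real structure. */
typedef struct { unsigned char *data; size_t len; } Apdu;

static long live_allocs;   /* outstanding heap blocks, tracked for the demo */
static void *xalloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

/* Assumed validation rule: need a 4-byte header (CLA INS P1 P2), CLA != 0xff. */
static int header_ok(const Apdu *a) { return a->len >= 4 && a->data[0] != 0xff; }

/* Copy the untrusted bytes into a new object (two allocations). */
static Apdu *apdu_alloc_copy(const unsigned char *raw, size_t len) {
    Apdu *a = xalloc(sizeof(*a));
    if (!a) return NULL;
    a->data = xalloc(len ? len : 1);
    if (!a->data) { xfree(a); return NULL; }
    if (len) memcpy(a->data, raw, len);
    a->len = len;
    return a;
}

void apdu_delete(Apdu *a) { if (a) { xfree(a->data); xfree(a); } }

/* Leaky: the rejection path frees the struct but not the copied buffer. */
Apdu *apdu_new_leaky(const unsigned char *raw, size_t len) {
    Apdu *a = apdu_alloc_copy(raw, len);
    if (a && !header_ok(a)) { xfree(a); return NULL; }
    return a;
}

/* Fixed: every exit after the copy releases the whole object. */
Apdu *apdu_new_fixed(const unsigned char *raw, size_t len) {
    Apdu *a = apdu_alloc_copy(raw, len);
    if (a && !header_ok(a)) { apdu_delete(a); return NULL; }
    return a;
}

/* Feed n rejected inputs; return how many heap blocks are still held. */
long leaked_after(Apdu *(*ctor)(const unsigned char *, size_t), int n) {
    static const unsigned char bad[] = { 0xff, 0x00, 0x00, 0x00 }; /* constructed */
    live_allocs = 0;
    for (int i = 0; i < n; i++) apdu_delete(ctor(bad, sizeof(bad)));
    return live_allocs;
}

int main(void) { return leaked_after(apdu_new_fixed, 1000) != 0; }
```

In the leaky variant each rejected input leaves one buffer behind, so host memory held grows linearly with the number of malformed requests.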
please bump!
I've looked into bumping it. It's an easy bump and tests pass, but I don't know how to use this library so I can't actually verify that it works. Because our target delay is long past due and because the maintainer is unresponsive, what do you think we should do, security team? Mask the package and corresponding revdeps USE flags and schedule for removal?
I'm working on it. Already bumped and built locally, need to test it though.
ok, libcacard-2.6.0 seems to work, although qemu needed a patch to work with libvirt/virt-manager with smartcard support enabled: https://git.qemu.org/?p=qemu.git;a=patch;h=e58d64a;hp=a4207e3b00e89f934adb231057dcf9a75ac2ae45.

Tested as follows:
* USE="passthrough" for libcacard (new flag, on by default)
* USE="smartcard" for spice, spice-gtk and qemu
* set up a VM using virt-manager (via libvirt and qemu)
* add a virtual smartcard passthrough device to this machine
* create a software smartcard and connect to the VM as described in https://www.spice-space.org/smartcard-usage.html
* in the VM:
  * install pcsc-lite and -tools + coolkey
  * start pcscd
  * run pcsc_scan
  * you should get something like:
    Possibly identified card (...): 3B 89 ... Coolkey emulated card using virtual viewer with nssdb (eID)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bc51b968eb58887c91e46184734f98a6ac2c4cce

commit bc51b968eb58887c91e46184734f98a6ac2c4cce
Author:     Tiziano Müller <dev-zero@gentoo.org>
AuthorDate: 2018-08-14 15:12:25 +0000
Commit:     Tiziano Müller <dev-zero@gentoo.org>
CommitDate: 2018-08-14 15:14:48 +0000

    app-emulation/libcacard: version bump for #611348

    adding a new (default-on) USE flag to reduce deps for people wanting
    virtual certificate-based smartcards only

    Bug: https://bugs.gentoo.org/611348
    Package-Manager: Portage-2.3.45, Repoman-2.3.10

 app-emulation/libcacard/Manifest               |  1 +
 app-emulation/libcacard/libcacard-2.6.0.ebuild | 31 ++++++++++++++++++++++++++
 app-emulation/libcacard/metadata.xml           |  3 +++
 3 files changed, 35 insertions(+)
This bug's workflow is blocked. The ebuild was submitted a while ago, but stabilization was never requested. Arches, please stabilize app-emulation/libcacard-2.6.0. Thanks!
amd64 stable
Stable on alpha.
arm stable
Fails testsuite on ppc (see bug #670747).
I've reduced the test suite to avoid pulling in (and requiring fast stabilization of) SoftHSMv2 for now, please retry
(In reply to Tiziano Müller from comment #13)
> I've reduced the test suite to avoid pulling in (and requiring fast
> stabilization of) SoftHSMv2 for now, please retry

ERROR: tests/simpletlv - too few tests run (expected 9, got 1)
ERROR: tests/simpletlv - exited with status 134 (terminated by signal 6?)
@whissi do you have more info? That's what I get (with USE="passthrough"):

[...]
make check-TESTS
make[3]: Entering directory '/var/tmp/portage/app-emulation/libcacard-2.6.0/work/libcacard-2.6.0'
make[4]: Entering directory '/var/tmp/portage/app-emulation/libcacard-2.6.0/work/libcacard-2.6.0'
PASS: tests/simpletlv 1 /simpletlv/length/simple
PASS: tests/simpletlv 2 /simpletlv/length/nested
PASS: tests/simpletlv 3 /simpletlv/length/skipped
PASS: tests/simpletlv 4 /simpletlv/encode/simple
PASS: tests/simpletlv 5 /simpletlv/encode/nested
PASS: tests/simpletlv 6 /simpletlv/encode/skipped
PASS: tests/simpletlv 7 /simpletlv/parse/simple
PASS: tests/simpletlv 8 /simpletlv/parse/last_bad
PASS: tests/simpletlv 9 /simpletlv/clone/simple
PASS: tests/libcacard 1 /libcacard/list
PASS: tests/libcacard 2 /libcacard/card-remove-insert
PASS: tests/libcacard 3 /libcacard/xfer
PASS: tests/libcacard 4 /libcacard/select-coid
PASS: tests/libcacard 5 /libcacard/cac-pki
PASS: tests/libcacard 6 /libcacard/cac-ccc
PASS: tests/libcacard 7 /libcacard/cac-aca
PASS: tests/libcacard 8 /libcacard/get-response
PASS: tests/libcacard 9 /libcacard/check-login-count
PASS: tests/libcacard 10 /libcacard/login
PASS: tests/libcacard 11 /libcacard/sign
PASS: tests/libcacard 12 /libcacard/empty-applets
PASS: tests/libcacard 13 /libcacard/gp-applet
PASS: tests/libcacard 14 /libcacard/invalid-properties-apdu
PASS: tests/libcacard 15 /libcacard/invalid-select-apdu
PASS: tests/libcacard 16 /libcacard/invalid-instruction
PASS: tests/libcacard 17 /libcacard/invalid-read-buffer
PASS: tests/libcacard 18 /libcacard/invalid-acr
PASS: tests/libcacard 19 /libcacard/passthrough-applet
PASS: tests/libcacard 20 /libcacard/remove
============================================================================
Testsuite summary for libcacard 2.6.0
============================================================================
# TOTAL: 29
# PASS: 29
# SKIP: 0
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================
[...]
ERROR: tests/simpletlv
======================

**
libcacard:ERROR:tests/simpletlv.c:69:test_length_nested: assertion failed (length == -1): (4294967295 == -1)
# random seed: R02Sc42f8fde5b5e63107997c77af347685f
1..9
# Start of simpletlv tests
# Start of length tests
ok 1 /simpletlv/length/simple
PASS: tests/simpletlv 1 /simpletlv/length/simple
./build-aux/tap-test: line 5: 7225 Aborted (core dumped) $@ -k --tap
# libcacard:ERROR:tests/simpletlv.c:69:test_length_nested: assertion failed (length == -1): (4294967295 == -1)
ERROR: tests/simpletlv - too few tests run (expected 9, got 1)
ERROR: tests/simpletlv - exited with status 134 (terminated by signal 6?)

back trace:

Reading symbols from /var/tmp/portage/app-emulation/libcacard-2.6.0/work/libcacard-2.6.0/tests/.libs/simpletlv...done.
warning: exec file is newer than core file.
[New LWP 7225]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".
Core was generated by `/var/tmp/portage/app-emulation/libcacard-2.6.0/work/libcacard-2.6.0/tests/.libs'.
Program terminated with signal SIGABRT, Aborted.
#0 0xb7f99b55 in __kernel_vsyscall ()
(gdb) bt
#0 0xb7f99b55 in __kernel_vsyscall ()
#1 0xb7c8486a in __libc_signal_restore_set (set=0xbfb0c80c) at ../sysdeps/unix/sysv/linux/nptl-signals.h:80
#2 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:48
#3 0xb7c8602a in __GI_abort () at abort.c:79
#4 0xb7ecf5f9 in g_assertion_message (domain=<optimized out>, domain@entry=0x434c01 "libcacard", file=<optimized out>, file@entry=0x434bef "tests/simpletlv.c", line=<optimized out>, line@entry=69, func=<optimized out>, func@entry=0x4352a0 <__func__.9805> "test_length_nested", message=<optimized out>, message@entry=0x790ad0 "assertion failed (length == -1): (4294967295 == -1)") at /var/tmp/portage/dev-libs/glib-2.52.3/work/glib-2.52.3/glib/gtestutils.c:2433
#5 0xb7ecf9fc in g_assertion_message_cmpnum (domain=0x434c01 "libcacard", file=0x434bef "tests/simpletlv.c", line=69, func=0x4352a0 <__func__.9805> "test_length_nested", expr=0x434cb6 "length == -1", arg1=4294967295, cmp=0x434c0b "==", arg2=-1, numtype=105 'i') at /var/tmp/portage/dev-libs/glib-2.52.3/work/glib-2.52.3/glib/gtestutils.c:2489
#6 0x00433598 in test_length_nested () at tests/simpletlv.c:69
#7 0xb7eceff1 in test_case_run (tc=0x790430) at /var/tmp/portage/dev-libs/glib-2.52.3/work/glib-2.52.3/glib/gtestutils.c:2161
#8 g_test_run_suite_internal (suite=suite@entry=0x78ff40, path=path@entry=0x0) at /var/tmp/portage/dev-libs/glib-2.52.3/work/glib-2.52.3/glib/gtestutils.c:2244
#9 0xb7ecf207 in g_test_run_suite_internal (suite=suite@entry=0x78ff30, path=path@entry=0x0) at /var/tmp/portage/dev-libs/glib-2.52.3/work/glib-2.52.3/glib/gtestutils.c:2256
#10 0xb7ecf207 in g_test_run_suite_internal (suite=suite@entry=0x78ff20, path=path@entry=0x0) at /var/tmp/portage/dev-libs/glib-2.52.3/work/glib-2.52.3/glib/gtestutils.c:2256
#11 0xb7ecf3eb in g_test_run_suite (suite=0x78ff20) at /var/tmp/portage/dev-libs/glib-2.52.3/work/glib-2.52.3/glib/gtestutils.c:2332
#12 0xb7ecf40b in g_test_run () at /var/tmp/portage/dev-libs/glib-2.52.3/work/glib-2.52.3/glib/gtestutils.c:1599
#13 0x004318e6 in main (argc=<optimized out>, argv=<optimized out>) at tests/simpletlv.c:368
(gdb)
@whissi backported patch from upstream added to fix test failures on i686
x86 stable
ia64 stable
Fails testsuite on ppc (bug #676676).
ppc64 stable
ppc stable
sparc stable. Maintainer(s), please cleanup. Security, please vote.