
Bug 604574 (CVE-2016-10109)

Summary: <sys-apps/pcsc-lite-1.8.20: use-after-free and double-free (CVE-2016-10109)
Product: Gentoo Security
Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: crypto+disabled
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2017/01/03/2
Whiteboard: B1 [glsa cve]
Package list:
=sys-apps/pcsc-lite-1.8.20
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-03 22:18:40 UTC
From $URL:

Vulnerability type:
CWE-415, CWE-416

Vendor:
Muscle

Affected Versions:
PCSC-Lite >= 1.6.0, < 1.8.20

Description:
PCSC-Lite[1] is middleware to access a smart card using the SCard API (PC/SC).
It can be used with GnuPG, OpenSC and others for hardware like the Nitrokey and
Yubikey. This software uses a client library (libpcsclite) which communicates
with a daemon (pcscd) that actually accesses the hardware.

The SCardReleaseContext function normally releases resources associated with the
given handle (including "cardsList") and clients should cease using this handle.
A malicious client can however make the daemon invoke SCardReleaseContext and
continue issuing other commands that use "cardsList", resulting in a
use-after-free.  When SCardReleaseContext is invoked multiple times, it
additionally results in a double-free of "cardsList".

The issue allows a local attacker to cause a Denial of Service, but can
potentially result in Privilege Escalation since the daemon is running as root
while any local user can connect to the Unix socket.

Fixed by patch "SCardReleaseContext: prevent use-after-free of cardsList"[2]
which is released with pcsc-lite 1.8.20 on 30 December 2016[3].

Credit:
This issue was discovered and fixed by Peter Wu (peter@lekensteyn.nl).

Additional information:
The issue is confirmed for:
Arch Linux (1.8.18-1)
CentOS 7 (1.8.8-6.el7)
Debian Jessie (1.8.13-1)
using the PoC from https://lekensteyn.nl/files/pcscd-doublefree-poc.py

    $ python pcscd-doublefree-poc.py run/pcscd.comm
    [*] Sending SCARD_RELEASE_CONTEXT
    [*] Request succeeded, possible vulnerable
    [*] Sending SCARD_RELEASE_CONTEXT (2)
    [+] Daemon crashed, it is vulnerable!

    $ sbin/pcscd --foreground --debug
    ...
    00000167 winscard_svc.c:337:ContextThread() Authorized PC/SC client
    00000011 winscard_svc.c:341:ContextThread() Thread is started: dwClientID=6, threadContext @0x610000007f40
    00000009 winscard_svc.c:359:ContextThread() Received command: RELEASE_CONTEXT from client 6
    00000008 winscard.c:226:SCardReleaseContext() Releasing Context: 0x0
    00000008 winscard_svc.c:470:ContextThread() RELEASE_CONTEXT rv=0x0 for client 6
    00000088 winscard_svc.c:359:ContextThread() Received command: RELEASE_CONTEXT from client 6
    00000012 winscard.c:226:SCardReleaseContext() Releasing Context: 0x0
    =================================================================
    ==11540==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000d728 at pc 0x000000410490 bp 0x7f34ab4dd920 sp 0x7f34ab4dd910
    READ of size 8 at 0x60300000d728 thread T2
        #0 0x41048f in list_clear src/simclist.c:634
        #1 0x4108ba in list_destroy src/simclist.c:303
        #2 0x41843e in MSGRemoveContext src/winscard_svc.c:884
        #3 0x4194f3 in ContextThread src/winscard_svc.c:468
        ...

 [1]: https://pcsclite.alioth.debian.org/
 [2]: https://anonscm.debian.org/cgit/pcsclite/PCSC.git/commit/?id=697fe05967af7ea215bcd5d5774be587780c9e22
 [3]: http://lists.alioth.debian.org/pipermail/pcsclite-muscle/Week-of-Mon-20161226/000779.html
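The description above explains the bug class but not the shape of the code that has it: a per-client thread in a root daemon that destroys per-context state on RELEASE_CONTEXT and then keeps dispatching further commands from the same unprivileged client, exactly the sequence the PoC trace shows (RELEASE_CONTEXT twice on the same client, second one aborted by ASan inside list_clear). The following is an added C model written for this page; it is not pcsc-lite's winscard_svc.c, and the names client_t, serve_vuln, serve_fixed, msg_remove_context and the constructed reader list are assumptions. The "fixed" variant shows one way to close the hole (making release a terminal state for the thread), not the wording of the upstream patch. Build it with `cc -fsanitize=address` to see the same class of report as in the bug if you add a second release to the vulnerable path.

```c
#include <stdlib.h>
#include <string.h>

/* Standard PC/SC return codes. */
#define SCARD_S_SUCCESS        0x00000000L
#define SCARD_E_INVALID_HANDLE 0x80100003L

enum cmd { CMD_LIST_READERS, CMD_RELEASE_CONTEXT };

/* Per-client state as the daemon thread sees it (hypothetical layout). */
typedef struct {
    char **cardsList;   /* built when the client connects, destroyed on release */
    size_t ncards;
    int released;       /* used by the fixed loop only */
} client_t;

static char *dup_name(const char *s)
{
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (p) memcpy(p, s, len);
    return p;
}

/* Constructed sample: a client attaches while two readers are present. */
static void client_connect(client_t *c)
{
    static const char *readers[] = { "reader0", "reader1" };
    c->ncards = 2;
    c->cardsList = calloc(c->ncards, sizeof *c->cardsList);
    for (size_t i = 0; i < c->ncards; i++)
        c->cardsList[i] = dup_name(readers[i]);
    c->released = 0;
}

/* Stand-in for MSGRemoveContext() -> list_destroy(): frees entries and list. */
static void msg_remove_context(client_t *c)
{
    for (size_t i = 0; i < c->ncards; i++)
        free(c->cardsList[i]);
    free(c->cardsList);
}

/* Walks cardsList; reads freed memory if it runs after a release. */
static long list_readers(const client_t *c, size_t *n)
{
    *n = 0;
    for (size_t i = 0; i < c->ncards; i++)
        if (c->cardsList[i][0] != '\0')
            (*n)++;
    return SCARD_S_SUCCESS;
}

/* Vulnerable shape: RELEASE_CONTEXT destroys the list but the thread keeps
 * dispatching, so a later LIST_READERS is a use-after-free and a second
 * RELEASE_CONTEXT is a double-free. Only call it with a single release. */
long serve_vuln(client_t *c, enum cmd cmd, size_t *n)
{
    switch (cmd) {
    case CMD_LIST_READERS:    return list_readers(c, n);
    case CMD_RELEASE_CONTEXT: msg_remove_context(c); return SCARD_S_SUCCESS;
    }
    return SCARD_E_INVALID_HANDLE;
}

/* Hardened shape (one way to close the hole; not the upstream patch):
 * release is terminal, so anything that follows, including a second
 * release, is rejected before the list is touched. */
long serve_fixed(client_t *c, enum cmd cmd, size_t *n)
{
    if (c->released)
        return SCARD_E_INVALID_HANDLE;
    switch (cmd) {
    case CMD_LIST_READERS:
        return list_readers(c, n);
    case CMD_RELEASE_CONTEXT:
        msg_remove_context(c);
        c->cardsList = NULL;   /* nothing left dangling */
        c->ncards = 0;
        c->released = 1;
        return SCARD_S_SUCCESS;
    }
    return SCARD_E_INVALID_HANDLE;
}

/* After one release through the vulnerable loop the thread still believes
 * in ncards entries; the next LIST_READERS would walk freed memory. */
size_t vuln_entries_after_release(void)
{
    client_t c; size_t n = 0;
    client_connect(&c);
    serve_vuln(&c, CMD_RELEASE_CONTEXT, &n);
    return c.ncards;
}

/* Normal path through the fixed loop: readers visible before release. */
size_t fixed_readers_before_release(void)
{
    client_t c; size_t n = 0;
    client_connect(&c);
    serve_fixed(&c, CMD_LIST_READERS, &n);
    serve_fixed(&c, CMD_RELEASE_CONTEXT, &n);
    return n;
}

/* Replays the PoC's order of events (two RELEASE_CONTEXT, then a reader
 * listing) through the fixed loop and returns how many were rejected. */
int fixed_rejections_for_poc(void)
{
    client_t c; size_t n = 0; int rejected = 0;
    enum cmd seq[] = { CMD_RELEASE_CONTEXT, CMD_RELEASE_CONTEXT, CMD_LIST_READERS };
    client_connect(&c);
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++)
        if (serve_fixed(&c, seq[i], &n) == SCARD_E_INVALID_HANDLE)
            rejected++;
    return rejected;
}
```

The point of the model is the invariant, not the allocator: every command that can reach cardsList must be gated on the same state that release tears down, and release itself must be idempotent or refused on repeat. Because any local user can talk to pcscd's socket, that invariant is enforced inside a root process against untrusted input, which is why the bug is rated as more than a local DoS.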
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-03 22:21:49 UTC
Package is already in tree: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2749795825ac64bb6de11b4af4828fb40453f018


@ Maintainer(s): Can we start stabilization of =sys-apps/pcsc-lite-1.8.20?
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2017-01-03 22:24:08 UTC
Go for stable.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-03 22:27:14 UTC
@ Arches,

please test and mark stable: =sys-apps/pcsc-lite-1.8.20
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-01-04 03:19:47 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-04 17:12:39 UTC
x86 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-05 12:36:48 UTC
Stable on alpha.
Comment 7 Markus Meier gentoo-dev 2017-01-08 18:37:53 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-11 10:53:36 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-15 16:06:20 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-01-17 14:41:19 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-18 10:06:01 UTC
ppc64 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-21 11:44:38 UTC
Stable for HPPA.
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-30 01:15:29 UTC
Repository is clean.

New GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2017-02-01 02:33:41 UTC
This issue was resolved and addressed in
 GLSA 201702-01 at https://security.gentoo.org/glsa/201702-01
by GLSA coordinator Aaron Bauman (b-man).