Bug 269920 (CVE-2009-1603) - =dev-libs/opensc-0.11.7 generates invalid RSA keys (CVE-2009-1603)
Status: RESOLVED FIXED
Alias: CVE-2009-1603
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [glsa]
Reported: 2009-05-15 09:12 UTC by Alex Legler (RETIRED)
Modified: 2009-08-01 12:38 UTC
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-15 09:12:27 UTC
CVE-2009-1603 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1603):
  src/tools/pkcs11-tool.c in pkcs11-tool in OpenSC 0.11.7, when used
  with unspecified third-party PKCS#11 modules, generates RSA keys with
  incorrect public exponents, which allows attackers to read the
  cleartext form of messages that were intended to be encrypted.
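An added example, not part of the original report or of OpenSC's code: a check that could be run over exported public keys to flag unusable public exponents, the class of defect the CVE text above describes. It parses DER-encoded PKCS#1 RSAPublicKey blobs; the sample keys are constructed toy values, and the 65537 floor is a policy assumption taken from FIPS 186-4.

```python
# Added example: audit the public exponent of DER-encoded PKCS#1 RSAPublicKey blobs.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_public_key(der):
    """Parse RSAPublicKey ::= SEQUENCE { modulus, publicExponent } into (n, e)."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    t1, n_bytes, pos = read_tlv(body, 0)
    t2, e_bytes, _ = read_tlv(body, pos)
    if t1 != 0x02 or t2 != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def exponent_problem(e):
    """Return a reason string if e is unsafe, else None."""
    if e == 1:
        return "e=1: m^e mod n == m, so ciphertext equals plaintext"
    if e < 1 or e % 2 == 0:
        return "e is not a positive odd integer, not a valid RSA exponent"
    if e < 65537:
        return "e below 65537 (policy floor assumed here, per FIPS 186-4)"
    return None

def der_int(x):
    # Minimal two's-complement encoding; the extra bit keeps the value positive.
    raw = x.to_bytes(x.bit_length() // 8 + 1, "big")
    return b"\x02" + bytes([len(raw)]) + raw

def der_key(n, e):
    body = der_int(n) + der_int(e)  # short-form lengths suffice for toy keys
    return b"\x30" + bytes([len(body)]) + body

# Constructed toy keys (n = 1000003 * 1000033), far too small for real use.
TOY_N = 1000003 * 1000033
SAMPLES = {"good": der_key(TOY_N, 65537), "broken": der_key(TOY_N, 1)}

def audit(samples):
    """Map each key name to its exponent problem, or None if acceptable."""
    return {name: exponent_problem(parse_rsa_public_key(der)[1])
            for name, der in samples.items()}
```
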
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-15 09:13:16 UTC
0.11.8 has been released to fix this problem.
Comment 2 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-05-15 22:29:49 UTC
dev-libs/opensc-0.11.8 is now in the tree.
Comment 3 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-05-15 22:31:30 UTC
Please stabilize dev-libs/opensc-0.11.8.
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2009-05-16 11:06:50 UTC
Stable on alpha.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2009-05-16 13:42:24 UTC
  16 May 2009; Tobias Klausmann <klausman@gentoo.org> ChangeLog:
  Stable on alpha, bug #269920
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2009-05-16 14:48:37 UTC
(In reply to comment #5)
>   16 May 2009; Tobias Klausmann <klausman@gentoo.org> ChangeLog:
>   Stable on alpha, bug #269920

Fixed. Thanks for the heads up.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2009-05-16 15:40:02 UTC
Stable for HPPA.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-18 15:54:01 UTC
x86 stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-05-18 19:02:27 UTC
ppc64 done
Comment 10 Brent Baude (RETIRED) gentoo-dev 2009-05-18 19:02:36 UTC
ppc done
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2009-05-21 15:54:46 UTC
arm/ia64/m68k/s390/sh/sparc stable
Comment 12 Markus Meier gentoo-dev 2009-05-22 22:45:30 UTC
amd64 stable, all arches done.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 21:47:02 UTC
Ready to vote, I vote YES.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-24 16:49:02 UTC
YES too, request filed.
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2009-07-30 13:42:19 UTC
Reverted rbu's last change, only 0.11.7 is affected.
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2009-08-01 12:38:16 UTC
GLSA 200908-01, thanks everyone.