Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 839357 (CVE-2021-42778, CVE-2021-42779, CVE-2021-42780, CVE-2021-42781, CVE-2021-42782) - <dev-libs/opensc-0.22.0: multiple vulnerabilities
Summary: <dev-libs/opensc-0.22.0: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-42778, CVE-2021-42779, CVE-2021-42780, CVE-2021-42781, CVE-2021-42782
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+]
Keywords:
Depends on: 843101
Blocks:
  Show dependency tree
 
Reported: 2022-04-19 02:06 UTC by John Helmert III
Modified: 2022-09-07 03:19 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-19 02:06:17 UTC 
CVE-2021-42778 (https://bugzilla.redhat.com/show_bug.cgi?id=2016083):
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28185
https://github.com/OpenSC/OpenSC/commit/f015746d

A heap double free issue was found in Opensc before version 0.22.0 in sc_pkcs15_free_tokeninfo.

CVE-2021-42779 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28843):
https://bugzilla.redhat.com/show_bug.cgi?id=2016086
https://github.com/OpenSC/OpenSC/commit/1db88374

A heap use after free issue was found in Opensc before version 0.22.0 in sc_file_valid.

CVE-2021-42780 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28383):
https://github.com/OpenSC/OpenSC/commit/5df913b7
https://bugzilla.redhat.com/show_bug.cgi?id=2016139

A use after return issue was found in Opensc before version 0.22.0 in insert_pin function that could potentially crash programs using the library.

CVE-2021-42781 (https://bugzilla.redhat.com/show_bug.cgi?id=2016439):
https://github.com/OpenSC/OpenSC/commit/17d8980c
https://github.com/OpenSC/OpenSC/commit/5d4daf6c
https://github.com/OpenSC/OpenSC/commit/40c50a3a
https://github.com/OpenSC/OpenSC/commit/05648b06
https://github.com/OpenSC/OpenSC/commit/cae5c71f

Heap buffer overflow issues were found in Opensc before version 0.22.0 in pkcs15-oberthur.c that could potentially crash programs using the library.

CVE-2021-42782 (https://github.com/OpenSC/OpenSC/commit/1252aca9):
https://github.com/OpenSC/OpenSC/commit/7114fb71
https://github.com/OpenSC/OpenSC/commit/78cdab94
https://github.com/OpenSC/OpenSC/commit/ae1cf0be
https://github.com/OpenSC/OpenSC/commit/456ac566
https://bugzilla.redhat.com/show_bug.cgi?id=2016448

Stack buffer overflow issues were found in Opensc before version 0.22.0 in various places that could potentially crash programs using the library.


Please stabilize 0.22.0.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-06 15:10:17 UTC 
GLSA request filed
Comment 2 Larry the Git Cow gentoo-dev 2022-09-07 03:01:26 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7acf42a3800be2ca909864dd7b7f86b9b3b1d4ff

commit 7acf42a3800be2ca909864dd7b7f86b9b3b1d4ff
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-07 02:52:29 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-07 02:58:06 +0000

    [ GLSA 202209-03 ] OpenSC: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/839357
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-03.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-07 03:19:22 UTC 
GLSA released, all done!