Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 260514 (CVE-2009-0368) - <dev-libs/opensc-0.11.7 Improper access restrictions (CVE-2009-0368)
Summary: <dev-libs/opensc-0.11.7 Improper access restrictions (CVE-2009-0368)
Alias: CVE-2009-0368
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2009-02-27 13:56 UTC by Robert Buchholz (RETIRED)
Modified: 2009-08-01 12:38 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-02-27 13:56:14 UTC
OpenSC Security Advisory [26-Feb-2009] CVE-2009-0368

OpenSC stores private data without proper access restrictions.

User "b.badrignans" reported this security problem on December 4th, 2008.
In June 2007 support form private data objects was added to OpenSC. Only later
a severe security bug was found out: while the OpenSC PKCS#11 implementation
requires PIN verification to access the data, low level APDU commands or 
debugging tools like opensc-explorer or opensc-tool can access the private 
data without any authentication. This was fixed in OpenSC 0.11.7.

RSA keys are not affected by this security problem. National eID cards and 
other cards initialised by other software are not affected by this problem. 
Only blank cards initialised with OpenSC are affected by this problem. It is 
not known if the problem is limited to some drivers, but we believe all 
drivers are affected. We could only test very few cards, but all of them had 
the problem, and the fix worked on all of them. All other cards are completely 
untested for either.

This fix only improves creating new private data objects. Cards already 
initialised with such private data objects need to be modified to repair the 
access control conditions on such cards. One way to do that is to erase the 
card and re-initialise it, but doing this you would loose all content on the 
card, including RSA private keys. An alternative is to download the private 
data object(s) to your PC, delete them on the card, and store them once more 
on the card with the new, fixed version of OpenSC. This procedure has been
tested with success on some cards, but no guaranty of any kind can be given.

Comment 1 Daniel Black (RETIRED) gentoo-dev 2009-02-27 22:02:12 UTC
opensc-0.11.7.ebuild target "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
if you don't have smartcards I don't either. there have been numerous reports of this package working and I reasonably trust the upstream devs.
Comment 2 Ferris McCormick (RETIRED) gentoo-dev 2009-03-01 03:03:03 UTC
Sparc stable.
Comment 3 Brent Baude (RETIRED) gentoo-dev 2009-03-02 16:02:43 UTC
ppc64 done
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-03-03 13:07:38 UTC
CVE-2009-0368 (
  OpenSC before 0.11.7 allows physically proximate attackers to bypass
  intended PIN requirements and read private data objects via a (1) low
  level APDU command or (2) debugging tool, as demonstrated by reading
  the 4601 or 4701 file with the opensc-explorer or opensc-tool program.

Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2009-03-04 19:58:29 UTC
ppc stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2009-03-06 17:25:17 UTC
alpha/arm/ia64/s390/sh/x86 stable
Comment 7 Markus Meier gentoo-dev 2009-03-07 14:34:11 UTC
amd64 stable
Comment 8 Guy Martin (RETIRED) gentoo-dev 2009-03-10 07:11:04 UTC
hppa stable
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-03-17 00:42:20 UTC
glsa vote: YES
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-23 17:02:10 UTC
Yes, too. Request filed.
Comment 11 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-07-29 13:53:43 UTC
dev-libs/opensc-0.11.8 has been stabilized on m68k due to bug #269920.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2009-08-01 12:38:05 UTC
GLSA 200908-01, thanks everyone.