Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 746821 (CVE-2020-26570, CVE-2020-26571, CVE-2020-26572) - <dev-libs/opensc-0.21.0: Multiple vulnerabilities (CVE-2020-{26570,26571,26572})
Summary: <dev-libs/opensc-0.21.0: Multiple vulnerabilities (CVE-2020-{26570,26571,26572})
Status: RESOLVED FIXED
Alias: CVE-2020-26570, CVE-2020-26571, CVE-2020-26572
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-06 03:04 UTC by Sam James
Modified: 2021-03-19 18:24 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-06 03:04:58 UTC
* CVE-2020-26570

The gemsafe GPK smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in sc_pkcs15emu_gemsafeGPK_init.

Report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24316
Patch: https://github.com/OpenSC/OpenSC/commit/6903aebfddc466d966c7b865fae34572bf3ed23e

* CVE-2020-26571

The gemsafe GPK smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in sc_pkcs15emu_gemsafeGPK_init.

Patch: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20612

* CVE_2020-26572

The TCOS smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in tcos_decipher.

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22967
Patch: https://github.com/OpenSC/OpenSC/commit/9d294de90d1cc66956389856e60b6944b27b4817
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-16 18:55:26 UTC
Should be fixed in the upcoming 0.21.0: https://github.com/OpenSC/OpenSC/commit/c4a75eb1c20130fee03f29c8ffb802003abd8883.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-24 18:11:05 UTC
0.21.0 is released with the fixes.
Comment 3 Henning Schild 2020-12-04 09:30:57 UTC
0.21.0 is out
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-14 03:38:22 UTC
Bumped in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=654dd726c0606a4b6ff37628cd6f7dcde3255290. Let us know when ready to stable.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-06 00:55:42 UTC
Ready?
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-20 00:03:10 UTC
amd64 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-20 00:04:14 UTC
ppc done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-20 00:04:48 UTC
ppc64 done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-20 00:05:17 UTC
arm done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-20 00:33:27 UTC
x86 done

all arches done
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-20 01:54:19 UTC
Please cleanup.
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2021-03-19 18:24:34 UTC
some forgotten bug.