CVE-2021-42778 (https://bugzilla.redhat.com/show_bug.cgi?id=2016083): https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28185 https://github.com/OpenSC/OpenSC/commit/f015746d A heap double free issue was found in Opensc before version 0.22.0 in sc_pkcs15_free_tokeninfo. CVE-2021-42779 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28843): https://bugzilla.redhat.com/show_bug.cgi?id=2016086 https://github.com/OpenSC/OpenSC/commit/1db88374 A heap use after free issue was found in Opensc before version 0.22.0 in sc_file_valid. CVE-2021-42780 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28383): https://github.com/OpenSC/OpenSC/commit/5df913b7 https://bugzilla.redhat.com/show_bug.cgi?id=2016139 A use after return issue was found in Opensc before version 0.22.0 in insert_pin function that could potentially crash programs using the library. CVE-2021-42781 (https://bugzilla.redhat.com/show_bug.cgi?id=2016439): https://github.com/OpenSC/OpenSC/commit/17d8980c https://github.com/OpenSC/OpenSC/commit/5d4daf6c https://github.com/OpenSC/OpenSC/commit/40c50a3a https://github.com/OpenSC/OpenSC/commit/05648b06 https://github.com/OpenSC/OpenSC/commit/cae5c71f Heap buffer overflow issues were found in Opensc before version 0.22.0 in pkcs15-oberthur.c that could potentially crash programs using the library. CVE-2021-42782 (https://github.com/OpenSC/OpenSC/commit/1252aca9): https://github.com/OpenSC/OpenSC/commit/7114fb71 https://github.com/OpenSC/OpenSC/commit/78cdab94 https://github.com/OpenSC/OpenSC/commit/ae1cf0be https://github.com/OpenSC/OpenSC/commit/456ac566 https://bugzilla.redhat.com/show_bug.cgi?id=2016448 Stack buffer overflow issues were found in Opensc before version 0.22.0 in various places that could potentially crash programs using the library. Please stabilize 0.22.0.
GLSA request filed
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=7acf42a3800be2ca909864dd7b7f86b9b3b1d4ff commit 7acf42a3800be2ca909864dd7b7f86b9b3b1d4ff Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-09-07 02:52:29 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-09-07 02:58:06 +0000 [ GLSA 202209-03 ] OpenSC: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/839357 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202209-03.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+)
GLSA released, all done!