Buffer overflow

Bug #692483 reported by Torsten Spindler on 2010-12-20
This bug affects 1 person
Affects            Status         Importance   Assigned to   Milestone
opensc (Debian)    Fix Released   Unknown
opensc (Ubuntu)                   Low          Unassigned
  Hardy                           Low          Unassigned
  Karmic                          Low          Unassigned
  Lucid                           Low          Unassigned
  Maverick                        Low          Unassigned
  Natty                           Low          Unassigned

Bug Description

Binary package hint: opensc

A potential security problem exists at least in Ubuntu 10.04 LTS and was fixed upstream in https://www.opensc-project.org/opensc/changeset/4913 .

Testing: the package was tested on Lucid, no regression was obvious.

Torsten Spindler (tspindler) wrote :

The problem seems to be also in the git repo from upstream Debian, git://git.debian.org/git/pkg-opensc/opensc.git . The attached patches are taken from opensc upstream (https://www.opensc-project.org/opensc/changeset/4912 and https://www.opensc-project.org/opensc/changeset/4913).

Torsten Spindler (tspindler) wrote :

I've built a patched package for testing in https://launchpad.net/~tspindler/+archive/opensc-lvm

A first test of the patched package on a smartcard enabled system was successful.

description: updated
tags: added: patch
Kees Cook (kees) wrote :

FWIW, I think the compiler flags[1] will reduce this vulnerability from being exploitable to only being a denial of service, but additional study would be needed.

[1] https://wiki.ubuntu.com/CompilerFlags

security vulnerability: no → yes
Changed in opensc (Ubuntu Lucid):
status: New → Confirmed
importance: Undecided → Low
Changed in opensc (Ubuntu Maverick):
status: New → Confirmed
importance: Undecided → Low
Changed in opensc (Ubuntu Natty):
status: New → Confirmed
importance: Undecided → Low
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opensc - 0.11.13-1ubuntu4

---------------
opensc (0.11.13-1ubuntu4) natty; urgency=low

  * SECURITY UPDATE: specially crafted cards may be able to execute code.
    - debian/patches/min-max.patch: Add MIN and MAX macros for last patch
    - debian/patches/buffer-overflow.patch: Fix potential buffer overflow
      by rogue cards. (LP: #692483)
 -- Torsten Spindler (Canonical) <email address hidden> Tue, 21 Dec 2010 09:50:33 +0100

Changed in opensc (Ubuntu Natty):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

ACK

Changed in opensc (Ubuntu Lucid):
status: Confirmed → Fix Committed
Changed in opensc (Ubuntu Maverick):
status: Confirmed → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Thanks for your patches! These look great and I have uploaded them to the security PPA. When they finish building, I will push them to the archive.

Minor nit: with DEP-3 quilt patches you don't need the DEP-3 comments commented out with '##'. Eg, the following is preferred:
Description: Fix buffer overflow
Origin: upstream, https://www.opensc-project.org/opensc/changeset/4913
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/692483

Jamie Strandboge (jdstrand) wrote :

Torsten, thanks for the patches for the older releases. The karmic debdiff only has template text for the DEP-3 comments, and the hardy debdiff should have the DEP-3 info in the debian/changelog since there isn't a patch system.

Jamie Strandboge (jdstrand) wrote :

Also, the hardy debdiff has 'jaunty' instead of 'hardy-security' and uses the wrong version for hardy. It should be 0.11.4-2ubuntu2.1. I'll fix these up in the interest of time.

Changed in opensc (Ubuntu Hardy):
status: New → Confirmed
importance: Undecided → Low
Changed in opensc (Ubuntu Karmic):
status: New → Confirmed
importance: Undecided → Low
Jamie Strandboge (jdstrand) wrote :

Karmic also had the wrong version. In the future, please review https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging to make sure the debdiff is correct. Thanks again. :)

Artur Rona (ari-tczew) wrote :

We can even use short URLs in DEP-3:
instead of https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/692483
I really prefer https://launchpad.net/bugs/692483

Regards and thanks for the patch.
MOTU SWAT

Changed in opensc (Ubuntu Hardy):
status: Confirmed → Fix Committed
Changed in opensc (Ubuntu Karmic):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opensc - 0.11.13-1ubuntu2.1

---------------
opensc (0.11.13-1ubuntu2.1) maverick-security; urgency=low

  * SECURITY UPDATE: specially crafted cards may be able to execute code.
    - debian/patches/min-max.patch: Add MIN and MAX macros for last patch
    - debian/patches/buffer-overflow.patch: Fix potential buffer overflow
      by rogue cards. (LP: #692483)
 -- Torsten Spindler (Canonical) <email address hidden> Mon, 20 Dec 2010 13:51:01 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opensc - 0.11.12-1ubuntu3.2

---------------
opensc (0.11.12-1ubuntu3.2) lucid-security; urgency=low

  * SECURITY UPDATE: specially crafted cards may be able to execute code.
    - debian/patches/min-max.patch: Add MIN and MAX macros for last patch
    - debian/patches/buffer-overflow.patch: Fix potential buffer overflow
      by rogue cards. (LP: #692483)
 -- Torsten Spindler (Canonical) <email address hidden> Mon, 20 Dec 2010 11:00:40 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opensc - 0.11.8-1ubuntu2.1

---------------
opensc (0.11.8-1ubuntu2.1) karmic-security; urgency=low

  * SECURITY UPDATE: specially crafted cards may be able to execute code.
    - debian/patches/min-max.patch: Add MIN and MAX macros for last patch
    - debian/patches/buffer-overflow.patch: Fix potential buffer overflow
      by rogue cards. (LP: #692483)
 -- Torsten Spindler (Canonical) <email address hidden> Tue, 21 Dec 2010 16:12:30 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opensc - 0.11.4-2ubuntu2.1

---------------
opensc (0.11.4-2ubuntu2.1) hardy-security; urgency=low

  * SECURITY UPDATE: specially crafted cards may be able to execute code.
    - Move MIN and MAX macros from muscle.c to internal.h
    - https://www.opensc-project.org/opensc/changeset/4912
    - Fix potential buffer overflow by rogue cards. (LP: #692483)
    - update card-acos5.c, card-atrust-acos.c and card-starcos.c to use
      MIN macros to protect against buffer overflow
    - https://www.opensc-project.org/opensc/changeset/4913
 -- Torsten Spindler (Canonical) <email address hidden> Tue, 21 Dec 2010 16:34:32 +0100
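
The pattern the changelog entries above describe (clamping a card-supplied length with MIN before copying into a fixed-size buffer), shown as an added example. It is not OpenSC code or the upstream changeset; the function names, structs and SERIAL_MAX are hypothetical, and the card reply is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Same role as the MIN macro named in the changelog; this definition is ours. */
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define SERIAL_MAX 32                  /* assumed capacity of the host buffer */

struct serial { unsigned char value[SERIAL_MAX]; size_t len; };
struct card_reply { unsigned char data[256]; size_t len; };  /* card-controlled */

/* Before: the card's length is trusted. Any reply->len > SERIAL_MAX writes
 * past value[] and into whatever follows it in memory. */
void copy_serial_unchecked(struct serial *out, const struct card_reply *reply)
{
    memcpy(out->value, reply->data, reply->len);
    out->len = reply->len;
}

/* After: clamp the card's length to the destination size before copying. */
size_t copy_serial_bounded(struct serial *out, const struct card_reply *reply)
{
    size_t n = MIN(reply->len, sizeof(out->value));
    memcpy(out->value, reply->data, n);
    out->len = n;
    return n;
}

/* Run a constructed reply of reply_len bytes through the bounded copy and
 * report whether the guard bytes placed after the struct survived. */
int guard_intact_after_bounded_copy(size_t reply_len)
{
    struct { struct serial s; unsigned char guard[8]; } host;
    struct card_reply reply;

    memset(host.guard, 0xA5, sizeof(host.guard));
    memset(reply.data, 0x41, sizeof(reply.data));
    reply.len = MIN(reply_len, sizeof(reply.data));  /* keep the sample itself in bounds */
    copy_serial_bounded(&host.s, &reply);
    for (size_t i = 0; i < sizeof(host.guard); i++)
        if (host.guard[i] != 0xA5) return 0;
    return host.s.len <= SERIAL_MAX;
}

int main(void)
{
    printf("honest card (8 bytes):  %d\n", guard_intact_after_bounded_copy(8));
    printf("rogue card (200 bytes): %d\n", guard_intact_after_bounded_copy(200));
    return 0;
}
```

copy_serial_unchecked is kept only as the "before" form and is never called; both calls in main exercise the bounded copy.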

Changed in opensc (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in opensc (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in opensc (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in opensc (Ubuntu Maverick):
status: Fix Committed → Fix Released

For the record, this is CVE-2010-4523 and it's being tracked in Debian bug #607427 (#607732 was a duplicate)

Thanks Jonathan! I caught the update today but missed the original bug.
Sorry about that.

Changed in opensc (Debian):
status: Unknown → Fix Released