Date: Wed, 22 Dec 2010 13:55:08 +0100 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org> CC: oss-security <oss-security@...ts.openwall.com>, Robert Relyea <rrelyea@...hat.com> Subject: CVE Request -- 1, ccid -- int.overflow leading to array index error 2, pcsc-lite stack-based buffer overflow in ATR decoder [was: CVE request: opensc buffer overflow ] Hello Josh, Steve, vendors, Rafael Dominguez Vega of MWR InfoSecurity reported two more flaws related with smart cards: I), CCID: Integer overflow, leading to array index error when processing crafted serial number of certain cards Description: An integer overflow, leading to array index error was found in the way USB CCID (Chip/Smart Card Interface Devices) driver processed certain values of card serial number. A local attacker could use this flaw to execute arbitrary code, with the privileges of the user running the pcscd daemon, via a malicious smart card with specially-crafted value of its serial number, inserted to the system USB port. References:  http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-libccid-buffer-overflow_2010-12-13.pdf  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607780  https://bugzilla.redhat.com/show_bug.cgi?id=664986 Upstream changesets:  http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004934.html  http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004935.html II), pcsc-lite: Stack-based buffer overflow in Answer-to-Reset (ATR) decoder Description: A stack-based buffer overflow flaw was found in the way PC/SC Lite smart card framework decoded certain attribute values of the Answer-to-Reset (ATR) message, received back from the card after connecting. A local attacker could use this flaw to execute arbitrary code with the privileges of the user running the pcscd daemon, via a malicious smart card inserted to the system USB port. References:  http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-atr-handler-buffer-overflow_2010-12-13.pdf  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607781  http://www.vupen.com/english/advisories/2010/3264  https://bugzilla.redhat.com/show_bug.cgi?id=664999 Upstream changeset:  http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004923.html Could you allocate CVE ids for these two too? Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ