Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Wed, 22 Dec 2010 13:55:08 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>,
        Robert Relyea <rrelyea@...hat.com>
Subject: CVE Request -- 1, ccid -- int.overflow leading to array index error
 2, pcsc-lite stack-based buffer overflow in ATR decoder [was: 
 CVE request: opensc buffer overflow ]

Hello Josh, Steve, vendors,

   Rafael Dominguez Vega of MWR InfoSecurity reported two more flaws related with smart cards:

   I), CCID: Integer overflow, leading to array index error when processing crafted serial number of certain cards

   Description:
   An integer overflow, leading to array index error was found
   in the way USB CCID (Chip/Smart Card Interface Devices) driver
   processed certain values of card serial number. A local attacker
   could use this flaw to execute arbitrary code, with the privileges
   of the user running the pcscd daemon, via a malicious smart card
   with specially-crafted value of its serial number, inserted to
   the system USB port.

   References:
   [1] http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-libccid-buffer-overflow_2010-12-13.pdf
   [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607780
   [3] https://bugzilla.redhat.com/show_bug.cgi?id=664986

   Upstream changesets:
   [4] http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004934.html
   [5] http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004935.html

   II), pcsc-lite: Stack-based buffer overflow in Answer-to-Reset (ATR) decoder

   Description:
   A stack-based buffer overflow flaw was found in the way
   PC/SC Lite smart card framework decoded certain attribute
   values of the Answer-to-Reset (ATR) message, received back
   from the card after connecting. A local attacker could
   use this flaw to execute arbitrary code with the privileges
   of the user running the pcscd daemon, via a malicious smart
   card inserted to the system USB port.

   References:
   [1] http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-atr-handler-buffer-overflow_2010-12-13.pdf
   [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607781
   [3] http://www.vupen.com/english/advisories/2010/3264
   [4] https://bugzilla.redhat.com/show_bug.cgi?id=664999

   Upstream changeset:
   [5] http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004923.html

Could you allocate CVE ids for these two too?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ