Date: Mon, 3 Jan 2011 13:47:20 -0500 (EST) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: Robert Relyea <rrelyea@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE Request -- 1, ccid -- int.overflow leading to array index error 2, pcsc-lite stack-based buffer overflow in ATR decoder [was: CVE request: opensc buffer overflow ] ----- Original Message ----- > Hello Josh, Steve, vendors, > > Rafael Dominguez Vega of MWR InfoSecurity reported two more flaws > related with smart cards: > > I), CCID: Integer overflow, leading to array index error when > processing crafted serial number of certain cards > > Description: > An integer overflow, leading to array index error was found > in the way USB CCID (Chip/Smart Card Interface Devices) driver > processed certain values of card serial number. A local attacker > could use this flaw to execute arbitrary code, with the privileges > of the user running the pcscd daemon, via a malicious smart card > with specially-crafted value of its serial number, inserted to > the system USB port. > > References: >  > http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-libccid-buffer-overflow_2010-12-13.pdf >  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607780 >  https://bugzilla.redhat.com/show_bug.cgi?id=664986 > > Upstream changesets: >  > http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004934.html >  > http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004935.html Please use CVE-2010-4530 for the above issue. > > II), pcsc-lite: Stack-based buffer overflow in Answer-to-Reset (ATR) > decoder > > Description: > A stack-based buffer overflow flaw was found in the way > PC/SC Lite smart card framework decoded certain attribute > values of the Answer-to-Reset (ATR) message, received back > from the card after connecting. A local attacker could > use this flaw to execute arbitrary code with the privileges > of the user running the pcscd daemon, via a malicious smart > card inserted to the system USB port. > > References: >  > http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-atr-handler-buffer-overflow_2010-12-13.pdf >  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607781 >  http://www.vupen.com/english/advisories/2010/3264 >  https://bugzilla.redhat.com/show_bug.cgi?id=664999 > > Upstream changeset: >  > http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004923.html > Please use CVE-2010-4531 for the above issue. Thanks. -- JB
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ