Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 13 Dec 2023 15:11:35 +0100
From: Jakub Jelen <jjelen@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-40661: Dynamic analyzers reports in pkcs15-init in OpenSC
 before 0.24.0

This advisory summarizes automatically reported issues that are
security relevant that were reported since the release of OpenSC
0.23.0 and that are relevant to the handling the card enrollment
process using pkcs15-init.

All of these require physical access to the computer at the time user
or administrator would be enrolling the cards (generating keys and
loading certificates, other card/token management) operations. The
attack requires crafted USB device or smart card that would present
the system with specially crafted responses to the APDUs so they are
considered a high-complexity and low-severity. This issue is not
exploitable just by using a PKCS#11 module as done in most of the
end-user deployments.

Security-related oss-fuzz issues

Stack buffer overflow in sc_pkcs15_get_lastupdate in pkcs15init
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60769
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60527
fixed with 245efe608d083fd4e4ec96793fdefd218e26fde7

Heap buffer overflow in setcos_create_key in pkcs15init
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60672
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64181
fixed with
440ca666eff10cc7011901252d20f3fc4ea23651
4013a807492568bf9907cfb3df41f130ac83c7b9

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650 Heap
buffer overflow in cosm_new_file in pkcs15init
fixed with 41d61da8481582e12710b5858f8b635e0a71ab5e

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60616 Heap
double free in sc_pkcs15_free_object_content
fixed with 638a5007a5d240d6fa901aa822cfeef94fe36e85

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58932 Stack
buffer overflow in cflex_delete_file in pkcs15init
fixed with c449a181a6988cc1e8dc8764d23574e48cdc3fa6

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56213 Heap
buffer overflow in sc_hsm_write_ef in pkcs15init
not in any released version, fixed with dd138d0600a1acd7991989127f36827e5836b24e

Stack buffer overflow while parsing pkcs15 profile files
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55998
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55851
fixed with 5631e9843c832a99769def85b7b9b68b4e3e3959

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54312 Stack
buffer overflow in muscle driver in pkcs15init
fixed with df5a176bfdf8c52ba89c7fef1f82f6f3b9312bc1

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53927 Stack
buffer overflow in cardos driver in pkcs15init
fixed with 578aed8391ef117ca64a9e0cba8e5c264368a0ec

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64215 Heap
buffer overflow in epass2003 driver in pkcs15init
fixed with 609164045facaeae193feb48d9c2fc5cc4321e8a

Heap buffer overflow in iasecc driver in pkcs15init
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63949
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63587
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63163
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61797
fixed with
8fc2c20c3f895569eeb58328bb882aec07325d3b
fbda61d0d276dc98b9d1d1e6810bbd21d19e3859
83b9129bd3cfc6ac57d5554e015c3df85f5076dc
2a4921ab23fd0853f327517636c50de947548161

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63104 Stack
buffer overflow in entersafe driver in pkcs15init
fixed with 50f0985f6343eeac4044661d56807ee9286db42c

Heap buffer overflow in oberthur driver in pkcs15init
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60650
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62613
fixed with 41d61da8481582e12710b5858f8b635e0a71ab5e

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61750 Stack
buffer overflow in idprime driver in pkcs15init
fixed with fa8ad362852dbefad5b6796c32f2a33859b8a8e0

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60971 Heap
buffer overflow in test_verify
fixed with ffbff25ec6c6d0ad3f8df76f57210698f7947fc3

Originally reported by OSS-fuzz automated service



The full release notes for the 0.24.0 is available in announce list:

https://sourceforge.net/p/opensc/mailman/message/58712583/

and on github:

https://github.com/OpenSC/OpenSC/releases/tag/0.24.0

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.