Date: Wed, 22 Dec 2010 13:55:08 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>, Robert Relyea <rrelyea@...hat.com>
Subject: CVE Request -- 1, ccid -- int.overflow leading to array index error 2, pcsc-lite stack-based buffer overflow in ATR decoder [was: CVE request: opensc buffer overflow ]

Hello Josh, Steve, vendors,

Rafael Dominguez Vega of MWR InfoSecurity reported two more flaws related to smart cards:

I), CCID: Integer overflow, leading to array index error when processing crafted serial number of certain cards

Description:
An integer overflow, leading to an array index error, was found in the way the USB CCID (Chip/Smart Card Interface Devices) driver processed certain values of the card serial number. A local attacker could use this flaw to execute arbitrary code with the privileges of the user running the pcscd daemon, via a malicious smart card with a specially-crafted serial number value, inserted into the system USB port.

References:
  http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-libccid-buffer-overflow_2010-12-13.pdf
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607780
  https://bugzilla.redhat.com/show_bug.cgi?id=664986

Upstream changesets:
  http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004934.html
  http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004935.html

II), pcsc-lite: Stack-based buffer overflow in Answer-to-Reset (ATR) decoder

Description:
A stack-based buffer overflow flaw was found in the way the PC/SC Lite smart card framework decoded certain attribute values of the Answer-to-Reset (ATR) message received back from the card after connecting. A local attacker could use this flaw to execute arbitrary code with the privileges of the user running the pcscd daemon, via a malicious smart card inserted into the system USB port.

References:
  http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-atr-handler-buffer-overflow_2010-12-13.pdf
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607781
  http://www.vupen.com/english/advisories/2010/3264
  https://bugzilla.redhat.com/show_bug.cgi?id=664999

Upstream changeset:
  http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004923.html

Could you allocate CVE ids for these two too?

Thanks && Regards,
Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
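Both flaws above come down to trusting a length or count supplied by the card. As an added illustration, not part of Jan's message and not the pcsc-lite or libccid code itself (neither code path is on this page), here is a defensive ATR decoder in C that bounds every field it reads against the bytes actually received, together with a serial-number copy that checks the card-reported length before any arithmetic on it. The ATR layout follows ISO 7816-3 (TS, T0 with the Y1 bitmask and the 4-bit historical-byte count K, the TA/TB/TC/TD chain, historical bytes, optional TCK); the function names, the `atr_t` struct and the sample ATRs are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ATR_SIZE   33   /* ISO 7816-3: TS plus at most 32 further bytes */
#define MAX_HISTORICAL 15   /* K is a 4-bit field of T0, so 0..15 */

typedef struct {
    uint8_t ts;
    uint8_t historical[MAX_HISTORICAL];
    size_t  historical_len;
    int     has_tck;
    uint8_t tck;
    int     protocols;      /* bitmask: bit n set if T=n was offered in some TDi */
} atr_t;

/* Decode an ATR. Returns 0 on success, a negative code if the ATR is malformed
 * or claims more bytes than were received. Every read of atr[pos] is preceded
 * by a pos < len check, so a crafted T0/TDi can never index past the input. */
int atr_decode(const uint8_t *atr, size_t len, atr_t *out)
{
    if (atr == NULL || out == NULL) return -1;
    if (len < 2 || len > MAX_ATR_SIZE) return -2;
    memset(out, 0, sizeof *out);

    out->ts = atr[0];
    if (out->ts != 0x3B && out->ts != 0x3F) return -3;   /* direct/inverse convention */

    size_t  pos = 1;
    uint8_t y   = atr[pos] & 0xF0;   /* Y1: which of TA1..TD1 follow */
    size_t  k   = atr[pos] & 0x0F;   /* K: number of historical bytes */
    pos++;

    int non_t0_offered = 0;
    /* Walk the interface-byte chain; each TDi announces the next group. */
    for (;;) {
        if (y & 0x10) { if (pos >= len) return -4; pos++; }   /* TAi */
        if (y & 0x20) { if (pos >= len) return -4; pos++; }   /* TBi */
        if (y & 0x40) { if (pos >= len) return -4; pos++; }   /* TCi */
        if (!(y & 0x80)) break;                               /* no TDi: chain ends */
        if (pos >= len) return -4;
        uint8_t td = atr[pos++];
        int proto = td & 0x0F;
        out->protocols |= (1 << proto);
        if (proto != 0) non_t0_offered = 1;
        y = td & 0xF0;
    }

    /* Historical bytes: bounded by K (a nibble) AND by what is actually present.
     * A card that sets K larger than the bytes it sent is rejected, not over-read. */
    if (k > MAX_HISTORICAL) return -5;   /* impossible for a nibble; kept explicit */
    if (len - pos < k) return -6;        /* pos <= len holds here, so no wrap */
    memcpy(out->historical, atr + pos, k);
    out->historical_len = k;
    pos += k;

    /* TCK is present iff a protocol other than T=0 was offered; it must make
     * the XOR of T0 .. TCK equal zero. */
    if (non_t0_offered) {
        if (pos >= len) return -7;
        out->has_tck = 1;
        out->tck = atr[pos++];
        uint8_t x = 0;
        for (size_t i = 1; i < pos; i++) x ^= atr[i];
        if (x != 0) return -8;
    }
    if (pos != len) return -9;           /* trailing bytes: treat as malformed */
    return 0;
}

/* Copy a card-reported serial number into a fixed buffer. The reported length
 * is compared as-is against the capacity, before any +1 or other arithmetic,
 * so a huge or wrapped length cannot turn into a small in-bounds index. */
int copy_serial(const uint8_t *src, uint32_t reported_len, char *dst, size_t dst_cap)
{
    if (src == NULL || dst == NULL || dst_cap == 0) return -1;
    if (reported_len >= dst_cap) return -2;   /* leaves room for the NUL */
    memcpy(dst, src, reported_len);
    dst[reported_len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: T=1 offered, one historical byte, valid TCK (0x2A). */
    static const uint8_t t1[] = {0x3B, 0x81, 0x01, 0xAA, 0x2A};
    /* Constructed sample: K claims 5 historical bytes but only one was received. */
    static const uint8_t short_k[] = {0x3B, 0x05, 0x41};
    atr_t a;
    printf("t1 decode: %d (protocols=0x%x, hist=%zu)\n",
           atr_decode(t1, sizeof t1, &a), a.protocols, a.historical_len);
    printf("short_k decode: %d\n", atr_decode(short_k, sizeof short_k, &a));
    char serial[8];
    printf("oversized serial: %d\n", copy_serial(t1, 0xFFFFFFFFu, serial, sizeof serial));
    return 0;
}
```

The point of the two functions is the same: the only numbers trusted are the ones already verified against `len` or `dst_cap`, and a mismatch is a rejected ATR rather than an out-of-bounds read or write. A `memcpy` of `k` bytes after `if (len - pos < k)` cannot over-read; a `memcpy` of `reported_len` after `if (reported_len >= dst_cap)` cannot overflow.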