Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 22 Dec 2010 13:55:08 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>,
        Robert Relyea <rrelyea@...hat.com>
Subject: CVE Request -- 1, ccid -- int.overflow leading to array index error
 2, pcsc-lite stack-based buffer overflow in ATR decoder [was: 
 CVE request: opensc buffer overflow ]

Hello Josh, Steve, vendors,

   Rafael Dominguez Vega of MWR InfoSecurity reported two more flaws related with smart cards:

   I), CCID: Integer overflow, leading to array index error when processing crafted serial number of certain cards

   Description:
   An integer overflow, leading to array index error was found
   in the way USB CCID (Chip/Smart Card Interface Devices) driver
   processed certain values of card serial number. A local attacker
   could use this flaw to execute arbitrary code, with the privileges
   of the user running the pcscd daemon, via a malicious smart card
   with specially-crafted value of its serial number, inserted to
   the system USB port.

   References:
   [1] http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-libccid-buffer-overflow_2010-12-13.pdf
   [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607780
   [3] https://bugzilla.redhat.com/show_bug.cgi?id=664986

   Upstream changesets:
   [4] http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004934.html
   [5] http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004935.html

   II), pcsc-lite: Stack-based buffer overflow in Answer-to-Reset (ATR) decoder

   Description:
   A stack-based buffer overflow flaw was found in the way
   PC/SC Lite smart card framework decoded certain attribute
   values of the Answer-to-Reset (ATR) message, received back
   from the card after connecting. A local attacker could
   use this flaw to execute arbitrary code with the privileges
   of the user running the pcscd daemon, via a malicious smart
   card inserted to the system USB port.

   References:
   [1] http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-atr-handler-buffer-overflow_2010-12-13.pdf
   [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607781
   [3] http://www.vupen.com/english/advisories/2010/3264
   [4] https://bugzilla.redhat.com/show_bug.cgi?id=664999

   Upstream changeset:
   [5] http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004923.html

Could you allocate CVE ids for these two too?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.