Message-ID: <1350430544.125849.1294080440354.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Date: Mon, 3 Jan 2011 13:47:20 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Robert Relyea <rrelyea@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- 1, ccid -- int.overflow leading
 to array index error 2, pcsc-lite stack-based buffer overflow in ATR
 decoder [was: CVE request: opensc buffer overflow ]



----- Original Message -----
> Hello Josh, Steve, vendors,
> 
> Rafael Dominguez Vega of MWR InfoSecurity reported two more flaws
> related with smart cards:
> 
> I), CCID: Integer overflow, leading to array index error when
> processing crafted serial number of certain cards
> 
> Description:
> An integer overflow, leading to array index error was found
> in the way USB CCID (Chip/Smart Card Interface Devices) driver
> processed certain values of card serial number. A local attacker
> could use this flaw to execute arbitrary code, with the privileges
> of the user running the pcscd daemon, via a malicious smart card
> with specially-crafted value of its serial number, inserted to
> the system USB port.
> 
> References:
> [1]
> http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-libccid-buffer-overflow_2010-12-13.pdf
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607780
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=664986
> 
> Upstream changesets:
> [4]
> http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004934.html
> [5]
> http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004935.html

Please use CVE-2010-4530 for the above issue.


> 
> II), pcsc-lite: Stack-based buffer overflow in Answer-to-Reset (ATR)
> decoder
> 
> Description:
> A stack-based buffer overflow flaw was found in the way
> PC/SC Lite smart card framework decoded certain attribute
> values of the Answer-to-Reset (ATR) message, received back
> from the card after connecting. A local attacker could
> use this flaw to execute arbitrary code with the privileges
> of the user running the pcscd daemon, via a malicious smart
> card inserted to the system USB port.
> 
> References:
> [1]
> http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-atr-handler-buffer-overflow_2010-12-13.pdf
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607781
> [3] http://www.vupen.com/english/advisories/2010/3264
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=664999
> 
> Upstream changeset:
> [5]
> http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004923.html
> 

Please use CVE-2010-4531 for the above issue.

Thanks.

-- 
    JB
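
Added example, not part of the original message and not pcsc-lite code: the message does not show the affected decoder, so this is only a sketch of the bounds checking an ATR decoder needs when walking the ISO/IEC 7816-3 layout (TS, T0, interface byte groups, historical bytes, optional TCK). The names `atr_parse` and `struct atr_info` are hypothetical, and the strict length match is a choice made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ATR_MAX_LEN  33  /* TS plus at most 32 bytes (ISO/IEC 7816-3) */
#define ATR_MAX_HIST 15  /* K is a 4-bit field in T0 */

struct atr_info {        /* hypothetical result type for this example */
    uint8_t hist[ATR_MAX_HIST];
    size_t  hist_len;
    int     has_tck;
};

/* Returns 0 if the ATR is structurally consistent, -1 otherwise. */
int atr_parse(const uint8_t *atr, size_t len, struct atr_info *out)
{
    if (!atr || !out || len < 2 || len > ATR_MAX_LEN)
        return -1;
    if (atr[0] != 0x3B && atr[0] != 0x3F)      /* TS: direct or inverse */
        return -1;
    memset(out, 0, sizeof *out);
    uint8_t y = atr[1] >> 4;                   /* Y1: which of TA1..TD1 follow */
    size_t k = atr[1] & 0x0F;                  /* K: historical byte count */
    size_t pos = 2;

    for (;;) {
        size_t need = (y & 1) + ((y >> 1) & 1) + ((y >> 2) & 1) + ((y >> 3) & 1);
        if (need > len - pos)                  /* card claims bytes it never sent */
            return -1;
        pos += need;
        if (!(y & 0x8))                        /* no TDi, so no further group */
            break;
        if (atr[pos - 1] & 0x0F)               /* TDi is last in its group; T != 0 */
            out->has_tck = 1;
        y = atr[pos - 1] >> 4;
    }
    if (k + (size_t)out->has_tck != len - pos) /* strict: lengths must agree */
        return -1;
    if (out->has_tck) {                        /* XOR of T0..TCK must be zero */
        uint8_t x = 0;
        for (size_t i = 1; i < len; i++)
            x ^= atr[i];
        if (x != 0)
            return -1;
    }
    memcpy(out->hist, atr + pos, k);           /* k <= 15 and k <= len - pos */
    out->hist_len = k;
    return 0;
}
```

Every length the card declares (the presence bits in T0/TDi and the historical byte count K) is checked against the number of bytes actually received before anything is read or copied.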
