Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-42782: cardos: Correctly calculate the left bytes to avoid buffer overrun · OpenSC/OpenSC@1252aca

Stack buffer overflow issues were found in Opensc before version 0.22.0 in various places that could potentially crash programs using the library.

CVE
#buffer_overflow

@@ -159,7 +159,7 @@ static int cardos_have_2048bit_package(sc_card_t *card)

sc_apdu_t apdu;

u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];

int r;

const u8 *p = rbuf, *q;

const u8 *p = rbuf, *q, *pp;

size_t len, tlen = 0, ilen = 0;

sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);

@@ -175,10 +175,10 @@ static int cardos_have_2048bit_package(sc_card_t *card)

return 0;

while (len != 0) {

p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);

if (p == NULL)

pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);

if (pp == NULL)

return 0;

q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);

q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);

if (q == NULL || ilen != 4)

return 0;

if (q[0] == 0x1c)

Related news

CVE-2023-2977: Possible buffer overrun vulnerability in pkcs15 `cardos_have_verifyrc_package` · Issue #2785 · OpenSC/OpenSC

A vulnerbility was found in OpenSC. This security flaw cause a buffer overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The attacker can supply a smart card package with malformed ASN1 context. The cardos_have_verifyrc_package function scans the ASN1 buffer for 2 tags, where remaining length is wrongly caculated due to moved starting pointer. This leads to possible heap-based buffer oob read. In cases where ASAN is enabled while compiling this causes a crash. Further info leak or more damage is possible.

Gentoo Linux Security Advisory 202209-03

Gentoo Linux Security Advisory 202209-3 - Multiple vulnerabilities have been discovered in OpenSC, the worst of which could result in the execution of arbitrary code. Versions less than 0.22.0 are affected.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907