oss-sec mailing list archives

Re: CVE Request -- 1, ccid -- int.overflow leading to array index error 2, pcsc-lite stack-based buffer overflow in ATR decoder [was: [oss-security] CVE request: opensc buffer overflow ]

From: Josh Bressers <bressers () redhat com>
Date: Mon, 3 Jan 2011 13:47:20 -0500 (EST)



----- Original Message -----

Hello Josh, Steve, vendors,

Rafael Dominguez Vega of MWR InfoSecurity reported two more flaws
related with smart cards:

I), CCID: Integer overflow, leading to array index error when
processing crafted serial number of certain cards

Description:
An integer overflow, leading to array index error was found
in the way USB CCID (Chip/Smart Card Interface Devices) driver
processed certain values of card serial number. A local attacker
could use this flaw to execute arbitrary code, with the privileges
of the user running the pcscd daemon, via a malicious smart card
with specially-crafted value of its serial number, inserted to
the system USB port.

References:
[1]
http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-libccid-buffer-overflow_2010-12-13.pdf
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607780
[3] https://bugzilla.redhat.com/show_bug.cgi?id=664986

Upstream changesets:
[4]
http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004934.html
[5]
http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004935.html


Please use CVE-2010-4530 for the above issue.


II), pcsc-lite: Stack-based buffer overflow in Answer-to-Reset (ATR)
decoder

Description:
A stack-based buffer overflow flaw was found in the way
PC/SC Lite smart card framework decoded certain attribute
values of the Answer-to-Reset (ATR) message, received back
from the card after connecting. A local attacker could
use this flaw to execute arbitrary code with the privileges
of the user running the pcscd daemon, via a malicious smart
card inserted to the system USB port.

References:
[1]
http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-atr-handler-buffer-overflow_2010-12-13.pdf
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607781
[3] http://www.vupen.com/english/advisories/2010/3264
[4] https://bugzilla.redhat.com/show_bug.cgi?id=664999

Upstream changeset:
[5]
http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004923.html


Please use CVE-2010-4531 for the above issue.

Thanks.

-- 
    JB

Current thread:

Re: CVE Request -- 1, ccid -- int.overflow leading to array index error 2, pcsc-lite stack-based buffer overflow in ATR decoder [was: [oss-security] CVE request: opensc buffer overflow ] Josh Bressers (Jan 03)