Source: opensc Version: 0.23.0-0.2 Severity: important Tags: security upstream Forwarded: https://github.com/OpenSC/OpenSC/issues/2785 X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for opensc. CVE-2023-2977[0]: | A vulnerbility was found in OpenSC. This security flaw cause a buffer | overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The | attacker can supply a smart card package with malformed ASN1 context. | The cardos_have_verifyrc_package function scans the ASN1 buffer for 2 | tags, where remaining length is wrongly caculated due to moved | starting pointer. This leads to possible heap-based buffer oob read. | In cases where ASAN is enabled while compiling this causes a crash. | Further info leak or more damage is possible. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-2977 https://www.cve.org/CVERecord?id=CVE-2023-2977 [1] https://github.com/OpenSC/OpenSC/issues/2785 [2] https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a Please adjust the affected versions in the BTS as needed. Regards, Salvatore
