Your message dated Wed, 22 Dec 2010 15:02:12 +0000
with message-id <e1pvqci-0002ty...@franck.debian.org>
and subject line Bug#607427: fixed in opensc 0.11.13-1.1
has caused the Debian Bug report #607427,
regarding libopensc: CVE-2010-4523: buffer overflow from rogue cards
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
607427: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607427
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libopensc2
Version: 0.11.4-5+lenny1
Tags: security
Severity: critical

Hi,

a buffer overflow vulnerability was detected in libopensc.

For details please see this press article (German: [1], English: [2])
and the detailed report[3] including a proof-of-concept by MWR
InfoSecurity[4].

The OpenSC developers have released a patch which should fix this
vulnerability[5].

If Debian isn't affected by this vulnerability or if it has already been
fixed, please don't hesitate to downgrade or close this bug.

Best regards

Alexander Kurtz

[1] http://www.heise.de/security/meldung/Wenn-die-Smartcard-den-Rechner-rootet-1154599.html
[2] http://www.h-online.com/open/news/item/When-a-smart-card-can-root-your-computer-1154829.html
[3] http://labs.mwrinfosecurity.com/files/Advisories/mwri_opensc-get-serial-buffer-overflow_2010-12-13.pdf
[4] http://www.mwrinfosecurity.com/index.php
[5] https://www.opensc-project.org/opensc/changeset/4913



--- End Message ---
--- Begin Message ---
Source: opensc
Source-Version: 0.11.13-1.1

We believe that the bug you reported is fixed in the latest version of
opensc, which is due to be installed in the Debian FTP archive:

libopensc2-dbg_0.11.13-1.1_amd64.deb
  to main/o/opensc/libopensc2-dbg_0.11.13-1.1_amd64.deb
libopensc2-dev_0.11.13-1.1_amd64.deb
  to main/o/opensc/libopensc2-dev_0.11.13-1.1_amd64.deb
libopensc2_0.11.13-1.1_amd64.deb
  to main/o/opensc/libopensc2_0.11.13-1.1_amd64.deb
mozilla-opensc_0.11.13-1.1_amd64.deb
  to main/o/opensc/mozilla-opensc_0.11.13-1.1_amd64.deb
opensc_0.11.13-1.1.debian.tar.bz2
  to main/o/opensc/opensc_0.11.13-1.1.debian.tar.bz2
opensc_0.11.13-1.1.dsc
  to main/o/opensc/opensc_0.11.13-1.1.dsc
opensc_0.11.13-1.1_amd64.deb
  to main/o/opensc/opensc_0.11.13-1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 607...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <j...@debian.org> (supplier of updated opensc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 22 Dec 2010 14:20:22 +0000
Source: opensc
Binary: opensc libopensc2-dev libopensc2 libopensc2-dbg mozilla-opensc
Architecture: source amd64
Version: 0.11.13-1.1
Distribution: unstable
Urgency: high
Maintainer: Eric Dorland <e...@debian.org>
Changed-By: Jonathan Wiltshire <j...@debian.org>
Description: 
 libopensc2 - Smart card library with support for PKCS#15 compatible smart card
 libopensc2-dbg - Debugging symbols for libopensc2
 libopensc2-dev - OpenSC development files
 mozilla-opensc - Mozilla plugin for authentication using OpenSC
 opensc     - Smart card utilities with support for PKCS#15 compatible cards
Closes: 607427
Changes: 
 opensc (0.11.13-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2010-4523: Protect against buffer overflow from rogue cards
     (closes: #607427)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
