Full Disclosure mailing list archives

[ MDVSA-2008:183 ] opensc
From: security () mandriva com
Date: Tue, 02 Sep 2008 15:14:00 -0600



 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:183
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : opensc
 Date    : September 2, 2008
 Affected: 2007.1, 2008.0, 2008.1, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Chaskiel M Grundman found that OpenSC would initialize smart cards
 with the Siemens CardOS M4 card operating system without proper access
 rights.  This allowed anyone to change the card's PIN without first
 having the PIN or PUK, or the superuser's PIN or PUK (CVE-2008-2235).
 
 Please note that this issue cannot be used to discover the PIN on
 a card.  If the PIN on a card is the same as it has always been,
 it is unlikely that this vulnerability has been exploited.  Also,
 this issue only affects smart cards and USB crypto tokens based on
 Siemens CardOS M4, and then only those devices that were initialized
 by OpenSC.  Users of other smart cards or USB crypto tokens, or of
 cards that were not initialized by OpenSC, are not affected.
 
 After applying the update, executing 'pkcs15-tool -T' will report
 whether the card is fine or vulnerable.  If the card is vulnerable, its
 security settings need to be updated by executing 'pkcs15-tool -T -U'.
 
 The updated packages have been patched to prevent this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2235
 http://www.opensc-project.org/security.html
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
