2248685 – (CVE-2023-5992) CVE-2023-5992 OpenSC: Side-channel leaks while stripping encryption PKCS#1 padding

Bug 2248685 (CVE-2023-5992) - CVE-2023-5992 OpenSC: Side-channel leaks while stripping encryption PKCS#1 padding

Summary: CVE-2023-5992 OpenSC: Side-channel leaks while stripping encryption PKCS#1 pa...

Keywords:
Status:	NEW
Alias:	CVE-2023-5992
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2248687
TreeView+	depends on / blocked

Reported:	2023-11-08 11:05 UTC by Dhananjay Arunesh
Modified:	2024-03-14 16:34 UTC (History)
CC List:	5 users (show)
Fixed In Version:	OpenSC 0.24.0
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in OpenSC where PKCS#1 encryption padding removal is not implemented as side-channel resistant. This issue may result in the potential leak of private data.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:0966	0	None	None	None	2024-02-26 02:14:32 UTC
Red Hat Product Errata	RHSA-2024:0967	0	None	None	None	2024-02-26 02:17:07 UTC

Description Dhananjay Arunesh 2023-11-08 11:05:46 UTC

The OpenSC code handling the PKCS#1 encryption padding removal is not implemented in side-channel resistant way, which can lead to possible leak to private key data.

Comment 8 errata-xmlrpc 2024-02-26 02:14:31 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0966 https://access.redhat.com/errata/RHSA-2024:0966

Comment 9 errata-xmlrpc 2024-02-26 02:17:06 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0967 https://access.redhat.com/errata/RHSA-2024:0967

Comment 10 Veronika Hanulíková 2024-03-07 09:17:59 UTC

Should there be for this CVE also clone for Fedora?

Comment 11 Zack Miele 2024-03-14 14:22:05 UTC

In reply to comment #10:
> Should there be for this CVE also clone for Fedora?

At the time this bz was made public the Fedora package had already been updated to a fixed version. I did not want to create any unneeded noise.

Comment 12 Jakub Jelen 2024-03-14 16:34:03 UTC

No, it was not. The fix landed only in 0.25.0 as described here:

https://github.com/OpenSC/OpenSC/wiki/CVE-2023-5992

The NIST pages were not updated with the latest information 

https://www.cve.org/CVERecord?id=CVE-2023-5992
https://nvd.nist.gov/vuln/detail/CVE-2023-5992

Can you take care of updating these?

Note You need to log in before you can comment on or make changes to this bug.