Bug 1684673

Summary: pcsc-lite: Memory leak in SCardEstablishContextTH() function in winscard_clnt.c
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: crypto-team, jjelen, klember, ludovic.rousseau, nmavrogi, rrelyea
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-03-04 19:35:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1684674    
Bug Blocks: 1684675    

Description Pedro Sampaio 2019-03-01 20:19:59 UTC 
A flaw was found in pcsc-lite. A memory leak in SCardEstablishContextTH() function in winscard_clnt.c may lead to denial of service.

References:

https://salsa.debian.org/rousseau/PCSC/issues/1
Comment 1 Pedro Sampaio 2019-03-01 20:20:09 UTC 
Created pcsc-lite tracking bugs for this issue:

Affects: fedora-all [bug 1684674]
Comment 2 Scott Gayou 2019-03-04 17:41:24 UTC 
Red Hat Enterprise 7 seems to be unaffected by this when testing OpenSC. (after applying the upstream patch to remove the first memory leak in eidenv)

```
valgrind --leak-check=full eidenv 
==8831== Memcheck, a memory error detector
==8831== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==8831== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==8831== Command: eidenv
==8831== 
No smart card readers found.
Failed to connect to card: Unknown error
==8831== 
==8831== HEAP SUMMARY:
==8831==     in use at exit: 1,607 bytes in 6 blocks
==8831==   total heap usage: 62 allocs, 56 frees, 5,619 bytes allocated
==8831== 
==8831== LEAK SUMMARY:
==8831==    definitely lost: 0 bytes in 0 blocks
==8831==    indirectly lost: 0 bytes in 0 blocks
==8831==      possibly lost: 0 bytes in 0 blocks
==8831==    still reachable: 1,607 bytes in 6 blocks
==8831==         suppressed: 0 bytes in 0 blocks
==8831== Reachable blocks (those to which a pointer was found) are not shown.
==8831== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==8831== 
==8831== For counts of detected and suppressed errors, rerun with: -v
==8831== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
```
Comment 3 Scott Gayou 2019-03-04 19:35:32 UTC 
Unable to reproduce this on anything. It was reproducible yesterday on my Fedora 29 install, but no longer today. Tried it on a bunch of other VMs, OS versions, different build options, etc. Unclear what I was seeing, but I think it was a fluke.

Closing due to low severity of this.
Comment 4 Ludovic Rousseau 2019-03-05 09:04:10 UTC 
The bug described in https://salsa.debian.org/rousseau/PCSC/issues/1 is still not fixed upstream.

I don't think this issue could lead to a denial of service. The allocation is done only once per execution of a PC/SC client application.
I agree it is a minor issue.

As the upstream developer I have no plan to fix it soon.