Bug 457367 (CVE-2008-2235)
| Field | Value |
|---|---|
| Summary | CVE-2008-2235, CVE-2008-3972 opensc: incorrect initialization of Siemens CardOS M4 smart cards |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Keywords | Security |
| Reporter | Tomas Hoger <thoger> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | tmraz, vdanen |
| Doc Type | Bug Fix |
| Last Closed | 2010-04-15 20:51:41 UTC |
Description
Tomas Hoger
2008-07-31 08:00:23 UTC
Created attachment 313076
Upstream patch to be included in 0.11.5

Upstream advisory was updated on 2008-08-27 to fix an issue in the pkcs15-tool in the new functionality added in 0.11.5. It did not properly identify all smart cards initialized by the vulnerable version of opensc. This problem in pkcs15-tool was addressed upstream in version 0.11.6.

References:
http://www.opensc-project.org/pipermail/opensc-announce/2008-August/000021.html
http://www.openwall.com/lists/oss-security/2008/08/27/1

Fixed in rawhide with upgrade to 0.11.6.

Issue mentioned in comment #3 is now also known as CVE-2008-3972: pkcs15-tool in OpenSC before 0.11.6 does not apply security updates to a smart card unless the card's label matches the "OpenSC" string, which might allow physically proximate attackers to exploit vulnerabilities that the card owner expected were patched, as demonstrated by exploitation of CVE-2008-2235.

opensc-0.11.7-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/opensc-0.11.7-1.fc9

opensc-0.11.7-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.