Bug 664986 (CVE-2010-4530)

Summary: CVE-2010-4530 CCID: Integer overflow, leading to array index error when processing crafted serial number of certain cards
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bressers, kalevlember, rpattath, rrelyea
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: public=20101213,reported=20101222,source=debian,impact=low,cvss2=4.6/AV:L/AC:L/Au:N/C:P/I:P/A:P,rhel-5/ccid=affected,rhel-6/ccid=affected,fedora-all/ccid=affected,cwe=CWE-190[auto]
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-01 00:39:17 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 664987, 883647, 953045    
Bug Blocks: 855229, 952520    

Description Jan Lieskovsky 2010-12-22 06:51:27 EST
An integer overflow, leading to array index error was found
in the way USB CCID (Chip/Smart Card Interface Devices) driver
processed certain values of card serial number. A local attacker
could use this flaw to execute arbitrary code, with the privileges
of the user running the pcscd daemon, via a malicious smart card
with specially-crafted value of its serial number, inserted to
the system USB port.

References:
[1] http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-libccid-buffer-overflow_2010-12-13.pdf
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607780

Upstream changesets:
[3] http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004934.html
[4] http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004935.html
Comment 1 Jan Lieskovsky 2010-12-22 06:53:53 EST
This issue affects the versions of the ccid package, as shipped
with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the ccid package, as shipped
with Fedora release of 13 and 14.

Please schedule an update with the above upstream patches.
Comment 2 Jan Lieskovsky 2010-12-22 06:54:54 EST
Created ccid tracking bugs for this issue

Affects: fedora-all [bug 664987]
Comment 3 Jan Lieskovsky 2010-12-22 07:57:18 EST
CVE Request:
http://www.openwall.com/lists/oss-security/2010/12/22/7
Comment 4 Kalev Lember 2011-01-05 06:34:09 EST
I have submitted updates for Fedora 13 and Fedora 14. In rawhide the version of the ccid package is newer, containing the upstream patch, and is not affected by the vulnerability.

https://admin.fedoraproject.org/updates/ccid-1.4.0-2.fc14
https://admin.fedoraproject.org/updates/ccid-1.3.11-2.fc13
Comment 8 errata-xmlrpc 2013-02-21 05:54:47 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0523 https://rhn.redhat.com/errata/RHSA-2013-0523.html
Comment 14 errata-xmlrpc 2013-09-30 18:47:50 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1323 https://rhn.redhat.com/errata/RHSA-2013-1323.html
Comment 15 Huzaifa S. Sidhpurwala 2013-10-01 00:49:07 EDT
Statement:

(none)