Bug 282531 - buffer overflow in pcsc-lite-1.3.3-1.fc7
Summary: buffer overflow in pcsc-lite-1.3.3-1.fc7
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: pcsc-lite
Version: 8
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Bob Relyea
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-09-07 15:32 UTC by David Mueller
Modified: 2009-01-09 04:52 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-09 04:52:43 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
log file (130.94 KB, text/plain)
2007-09-07 15:32 UTC, David Mueller
no flags Details

Description David Mueller 2007-09-07 15:32:10 UTC
Description of problem:

Attempting to log into a smart card from a Citrix/Windows Terminal Services
application causes pcscd to crash with a buffer overflow.

I can use the card normally with local applications such as Firefox, SeaMonkey,
and Thunderbird, as well as browse the card from Terminal Services applications,
such as ActivCard ActivClient 5.4.  However, attempting an activity that
requires logging into the card with a PIN (such as signing an email with Outlook
2002) fails with an error message "A required action was not successful due to
an unspecified error" from Outlook.  Doing this while running pcscd in the
foreground, I discovered the error.

I've attached a log (created with /usr/sbin/pcscd -f --debug) from running the
application and inserting the card to the point where it crashes.

Version-Release number of selected component (if applicable):

pcsc-lite-1.3.3-1.fc7

How reproducible:


Steps to Reproduce:
1. Insert smart card into reader.
2. Connect to a Windows Terminal Services application such as Microsoft Outlook.
3. Attempt an activity that requires a PIN, such as sending an email signed with
a certificate on the card.
  
Actual results:

Error message from Outlook: "A required action was not successful due to an
unspecified error"

pcscd crashes with buffer overflow error message:

*** buffer overflow detected ***: pcscd terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x617bb1]
/lib/libc.so.6[0x6173c8]
/lib/libc.so.6(_IO_default_xsputn+0xcd)[0x59719d]
/lib/libc.so.6(_IO_vfprintf+0x153)[0x56ee63]
/lib/libc.so.6(__vsprintf_chk+0xad)[0x61747d]
/lib/libc.so.6(__sprintf_chk+0x30)[0x6173b0]
/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so.1.2.1[0x11222b]
/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so.1.2.1[0x112fed]
/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so.1.2.1[0x113304]
/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so.1.2.1[0x113ea0]
/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so.1.2.1(IFDHTransmitToICC+0x6d)[0x115f1d]
pcscd[0x804d955]
pcscd[0x8053580]
pcscd[0x80562a2]
pcscd[0x8056cee]
/lib/libpthread.so.0[0x6d544b]
/lib/libc.so.6(clone+0x5e)[0x60380e]
======= Memory map: ========
00110000-00111000 r-xp 00110000 00:00 0          [vdso]
00111000-00121000 r-xp 00000000 08:06 4480784   
/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so.1.2.1
00121000-00123000 rwxp 0000f000 08:06 4480784   
/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so.1.2.1
00514000-0052f000 r-xp 00000000 08:06 1636623    /lib/ld-2.6.so
0052f000-00530000 r-xp 0001a000 08:06 1636623    /lib/ld-2.6.so
00530000-00531000 rwxp 0001b000 08:06 1636623    /lib/ld-2.6.so
00533000-00681000 r-xp 00000000 08:06 1636624    /lib/libc-2.6.so
00681000-00683000 r-xp 0014e000 08:06 1636624    /lib/libc-2.6.so
00683000-00684000 rwxp 00150000 08:06 1636624    /lib/libc-2.6.so
00684000-00687000 rwxp 00684000 00:00 0
006d0000-006e4000 r-xp 00000000 08:06 1636730    /lib/libpthread-2.6.so
006e4000-006e5000 r-xp 00013000 08:06 1636730    /lib/libpthread-2.6.so
006e5000-006e6000 rwxp 00014000 08:06 1636730    /lib/libpthread-2.6.so
006e6000-006e8000 rwxp 006e6000 00:00 0
007f8000-007fb000 r-xp 00000000 08:06 1637546    /lib/libdl-2.6.so
007fb000-007fc000 r-xp 00002000 08:06 1637546    /lib/libdl-2.6.so
007fc000-007fd000 rwxp 00003000 08:06 1637546    /lib/libdl-2.6.so
00d48000-00d53000 r-xp 00000000 08:06 1637526    /lib/libgcc_s-4.1.2-20070503.so.1
00d53000-00d54000 rwxp 0000a000 08:06 1637526    /lib/libgcc_s-4.1.2-20070503.so.1
00de8000-00dee000 r-xp 00000000 08:06 2998695    /usr/lib/libusb-0.1.so.4.4.4
00dee000-00df0000 rwxp 00006000 08:06 2998695    /usr/lib/libusb-0.1.so.4.4.4
08047000-0805d000 r-xp 00000000 08:06 3005733    /usr/sbin/pcscd
0805d000-0805e000 rw-p 00015000 08:06 3005733    /usr/sbin/pcscd
0805e000-080e7000 rw-p 0805e000 00:00 0
082e8000-0832a000 rw-p 082e8000 00:00 0
b1bdb000-b1bdc000 ---p b1bdb000 00:00 0
b1bdc000-b25dc000 rw-p b1bdc000 00:00 0
b25dc000-b25dd000 ---p b25dc000 00:00 0
b25dd000-b2fdd000 rw-p b25dd000 00:00 0
b2fdd000-b2fde000 ---p b2fdd000 00:00 0
b2fde000-b39de000 rw-p b2fde000 00:00 0
b39de000-b39df000 ---p b39de000 00:00 0
b39df000-b43df000 rw-p b39df000 00:00 0
b43df000-b43e0000 ---p b43df000 00:00 0
b43e0000-b4de0000 rw-p b43e0000 00:00 0
b4de0000-b4de1000 ---p b4de0000 00:00 0
b4de1000-b57e1000 rw-p b4de1000 00:00 0
b57e1000-b57e2000 ---p b57e1000 00:00 0
b57e2000-b61e2000 rw-p b57e2000 00:00 0
b61e2000-b61e3000 ---p b61e2000 00:00 0
b61e3000-b6be3000 rw-p b61e3000 00:00 0
b6be3000-b6be4000 ---p b6be3000 00:00 0
b6be4000-b75e4000 rw-p b6be4000 00:00 0
b75e4000-b75e5000 ---p b75e4000 00:00 0
b75e5000-b7fe7000 rw-p b75e5000 00:00 0
b7ff0000-b7ff1000 rw-s 0000f000 08:06 3078819    /var/run/pcscd.pub
b7ff1000-b7ff2000 rw-s 0000e000 08:06 3078819    /var/run/pcscd.pub
b7ff2000-b7ff3000 rw-s 0000d000 08:06 3078819    /var/run/pcscd.pub
b7ff3000-b7ff4000 rw-s 0000c000 08:06 3078819    /var/run/pcscd.pub
b7ff4000-b7ff5000 rw-s 0000b000 08:06 3078819    /var/run/pcscd.pub
b7ff5000-b7ff6000 rw-s 0000a000 08:06 3078819    /var/run/pcscd.pub
b7ff6000-b7ff7000 rw-s 00009000 08:06 3078819    /var/run/pcscd.pub
b7ff7000-b7ff8000 rw-s 00008000 08:06 3078819    /var/run/pcscd.pub
b7ff8000-b7ff9000 rw-s 00007000 08:06 3078819    /var/run/pcscd.pub
b7ff9000-b7ffa000 rw-s 00006000 08:06 3078819    /var/run/pcscd.pub
b7ffa000-b7ffb000 rw-s 00005000 08:06 3078819    /var/run/pcscd.pub
b7ffb000-b7ffc000 rw-s 00004000 08:06 3078819    /var/run/pcscd.pub
b7ffc000-b7ffd000 rw-s 00003000 08:06 3078819    /var/run/pcscd.pub
b7ffd000-b7ffe000 rw-s 00002000 08:06 3078819    /var/run/pcscd.pub
b7ffe000-b7fff000 rw-s 00001000 08:06 3078819    /var/run/pcscd.pub
b7fff000-b8000000 rw-s 00000000 08:06 3078819    /var/run/pcscd.pub
bfc7f000-bfc94000 rw-p bfc7f000 00:00 0          [stack]
Aborted

Expected results:

Signed email should be sent.

Additional info:

Comment 1 David Mueller 2007-09-07 15:32:10 UTC
Created attachment 190021 [details]
log file

Comment 2 David Mueller 2007-09-18 15:52:28 UTC
From some additional testing, we have found that the smart card support does
work correctly (sending a signed email with Outlook) with Fedora Core 5, using
pcsc-lite-1.3.1-1.fc5 and Citrix ICAClient-10.0-2 (the Fedora 7 testing was done
with ICAClient 10.6-1).

Comment 3 David Mueller 2007-09-18 16:37:12 UTC
Just tried with ICAClient-10.0-2 on Fedora 7, so it looks like it is a pcsc-lite
problem.

Comment 4 David Mueller 2007-09-18 18:12:18 UTC
I just got another report that it works with RHEL5 (pcsc-lite-1.3.1-7) and
ICAClient 10.6.

Comment 5 David Mueller 2007-11-20 22:25:27 UTC
Updating version to f8 is still an issue with Fedora 8, with pcsc-lite-1.3.3-1.fc8.

Comment 6 David Mueller 2007-12-03 16:11:52 UTC
This is no longer an issue on my end as the Windows Terminal Servers have been
upgraded to ActivClient 6.0 and that version does not appear to cause the crash
on Fedora 8.

Comment 7 Bug Zapper 2008-11-26 07:46:04 UTC
This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 8 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 8 Bug Zapper 2009-01-09 04:52:43 UTC
Fedora 8 changed to end-of-life (EOL) status on 2009-01-07. Fedora 8 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.