Red Hat Bugzilla – Bug 457367
CVE-2008-2235, CVE-2008-3972 opensc: incorrect initialization of Siemens CardOS M4 smart cards
Last modified: 2010-04-15 16:51:41 EDT
Andreas Jellinghaus, upstream maintainer for OpenSC, notified us of the opensc
security issue discovered by Chaskiel M Grundman.
Quoting text of upcoming upstream advisory:
All versions of OpenSC prior to 0.11.5 initialized smart cards
with Siemens CardOS M4 card operating system without proper
access right: the ADMIN file control information in the 5015
directory on the smart card was left to 00 (all access allowed).
With this bug anyone can change a user PIN without having the PIN
or PUK or the superuser's PIN or PUK. However it cannot be used
to figure out the PIN. Thus if the PIN on your card is still the
same you always had, then you can be sure that no one exploited
This vulnerability affects only smart cards and usb crypto tokens
based on Siemens CardOS M4, and within that group only those that
were initialized with OpenSC.
Users of other smart cards and usb crypto tokens are not affected.
Users of Siemens CardOS M4 based smart cards and crypto tokens are
not affected, if the card was initialized with some software other
Created attachment 313076
Upstream patch to be included in 0.11.5
Public now via:
Upstream advisory was updated on 2008-08-27 to fix an issue in the pkcs15-tool in the new functionality added in 0.11.5. It did not properly identify all smart cards initialized by the vulnerable version of opensc. This problem in pkcs15-tool was addressed upstream in version 0.11.6.
Fixed in rawhide with upgrade to 0.11.6.
Issue mentioned in comment #3 is now also known as CVE-2008-3972:
pkcs15-tool in OpenSC before 0.11.6 does not apply security updates to
a smart card unless the card's label matches the "OpenSC" string,
which might allow physically proximate attackers to exploit
vulnerabilities that the card owner expected were patched, as
demonstrated by exploitation of CVE-2008-2235.
opensc-0.11.7-1.fc9 has been submitted as an update for Fedora 9.
opensc-0.11.7-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.