Andreas Jellinghaus, upstream maintainer for OpenSC, notified us of the opensc security issue discovered by Chaskiel M Grundman. Quoting text of upcoming upstream advisory: All versions of OpenSC prior to 0.11.5 initialized smart cards with Siemens CardOS M4 card operating system without proper access rights: the ADMIN file control information in the 5015 directory on the smart card was left to 00 (all access allowed). With this bug anyone can change a user PIN without having the PIN or PUK or the superuser's PIN or PUK. However it cannot be used to figure out the PIN. Thus if the PIN on your card is still the same you always had, then you can be sure that no one exploited this vulnerability. This vulnerability affects only smart cards and USB crypto tokens based on Siemens CardOS M4, and within that group only those that were initialized with OpenSC. Users of other smart cards and USB crypto tokens are not affected. Users of Siemens CardOS M4 based smart cards and crypto tokens are not affected if the card was initialized with some software other than OpenSC.
Created attachment 313076: Upstream patch to be included in 0.11.5
Public now via: http://www.opensc-project.org/pipermail/opensc-announce/2008-July/000020.html
Upstream advisory was updated on 2008-08-27 to fix an issue in the pkcs15-tool in the new functionality added in 0.11.5. It did not properly identify all smart cards initialized by the vulnerable version of opensc. This problem in pkcs15-tool was addressed upstream in version 0.11.6. References: http://www.opensc-project.org/pipermail/opensc-announce/2008-August/000021.html http://www.openwall.com/lists/oss-security/2008/08/27/1
Fixed in rawhide with upgrade to 0.11.6.
Issue mentioned in comment #3 is now also known as CVE-2008-3972: pkcs15-tool in OpenSC before 0.11.6 does not apply security updates to a smart card unless the card's label matches the "OpenSC" string, which might allow physically proximate attackers to exploit vulnerabilities that the card owner expected were patched, as demonstrated by exploitation of CVE-2008-2235.
opensc-0.11.7-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/opensc-0.11.7-1.fc9
opensc-0.11.7-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.