OpenSC before 0.20.0 has a double free in coolkey_free_private_data because coolkey_add_object in libopensc/card-coolkey.c lacks a uniqueness check.
Created opensc tracking bugs for this issue: Affects: fedora-30 [bug 1837948]
Upstream commit: https://github.com/OpenSC/OpenSC/commit/c246f6f69a749d4f68626b40795a4f69168008f4
Created opensc tracking bugs for this issue: Affects: epel-all [bug 1838182]
Function coolkey_free_private_data() iterates over all elements in coolkey_private_data_t.objects_list, freeing the `data` field. However, it may happen that two items in the list have the same `data` value, thus causing the double free when the second element is freed. If coolkey_add_object() is called multiple times with the same `object_id`, then when an object's `data` is filled with coolkey_fill_object() it may set the same value on multiple objects in the list. The issue is fixed by ensuring that there is only one unique element for a given object_id value.
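A constructed C model of the defect and of the fix, added here for illustration (it is not OpenSC's code; the types `obj_t`/`obj_list_t`, the function names and the counting stand-in for the cleanup loop are simplifications): adding the same object_id twice without a uniqueness check leaves two list elements aliasing one `data` buffer, which the cleanup loop would then free twice, while the checked variant keeps exactly one element per id.

```c
#include <stddef.h>

/* Constructed model of the coolkey object list; not OpenSC's real types. */
typedef struct { unsigned long object_id; unsigned char *data; } obj_t;
typedef struct { obj_t objects[16]; size_t count; } obj_list_t;

/* Pre-fix behaviour: append a new element even if object_id already exists. */
obj_t *add_object_unchecked(obj_list_t *l, unsigned long id) {
    if (l->count >= 16) return NULL;
    obj_t *o = &l->objects[l->count++];
    o->object_id = id;
    o->data = NULL;
    return o;
}

/* Fixed behaviour: reuse the existing element for a known object_id, so each
 * id is represented exactly once (the uniqueness check the commit adds). */
obj_t *add_object_checked(obj_list_t *l, unsigned long id) {
    for (size_t i = 0; i < l->count; i++)
        if (l->objects[i].object_id == id) return &l->objects[i];
    return add_object_unchecked(l, id);
}

/* Like coolkey_fill_object(): every element carrying this id receives the
 * same buffer, which is what makes a later cleanup free it more than once. */
void fill_object(obj_list_t *l, unsigned long id, unsigned char *buf) {
    for (size_t i = 0; i < l->count; i++)
        if (l->objects[i].object_id == id) l->objects[i].data = buf;
}

/* Stand-in for the loop in coolkey_free_private_data(): instead of calling
 * free() on each data pointer, count how often it would free this buffer. */
int cleanup_frees_of(const obj_list_t *l, const unsigned char *buf) {
    int n = 0;
    for (size_t i = 0; i < l->count; i++)
        if (l->objects[i].data == buf) n++;
    return n;  /* anything above 1 is a double free */
}

/* Scenario: the same object_id is added twice (constructed value 0x1234),
 * the object is filled, then cleanup runs. Returns the number of frees. */
int scenario(obj_t *(*add)(obj_list_t *, unsigned long)) {
    obj_list_t l = { 0 };
    static unsigned char buf[4] = { 1, 2, 3, 4 };
    add(&l, 0x1234);
    add(&l, 0x1234);
    fill_object(&l, 0x1234, buf);
    return cleanup_frees_of(&l, buf);  /* 2 with unchecked add, 1 with checked */
}
```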
The double-free can be triggered only during clean-up of the smart card structures and an attack would very likely require multiple attempts due to the various protections used in Red Hat Enterprise Linux and Fedora (e.g. ASLR), which would mean an attacker has to remove and re-insert the malicious smart card multiple times to actually exploit the system. When such attacks fail, this would result just in a segmentation fault with no security consequences. Considering the above reasons, I am increasing the Attack Complexity to High (AC:H) in the CVSSv3 score and downgrading the Impact of this flaw to Moderate, as they make the flaw much harder to exploit.
Mitigation: If the coolkey driver is not necessary for the configuration and system in use, it is possible to disable it by not listing it in the /etc/opensc.conf file. For example:

```
app default {
    card_drivers = cac, cac1, PIV-II;
}
```
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4483 https://access.redhat.com/errata/RHSA-2020:4483
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20792