Bug 1668933 (CVE-2019-6502) - CVE-2019-6502 opensc: memory leak in sc_context_create in ctx.c in libopensc
Summary: CVE-2019-6502 opensc: memory leak in sc_context_create in ctx.c in libopensc
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-6502
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1668934
Reported: 2019-01-23 21:50 UTC by Laura Pardo
Modified: 2019-09-29 15:06 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:46:21 UTC
Embargoed:



Description Laura Pardo 2019-01-23 21:50:52 UTC
A flaw was found in OpenSC 0.19.0. Function sc_context_create in ctx.c in libopensc has a memory leak.


References:
https://github.com/OpenSC/OpenSC/issues/1586

Comment 1 Scott Gayou 2019-03-01 17:39:12 UTC
Initially a bit confusing as upstream reporter didn't mention the command. The command isn't actually given, but you can see a hint in the upstream trace: eidenv. Compile with asan, run with no args:

```
No smart card readers found.
Failed to connect to card: Unknown error

=================================================================
==28673==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 632 byte(s) in 1 object(s) allocated from:
    #0 0x4ebd3f in calloc (/home/work/workspace/opensc/OpenSC/src/tools/.libs/lt-eidenv+0x4ebd3f)
    #1 0x7f554572aebe in sc_context_create /home/work/workspace/opensc/OpenSC/src/libopensc/ctx.c:809:8
    #2 0x528a3d in main /home/work/workspace/opensc/OpenSC/src/tools/eidenv.c:397:6
    #3 0x7f554529f412 in __libc_start_main (/lib64/libc.so.6+0x24412)

Indirect leak of 224 byte(s) in 1 object(s) allocated from:
    #0 0x4ebd3f in calloc (/home/work/workspace/opensc/OpenSC/src/tools/.libs/lt-eidenv+0x4ebd3f)
    #1 0x7f554580419a in pcsc_init /home/work/workspace/opensc/OpenSC/src/libopensc/reader-pcsc.c:763:10
    #2 0x7f554572b427 in sc_context_create /home/work/workspace/opensc/OpenSC/src/libopensc/ctx.c:861:6
    #3 0x528a3d in main /home/work/workspace/opensc/OpenSC/src/tools/eidenv.c:397:6
    #4 0x7f554529f412 in __libc_start_main (/lib64/libc.so.6+0x24412)

Indirect leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x4ebaff in malloc (/home/work/workspace/opensc/OpenSC/src/tools/.libs/lt-eidenv+0x4ebaff)
    #1 0x7f5545b24624 in list_init /home/work/workspace/opensc/OpenSC/src/common/simclist.c:260:43
    #2 0x7f554572b14e in sc_context_create /home/work/workspace/opensc/OpenSC/src/libopensc/ctx.c:827:11
    #3 0x528a3d in main /home/work/workspace/opensc/OpenSC/src/tools/eidenv.c:397:6
    #4 0x7f554529f412 in __libc_start_main (/lib64/libc.so.6+0x24412)

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x4ebaff in malloc (/home/work/workspace/opensc/OpenSC/src/tools/.libs/lt-eidenv+0x4ebaff)
    #1 0x7f5545b240ce in list_init /home/work/workspace/opensc/OpenSC/src/common/simclist.c:244:47
    #2 0x7f554572b14e in sc_context_create /home/work/workspace/opensc/OpenSC/src/libopensc/ctx.c:827:11
    #3 0x528a3d in main /home/work/workspace/opensc/OpenSC/src/tools/eidenv.c:397:6
    #4 0x7f554529f412 in __libc_start_main (/lib64/libc.so.6+0x24412)

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x4ebaff in malloc (/home/work/workspace/opensc/OpenSC/src/tools/.libs/lt-eidenv+0x4ebaff)
    #1 0x7f5545b2408e in list_init /home/work/workspace/opensc/OpenSC/src/common/simclist.c:243:47
    #2 0x7f554572b14e in sc_context_create /home/work/workspace/opensc/OpenSC/src/libopensc/ctx.c:827:11
    #3 0x528a3d in main /home/work/workspace/opensc/OpenSC/src/tools/eidenv.c:397:6
    #4 0x7f554529f412 in __libc_start_main (/lib64/libc.so.6+0x24412)

Indirect leak of 7 byte(s) in 1 object(s) allocated from:
    #0 0x438390 in __interceptor_strdup (/home/work/workspace/opensc/OpenSC/src/tools/.libs/lt-eidenv+0x438390)
    #1 0x7f554572af8f in sc_context_create /home/work/workspace/opensc/OpenSC/src/libopensc/ctx.c:816:19
    #2 0x528a3d in main /home/work/workspace/opensc/OpenSC/src/tools/eidenv.c:397:6
    #3 0x7f554529f412 in __libc_start_main (/lib64/libc.so.6+0x24412)

SUMMARY: AddressSanitizer: 951 byte(s) leaked in 6 allocation(s).
```

Comment 2 Scott Gayou 2019-03-01 18:06:42 UTC
After fixing the first "leak", we get this.

```
[work@localhost-live ~]$ valgrind --leak-check=full eidenv
==21692== Memcheck, a memory error detector
==21692== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==21692== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==21692== Command: eidenv
==21692== 
No smart card readers found.
Failed to connect to card: Unknown error
==21692== 
==21692== HEAP SUMMARY:
==21692==     in use at exit: 1,727 bytes in 9 blocks
==21692==   total heap usage: 118 allocs, 109 frees, 12,986 bytes allocated
==21692== 
==21692== 112 (40 direct, 72 indirect) bytes in 1 blocks are definitely lost in loss record 7 of 9
==21692==    at 0x483880B: malloc (vg_replace_malloc.c:309)
==21692==    by 0x502C324: ???
==21692==    by 0x502B69A: ???
==21692==    by 0x48B6A36: pcsc_detect_readers (reader-pcsc.c:1354)
==21692==    by 0x486483D: sc_ctx_detect_readers (ctx.c:744)
==21692==    by 0x4864CAD: sc_context_create (ctx.c:879)
==21692==    by 0x4024E0: main (eidenv.c:397)
==21692== 
==21692== LEAK SUMMARY:
==21692==    definitely lost: 40 bytes in 1 blocks
==21692==    indirectly lost: 72 bytes in 3 blocks
==21692==      possibly lost: 0 bytes in 0 blocks
==21692==    still reachable: 1,615 bytes in 5 blocks
==21692==         suppressed: 0 bytes in 0 blocks
==21692== Reachable blocks (those to which a pointer was found) are not shown.
==21692== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==21692== 
==21692== For counts of detected and suppressed errors, rerun with: -v
==21692== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```

Comment 3 Scott Gayou 2019-03-01 18:59:27 UTC
The second leak is almost certainly https://github.com/OpenSC/OpenSC/issues/512 and https://salsa.debian.org/rousseau/PCSC/issues/1. Issue seems to be in pcsc-lite, and not opensc.

Comment 4 Scott Gayou 2019-03-01 19:33:56 UTC
Submitted potential fix for first memory leak upstream. Second leak is in pcsc-lite and I have not investigated that. As of now, my thoughts are that this CVE is invalid and should be rejected. Upstream sources have CVSS scores of up to 9.8 -- I believe those are incorrect as well and our customers are not impacted by this.
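An added illustration, not code from OpenSC or from this bug, of the ownership pattern that a report like the one in comment 1 typically comes from: the context block and its strdup()'d app name are allocated inside the library (the trace puts them at ctx.c:809 and :816, called from main in eidenv.c), but if the caller returns early on "no readers" without releasing the context, LeakSanitizer still attributes the direct leak to the library's allocation site. All names here are hypothetical stand-ins for sc_context_create/sc_release_context, the reader failure is constructed, and that eidenv's early return is the exact cause is an assumption consistent with the trace, not something this page states.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Live heap-block counter: plays the role of LeakSanitizer's exit report. */
static int live_blocks = 0;
static void *tracked_calloc(size_t n, size_t sz) {
    void *p = calloc(n, sz); if (p) live_blocks++; return p;
}
static void tracked_free(void *p) { if (p) { free(p); live_blocks--; } }
/* Hypothetical stand-in for sc_context: the real one is calloc'd and then
 * strdup()s the app name inside sc_context_create (ctx.c:809 and :816 above). */
typedef struct { char *app_name; } demo_ctx;
static int demo_context_create(demo_ctx **out, const char *app) {
    demo_ctx *ctx = tracked_calloc(1, sizeof *ctx);
    if (!ctx) return -1;
    ctx->app_name = tracked_calloc(strlen(app) + 1, 1);
    if (!ctx->app_name) { tracked_free(ctx); return -1; }
    memcpy(ctx->app_name, app, strlen(app) + 1);
    *out = ctx;
    return 0;
}
static void demo_context_release(demo_ctx *ctx) {
    if (ctx) { tracked_free(ctx->app_name); tracked_free(ctx); }
}
/* Constructed failure: no reader present, as in the traces above. */
static int demo_connect_card(demo_ctx *c) { (void)c; return -1; }
/* Tool-side pattern behind the LSan report: the early return drops ctx. */
int leaky_tool_main(void) {
    demo_ctx *ctx = NULL;
    live_blocks = 0;
    if (demo_context_create(&ctx, "eidenv") != 0) return 1;
    if (demo_connect_card(ctx) != 0) return 1;   /* ctx never released */
    demo_context_release(ctx);
    return 0;
}
/* Same flow with one exit path that always releases the context. */
int fixed_tool_main(void) {
    demo_ctx *ctx = NULL;
    int rc = 1;
    live_blocks = 0;
    if (demo_context_create(&ctx, "eidenv") != 0) return 1;
    if (demo_connect_card(ctx) == 0) rc = 0;    /* otherwise fall through */
    demo_context_release(ctx);
    return rc;
}
int blocks_leaked(void) { return live_blocks; }
int main(void) {
    leaky_tool_main(); printf("leaky: %d block(s) left\n", blocks_leaked());
    fixed_tool_main(); printf("fixed: %d block(s) left\n", blocks_leaked());
    return 0;
}
```

The leaky variant leaves two blocks (the struct and the app-name string) exactly as the "Direct leak" plus one of the "Indirect leak" entries above describe; the fixed variant leaves none while still reporting the same non-zero exit status.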

Comment 6 Scott Gayou 2019-03-01 20:30:23 UTC
Tracking other leak here: https://bugzilla.redhat.com/show_bug.cgi?id=1684673

