The TCOS smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in tcos_decipher. References: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22967 https://github.com/OpenSC/OpenSC/commit/9d294de90d1cc66956389856e60b6944b27b4817
Created opensc tracking bugs for this issue: Affects: epel-6 [bug 1885955] Affects: fedora-all [bug 1885956]
Flaw summary: In the tcos_decipher() routine of src/libopensc/card-tcos.c, a call to `memcpy()` of size `crgram_len` could overflow past the end of the `sbuf` buffer, causing an out-of-bounds write. This could occur when `crgram_len` is greater than the size of `SC_MAX_APDU_BUFFER_SIZE`. The patch ensures that if `crgram_len` is greater than `sbuf - 1`, an error is returned instead.
Mitigation: This flaw can be mitigated in cases where you can use opensc without the TCOS driver enabled. In such cases, the vulnerable driver can be disabled by specifying them in /etc/opensc.conf card_drivers field in allowlist fashion. One such example: ``` app default { card_drivers = cac, cac1, PIV-II; } ``` This would only enable the cac, cac1, and PIV-II smart card drivers, and all others would be disabled, including the TCOS driver. With the TCOS driver disabled, this flaw is mitigated. It is important to list all drivers that you need in the card_drivers field so that they are not disabled too.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1600 https://access.redhat.com/errata/RHSA-2021:1600
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-26572