When the token/card was plugged into the computer and authenticated from one process, it could be used to provide cryptographic operations from a different process when the empty, zero-length PIN and the token can track the login status using some of its internals. This is dangerous for OS logon/screen unlock and small tokens that are plugged permanently to the computer.

The bypass was removed and OpenSC implemented explicit logout for most of the card drivers to prevent leaving unattended logged-in tokens.

Affected versions: OpenSC 0.17.0 - 0.23.0

https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651
https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories
https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1
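The following is an added illustration, not OpenSC code and not part of the original report: a simplified C model of the behaviour described above, showing why login state held on the token lets a second process succeed with an empty PIN, and how rejecting the empty PIN and logging out explicitly each close that path. The `token` struct, all function names and the sample PIN are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model: login state lives on the token, not in the calling process. */
struct token { const char *pin; int logged_in; };

/* Card-side PIN check (model only); success flips the token-wide login state. */
static int card_verify(struct token *t, const char *pin, size_t len) {
    if (len == strlen(t->pin) && memcmp(pin, t->pin, len) == 0) {
        t->logged_in = 1;
        return 0;
    }
    return -1;
}

/* "Before": an empty PIN is accepted whenever the token reports logged-in. */
int login_with_bypass(struct token *t, const char *pin, size_t len) {
    if (len == 0 && t->logged_in) return 0;
    return card_verify(t, pin, len);
}

/* "After": an empty PIN never authenticates; every caller must present the PIN. */
int login_strict(struct token *t, const char *pin, size_t len) {
    if (len == 0) return -1;
    return card_verify(t, pin, len);
}

/* Explicit logout when a session ends, so no logged-in state is left behind. */
void session_close(struct token *t) { t->logged_in = 0; }

/* Process A logs in with the PIN; process B then tries an empty PIN.
 * Returns B's result: 0 = B authenticated, -1 = B rejected. */
int second_process_result(int (*login)(struct token *, const char *, size_t),
                          int a_logs_out) {
    struct token t = { "123456", 0 };            /* constructed sample PIN */
    if (login(&t, "123456", 6) != 0) return -2;  /* process A */
    if (a_logs_out) session_close(&t);
    return login(&t, "", 0);                     /* process B */
}

int main(void) {
    printf("bypass, A stays logged in: %d\n", second_process_result(login_with_bypass, 0));
    printf("bypass, A logs out:        %d\n", second_process_result(login_with_bypass, 1));
    printf("strict, A stays logged in: %d\n", second_process_result(login_strict, 0));
    return 0;
}
```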
Created opensc tracking bugs for this issue:
Affects: fedora-all [bug 2248092]

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2023:7876 https://access.redhat.com/errata/RHSA-2023:7876

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2023:7879 https://access.redhat.com/errata/RHSA-2023:7879