lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080831103711.EAF1A326F06@morgana.loeki.tv>
Date: Sun, 31 Aug 2008 12:37:11 +0200 (CEST)
From: thijs@...ian.org (Thijs Kinkhorst)
To: debian-security-announce@...ts.debian.org
Subject: [SECURITY] [DSA 1627-2] New opensc package fix
	incomplete check

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1627-2                  security@...ian.org
http://www.debian.org/security/                          Thijs Kinkhorst
August 31, 2008                       http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : opensc
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2008-2235

The previous security update for opensc had a too strict check for
vulnerable smart cards. It could flag cards as safe even though they may
be affected. This update corrects that problem. We advise users of the
smart cards concerned to re-check their card after updating the package,
following the procedure outlined in the original advisory text below.

Chaskiel M Grundman discovered that opensc, a library and utilities to
handle smart cards, would initialise smart cards with the Siemens CardOS M4
card operating system without proper access rights. This allowed everyone
to change the card's PIN.

With this bug anyone can change a user PIN without having the PIN or PUK
or the superusers PIN or PUK. However it can not be used to figure out the
PIN. If the PIN on your card is still the same you always had, there's a
reasonable chance that this vulnerability has not been exploited.

This vulnerability affects only smart cards and USB crypto tokens based on
Siemens CardOS M4, and within that group only those that were initialised
with OpenSC. Users of other smart cards and USB crypto tokens, or cards
that have been initialised with some software other than OpenSC, are not
affected.

After upgrading the package, running
    pkcs15-tool -T
will show you whether the card is fine or vulnerable. If the card is
vulnerable, you need to update the security setting using:
    pkcs15-tool -T -U

For the stable distribution (etch), this problem has been fixed in
version 0.11.1-2etch2.

For the unstable distribution (sid), this problem has been fixed in
version 0.11.4-5.

We recommend that you upgrade your opensc package and check your card(s)
with the command described above.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1.orig.tar.gz
    Size/MD5 checksum:  1263611 94ce00a6bda38fac10ab06f5d5d1a8c3
  http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2.diff.gz
    Size/MD5 checksum:    57088 9ce4247af885d39a5e76ac3e7e34f0e4
  http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2.dsc
    Size/MD5 checksum:      780 33700596584c295d4f27a8f6b8d6df93

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_alpha.deb
    Size/MD5 checksum:   296964 e8ba9833e1d3c00bb4dafc08648faf6d
  http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_alpha.deb
    Size/MD5 checksum:   205002 7146068470dd3c5bbacae9f48751d8fb
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_alpha.deb
    Size/MD5 checksum:  1077872 1a1963d40c9a03ea0dc1453a27e873af
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_alpha.deb
    Size/MD5 checksum:   727634 58de552b33ff885aee0193de0534563e
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_alpha.deb
    Size/MD5 checksum:   508256 94ea135b646b89c6dac6defd2bc931ac

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_amd64.deb
    Size/MD5 checksum:   483304 a375efabe5edf419f4f1419ee085ddb1
  http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_amd64.deb
    Size/MD5 checksum:   200004 84f28dc19675f1f8823b03151cbba47e
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_amd64.deb
    Size/MD5 checksum:   576968 fb1c4b415d1377ceac61661919cbebff
  http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_amd64.deb
    Size/MD5 checksum:   281180 c67f956ac36c4d65ec21ab91ba749866
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_amd64.deb
    Size/MD5 checksum:  1069138 ee204a5d9633f19d89347761b06aa21c

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_arm.deb
    Size/MD5 checksum:  1012086 fe7a7a2eaf19f7e83dd38991a5c5204b
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_arm.deb
    Size/MD5 checksum:   450916 95c8301ca36a08ca0521df8a25267689
  http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_arm.deb
    Size/MD5 checksum:   269182 acc05dce62d94e247043ae804abac541
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_arm.deb
    Size/MD5 checksum:   529988 840e3aab09d7abde5b8060ceebf2dbd1
  http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_arm.deb
    Size/MD5 checksum:   187988 13b7a94850732fd4d46f6cdf875ffb31

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_hppa.deb
    Size/MD5 checksum:   205576 a24fccd7e1772647d563a520b7417976
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_hppa.deb
    Size/MD5 checksum:   512374 dc2ad0c4dc8df1b4058818cc65b0ec10
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_hppa.deb
    Size/MD5 checksum:  1036394 7f83a52f5917cd3fcdbacdbd5cb27ea2
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_hppa.deb
    Size/MD5 checksum:   624512 a66dd86f267fd09099501d5b3154782c
  http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_hppa.deb
    Size/MD5 checksum:   283434 a852d66ff8c4c271b37bbcc0a746dac0

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_i386.deb
    Size/MD5 checksum:   537992 3fec817bfea6d558f42d2c2e107ca8b3
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_i386.deb
    Size/MD5 checksum:  1019214 1ed6d07cb743c73042bab5151146b076
  http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_i386.deb
    Size/MD5 checksum:   189454 445a4781859aef3414590f5e8481fdba
  http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_i386.deb
    Size/MD5 checksum:   269976 e2e5124e70bf580c221e137b50f8ba48
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_i386.deb
    Size/MD5 checksum:   453582 288dfd7b6c042abed22f167dba7a1125

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_ia64.deb
    Size/MD5 checksum:  1062184 c561302cc8a65b1fe98c71ba013880db
  http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_ia64.deb
    Size/MD5 checksum:   354024 5899f17bbab07f5a00c0ec6a740b3756
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_ia64.deb
    Size/MD5 checksum:   769910 e49ff6a5f80122aff066f3b290af9b84
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_ia64.deb
    Size/MD5 checksum:   620292 bb01c6292f364889da4225ba23cc78cb
  http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_ia64.deb
    Size/MD5 checksum:   206140 d34b648d6540c0d63b3fe581e1f9ac67

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_mips.deb
    Size/MD5 checksum:   458414 275ae6b9f162e0852091d0e7836ae16c
  http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_mips.deb
    Size/MD5 checksum:   195516 db0ce446bfb07303da80a9b8f274c1af
  http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_mips.deb
    Size/MD5 checksum:   283004 e8b63a99a79a2d9dd6f734c1a8aa7b0d
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_mips.deb
    Size/MD5 checksum:  1082506 14430ab357fed7616e4c186880752f4d
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_mips.deb
    Size/MD5 checksum:   632954 b9556af01375a44f195e048a616cf21a

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_mipsel.deb
    Size/MD5 checksum:   458378 3385aedc113e5593e349ebe4e6ba2098
  http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_mipsel.deb
    Size/MD5 checksum:   284064 30e52ee872a4e8ccedee22bbdcbe3942
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_mipsel.deb
    Size/MD5 checksum:   629272 796fd245c3afcf85ebeb6bdc7a465d7b
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_mipsel.deb
    Size/MD5 checksum:  1060840 d500da50fe3a7aa346a12d9adb056c66
  http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_mipsel.deb
    Size/MD5 checksum:   194570 20b4f260392f924ead7e4dcb236e450b

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_powerpc.deb
    Size/MD5 checksum:   599502 6bc486604c352ae1d6c34d17383166b4
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_powerpc.deb
    Size/MD5 checksum:  1084300 21bad9d0eb8ce4b8f1399e9cdc266d06
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_powerpc.deb
    Size/MD5 checksum:   473780 b9816427fdd321db40b8b393f4edfe9f
  http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_powerpc.deb
    Size/MD5 checksum:   294664 0fa2e8c94c3039f3926df840d219a97c
  http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_powerpc.deb
    Size/MD5 checksum:   205094 c300b7771a01300bf18849a22d250f60

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_s390.deb
    Size/MD5 checksum:   217104 ff287b6aada1ff7552facbe6a71f317e
  http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_s390.deb
    Size/MD5 checksum:   279122 124aa0833b5fc7d75b5404383064ddf2
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_s390.deb
    Size/MD5 checksum:   485506 3ea3f682d8a0edf18cd51318c3d6e2a1
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_s390.deb
    Size/MD5 checksum:  1050130 2de96bab485f9df0f88a87b945735fd7
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_s390.deb
    Size/MD5 checksum:   552728 b14d87c97023f843b3a73805b4a05ea5

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch2_sparc.deb
    Size/MD5 checksum:   193650 7902081b0d97cae8dfceb35d778d010e
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch2_sparc.deb
    Size/MD5 checksum:   967974 084cfb2ce4ca9edb655dd849fbb543d4
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch2_sparc.deb
    Size/MD5 checksum:   544394 d7313b12e4fbe347ea4717af780d81f8
  http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch2_sparc.deb
    Size/MD5 checksum:   268122 19dd2ba72b9a01b804ee0173b3cacafc
  http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch2_sparc.deb
    Size/MD5 checksum:   442356 8e613a8e25f046b3218d350f47a27919


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSLp0FWz0hbPcukPfAQJHJggAvxoTpcwKezudh39JK5kOs11Hghx2Guxl
Cs+NP5Rgeq3bATRuHk9WFx4QaEwF1Znah3+9W5+WEiPYgWQ7/uMwqOMHovipVD/s
wqAik8iAukhwWdt7nsZ7I3D6MsvMt/+dkXOrkxZwAli3MArf0lt+/5x0kLgaIteL
Wz5moAIM/e7way/k66iajbcw4ltC+kSfneNHP/Mi/i16sz0aADcEBdxzxNygnR4C
6sd11hWmWa4qJ1dNw4gDm7M088Xv6UH3BcC0OoXgH0wxophj34Bf6yYWjCni9V16
EfGvYIuXrhBBN5J1tLJsFB4m6NfBNk09B8ndY5wSKggBUuNFGPEx2Q==
=qNCp
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ