lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1Oz7cD-0005XV-F0@titan.mandriva.com>
Date: Fri, 24 Sep 2010 14:43:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:189 ] pcsc-lite

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:189
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : pcsc-lite
 Date    : September 24, 2010
 Affected: 2008.0, 2009.0, 2009.1, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in pcsc-lite:
 
 The MSGFunctionDemarshall function in winscard_svc.c in the PC/SC Smart
 Card daemon (aka PCSCD) in MUSCLE PCSC-Lite before 1.5.4 might allow
 local users to cause a denial of service (daemon crash) via crafted
 SCARD_SET_ATTRIB message data, which is improperly demarshalled
 and triggers a buffer over-read, a related issue to CVE-2010-0407
 (CVE-2009-4901).
 
 Buffer overflow in the MSGFunctionDemarshall function in winscard_svc.c
 in the PC/SC Smart Card daemon (aka PCSCD) in MUSCLE PCSC-Lite 1.5.4
 and earlier might allow local users to gain privileges via crafted
 SCARD_CONTROL message data, which is improperly demarshalled.  NOTE:
 this vulnerability exists because of an incorrect fix for CVE-2010-0407
 (CVE-2009-4902).
 
 Multiple buffer overflows in the MSGFunctionDemarshall function in
 winscard_svc.c in the PC/SC Smart Card daemon (aka PCSCD) in MUSCLE
 PCSC-Lite before 1.5.4 allow local users to gain privileges via
 crafted message data, which is improperly demarshalled (CVE-2010-0407).
 
 Packages for 2008.0 and 2009.0 are provided as of the Extended
 Maintenance Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4901
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4902
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0407
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 8542435bcf848ec4a758f08abb440de6  2008.0/i586/libpcsclite1-1.4.4-1.1mdv2008.0.i586.rpm
 b2cba2d308ce62f0db856cbeb397e579  2008.0/i586/libpcsclite-devel-1.4.4-1.1mdv2008.0.i586.rpm
 91aa91411c7755f9fef3bc9d2247ae8d  2008.0/i586/libpcsclite-static-devel-1.4.4-1.1mdv2008.0.i586.rpm
 a9b3733633dea019f2604a3edaee1108  2008.0/i586/pcsc-lite-1.4.4-1.1mdv2008.0.i586.rpm 
 f08e053f4969deef763e11fd6d66b408  2008.0/SRPMS/pcsc-lite-1.4.4-1.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 6e0f7e5e8069e5aa694de0b51d51e7f7  2008.0/x86_64/lib64pcsclite1-1.4.4-1.1mdv2008.0.x86_64.rpm
 ecb3d147a0989e9f11b6c21a99d78b00  2008.0/x86_64/lib64pcsclite-devel-1.4.4-1.1mdv2008.0.x86_64.rpm
 217d8be73202d169f0749b586d2fc78d  2008.0/x86_64/lib64pcsclite-static-devel-1.4.4-1.1mdv2008.0.x86_64.rpm
 5124ffac456d3ddcbe83c2cc20b3e65b  2008.0/x86_64/pcsc-lite-1.4.4-1.1mdv2008.0.x86_64.rpm 
 f08e053f4969deef763e11fd6d66b408  2008.0/SRPMS/pcsc-lite-1.4.4-1.1mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 9e6699c3b26d60127e0caaa1aa2289d2  2009.0/i586/libpcsclite1-1.4.102-1.1mdv2009.0.i586.rpm
 72a1a3d5e01ed8345f265a77f4ea05dd  2009.0/i586/libpcsclite-devel-1.4.102-1.1mdv2009.0.i586.rpm
 349726056604450832d18ebef0b719c0  2009.0/i586/libpcsclite-static-devel-1.4.102-1.1mdv2009.0.i586.rpm
 e87e4987d3fbf641f645b2009471f387  2009.0/i586/pcsc-lite-1.4.102-1.1mdv2009.0.i586.rpm 
 76334baf4d0a4c7e7269be6855aee4c2  2009.0/SRPMS/pcsc-lite-1.4.102-1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 0ecec7927fddbf1791384667d4c2cb0f  2009.0/x86_64/lib64pcsclite1-1.4.102-1.1mdv2009.0.x86_64.rpm
 628debd6fb07c332a72b836c165bcc8d  2009.0/x86_64/lib64pcsclite-devel-1.4.102-1.1mdv2009.0.x86_64.rpm
 ae015f03362f7399c9aba451f2f7fecd  2009.0/x86_64/lib64pcsclite-static-devel-1.4.102-1.1mdv2009.0.x86_64.rpm
 64fbc7257cbfc5a18c1d3f63ab8860e8  2009.0/x86_64/pcsc-lite-1.4.102-1.1mdv2009.0.x86_64.rpm 
 76334baf4d0a4c7e7269be6855aee4c2  2009.0/SRPMS/pcsc-lite-1.4.102-1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 f6fbc67ddacadd6e421fd68d02e12633  2009.1/i586/libpcsclite1-1.5.2-1.1mdv2009.1.i586.rpm
 a1ba1511fd5dd26573527ef50ce81b5e  2009.1/i586/libpcsclite-devel-1.5.2-1.1mdv2009.1.i586.rpm
 4b9ba378d857ae48a846f00e286024e8  2009.1/i586/libpcsclite-static-devel-1.5.2-1.1mdv2009.1.i586.rpm
 6a704dd4e7d8423d35db366dbf689cb7  2009.1/i586/pcsc-lite-1.5.2-1.1mdv2009.1.i586.rpm 
 01a7091c9fcf2337578c9caeebc87833  2009.1/SRPMS/pcsc-lite-1.5.2-1.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 613b7a63921e05a482fb4aae6a36d5cf  2009.1/x86_64/lib64pcsclite1-1.5.2-1.1mdv2009.1.x86_64.rpm
 9dd66b08eb34e7fa8d00c569f0face33  2009.1/x86_64/lib64pcsclite-devel-1.5.2-1.1mdv2009.1.x86_64.rpm
 8b7f3042144456046ac6a550d49466f7  2009.1/x86_64/lib64pcsclite-static-devel-1.5.2-1.1mdv2009.1.x86_64.rpm
 8f4c9901adccf658a5edd7b88e735568  2009.1/x86_64/pcsc-lite-1.5.2-1.1mdv2009.1.x86_64.rpm 
 01a7091c9fcf2337578c9caeebc87833  2009.1/SRPMS/pcsc-lite-1.5.2-1.1mdv2009.1.src.rpm

 Mandriva Enterprise Server 5:
 4194b2888cee96308009918fd78ec2e6  mes5/i586/libpcsclite1-1.4.102-1.1mdvmes5.1.i586.rpm
 5fceb0986718f744abbd371129b38eba  mes5/i586/libpcsclite-devel-1.4.102-1.1mdvmes5.1.i586.rpm
 f856c267204173af9fad236eac81c28f  mes5/i586/libpcsclite-static-devel-1.4.102-1.1mdvmes5.1.i586.rpm
 6d601e4b1d1168ebec78c5d945378e02  mes5/i586/pcsc-lite-1.4.102-1.1mdvmes5.1.i586.rpm 
 0b52ec2a75a79cdef80d31b6b55323d1  mes5/SRPMS/pcsc-lite-1.4.102-1.1mdv2009.0.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 245e8a6081254bacb173674d15594e98  mes5/x86_64/lib64pcsclite1-1.4.102-1.1mdvmes5.1.x86_64.rpm
 315e276f89d1bd75105a2e40f2976b81  mes5/x86_64/lib64pcsclite-devel-1.4.102-1.1mdvmes5.1.x86_64.rpm
 731b15c35ffe0872052578e9a25f3fa2  mes5/x86_64/lib64pcsclite-static-devel-1.4.102-1.1mdvmes5.1.x86_64.rpm
 ca6aa016db366b69b83ca08814a9636c  mes5/x86_64/pcsc-lite-1.4.102-1.1mdvmes5.1.x86_64.rpm 
 0b52ec2a75a79cdef80d31b6b55323d1  mes5/SRPMS/pcsc-lite-1.4.102-1.1mdv2009.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMnGzomqjQ0CJFipgRAmXTAKDITs6XSqDRd8Bm+jEKeBBi8VCnmgCdG3k7
73gkpAFx7zZqY3bL0t73fqA=
=qjIw
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ