CVE-2016-10109 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	No
Type	Privilege escalation
Description	The SCardReleaseContext function normally releases resources associated with the given handle (including "cardsList") and clients should cease using this handle. A malicious client can however make the daemon invoke SCardReleaseContext and continue issuing other commands that use "cardsList", resulting in a use-after-free. When SCardReleaseContext is invoked multiple times, it additionally results in a double-free of "cardsList". The issue allows a local attacker to cause a denial of service, but can potentially result in privilege escalation since the daemon is running as root while any local user can connect to the Unix socket. Fixed by patch "SCardReleaseContext: prevent use-after-free of cardsList" which is released with hpcsc-lite 1.8.20 on 30 December 2016.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-126	pcsclite	1.8.18-1	1.8.20-1	Medium	Fixed

Date	Advisory	Group	Package	Severity	Type
04 Jan 2017	ASA-201701-12	AVG-126	pcsclite	Medium	privilege escalation

References
https://anonscm.debian.org/cgit/pcsclite/PCSC.git/commit/?id=697fe05967af7ea215bcd5d5774be587780c9e22 http://lists.alioth.debian.org/pipermail/pcsclite-muscle/Week-of-Mon-20161226/000779.html http://marc.info/?l=oss-security&m=148345047107588

References

https://anonscm.debian.org/cgit/pcsclite/PCSC.git/commit/?id=697fe05967af7ea215bcd5d5774be587780c9e22
http://lists.alioth.debian.org/pipermail/pcsclite-muscle/Week-of-Mon-20161226/000779.html
http://marc.info/?l=oss-security&m=148345047107588