opensc

Link package | bugs open | bugs closed | Wiki | GitHub | web search
Description Tools and libraries for smart cards
Version 0.22.0-1 [community]

Resolved

Group Affected Fixed Severity Status Ticket
AVG-1298 0.20.0-3 0.21.0-1 Medium Fixed FS#68195
AVG-1106 0.19.0-2 0.20.0-1 Medium Fixed FS#65082
Issue Group Severity Remote Type Description
CVE-2020-26572 AVG-1298 Medium No Arbitrary code execution
The TCOS smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in tcos_decipher.
CVE-2020-26571 AVG-1298 Medium No Arbitrary code execution
The gemsafe GPK smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in sc_pkcs15emu_gemsafeGPK_init.
CVE-2020-26570 AVG-1298 Medium No Arbitrary code execution
The Oberthur smart card software driver in OpenSC before 0.21.0-rc1 has a heap-based buffer overflow in sc_oberthur_read_file.
CVE-2019-19481 AVG-1106 Medium No Denial of service
An issue was discovered in OpenSC before 0.20.0. libopensc/card-cac1.c mishandles buffer limits for CAC certificates, leading to an out-of- bounds read.
CVE-2019-19480 AVG-1106 Medium No Denial of service
An issue was discovered in OpenSC before 0.20.0. libopensc/pkcs15-prkey.c has an incorrect free operation in sc_pkcs15_decode_prkdf_entry.
CVE-2019-19479 AVG-1106 Medium No Denial of service
An issue was discovered in OpenSC before 0.20.0. libopensc/card- setcos.c has an incorrect read operation during parsing of a SETCOS file attribute.
CVE-2019-15946 AVG-1106 Medium No Denial of service
OpenSC before 0.20.0 has an out-of-bounds access of an ASN.1 Octet string in asn1_decode_entry in libopensc/asn1.c.
CVE-2019-15945 AVG-1106 Medium No Denial of service
OpenSC before 0.20.0 has an out-of-bounds access of an ASN.1 Bitstring in decode_bit_string in libopensc/asn1.c.
CVE-2019-6502 AVG-1106 Medium No Denial of service
sc_context_create in ctx.c in libopensc in OpenSC 0.19.0 has a memory leak, as demonstrated by a call from eidenv.

Advisories

Date Advisory Group Severity Type
26 Nov 2020 ASA-202011-27 AVG-1298 Medium arbitrary code execution
04 Mar 2020 ASA-202003-2 AVG-1106 Medium denial of service