'[oss-security] CVE Request -- 1, ccid -- int.overflow leading to array index error'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE Request -- 1, ccid -- int.overflow leading to array index error
From:       Jan Lieskovsky <jlieskov () redhat ! com>
Date:       2010-12-22 12:55:08
Message-ID: 4D11F52C.6060900 () redhat ! com
[Download RAW message or body]

Hello Josh, Steve, vendors,

   Rafael Dominguez Vega of MWR InfoSecurity reported two more flaws related with smart cards:

   I), CCID: Integer overflow, leading to array index error when processing crafted serial number of certain cards

   Description:
   An integer overflow, leading to array index error was found
   in the way USB CCID (Chip/Smart Card Interface Devices) driver
   processed certain values of card serial number. A local attacker
   could use this flaw to execute arbitrary code, with the privileges
   of the user running the pcscd daemon, via a malicious smart card
   with specially-crafted value of its serial number, inserted to
   the system USB port.

   References:
   [1] http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-libccid-buffer-overflow_2010-12-13.pdf
   [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607780
   [3] https://bugzilla.redhat.com/show_bug.cgi?id=664986

   Upstream changesets:
   [4] http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004934.html
   [5] http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004935.html

   II), pcsc-lite: Stack-based buffer overflow in Answer-to-Reset (ATR) decoder

   Description:
   A stack-based buffer overflow flaw was found in the way
   PC/SC Lite smart card framework decoded certain attribute
   values of the Answer-to-Reset (ATR) message, received back
   from the card after connecting. A local attacker could
   use this flaw to execute arbitrary code with the privileges
   of the user running the pcscd daemon, via a malicious smart
   card inserted to the system USB port.

   References:
   [1] http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-atr-handler-buffer-overflow_2010-12-13.pdf
   [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607781
   [3] http://www.vupen.com/english/advisories/2010/3264
   [4] https://bugzilla.redhat.com/show_bug.cgi?id=664999

   Upstream changeset:
   [5] http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004923.html

Could you allocate CVE ids for these two too?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic