{"schema_version":"1.7.2","id":"OESA-2024-2245","modified":"2024-10-12T11:09:21Z","published":"2024-10-12T11:09:21Z","upstream":["CVE-2024-45615","CVE-2024-45616","CVE-2024-45617","CVE-2024-45618","CVE-2024-45619","CVE-2024-45620","CVE-2024-8443"],"summary":"opensc security update","details":"OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the standard APIs to smart cards, e.g. PKCS#11 API, Windows’ Smart Card Minidriver and macOS Tokend.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. \nThe problem is missing  initialization of variables expected to be initialized (as arguments to other functions, etc.).(CVE-2024-45615)\r\n\r\nA vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. \r\n\r\nThe following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card.(CVE-2024-45616)\r\n\r\nA vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. \r\n\r\nInsufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized.(CVE-2024-45617)\r\n\r\nA vulnerability was found in pkcs15-init in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. \r\n\r\nInsufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized.(CVE-2024-45618)\r\n\r\nA vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.(CVE-2024-45619)\r\n\r\nA vulnerability was found in the pkcs15-init tool in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.(CVE-2024-45620)\r\n\r\nA heap-based buffer overflow vulnerability was found in the libopensc OpenPGP driver. A crafted USB device or smart card with malicious responses to the APDUs during the card enrollment process using the `pkcs15-init` tool may lead to out-of-bound rights, possibly resulting in arbitrary code execution.(CVE-2024-8443)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP1","name":"opensc","purl":"pkg:rpm/openEuler/opensc\u0026distro=openEuler-22.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.21.0-11.oe2203sp1"}]}],"ecosystem_specific":{"aarch64":["opensc-0.21.0-11.oe2203sp1.aarch64.rpm","opensc-debuginfo-0.21.0-11.oe2203sp1.aarch64.rpm","opensc-debugsource-0.21.0-11.oe2203sp1.aarch64.rpm"],"noarch":["opensc-help-0.21.0-11.oe2203sp1.noarch.rpm"],"src":["opensc-0.21.0-11.oe2203sp1.src.rpm"],"x86_64":["opensc-0.21.0-11.oe2203sp1.x86_64.rpm","opensc-debuginfo-0.21.0-11.oe2203sp1.x86_64.rpm","opensc-debugsource-0.21.0-11.oe2203sp1.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:24.03-LTS","name":"opensc","purl":"pkg:rpm/openEuler/opensc\u0026distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.23.0-7.oe2403"}]}],"ecosystem_specific":{"aarch64":["opensc-0.23.0-7.oe2403.aarch64.rpm","opensc-debuginfo-0.23.0-7.oe2403.aarch64.rpm","opensc-debugsource-0.23.0-7.oe2403.aarch64.rpm","opensc-help-0.23.0-7.oe2403.aarch64.rpm"],"src":["opensc-0.23.0-7.oe2403.src.rpm"],"x86_64":["opensc-0.23.0-7.oe2403.x86_64.rpm","opensc-debuginfo-0.23.0-7.oe2403.x86_64.rpm","opensc-debugsource-0.23.0-7.oe2403.x86_64.rpm","opensc-help-0.23.0-7.oe2403.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:22.03-LTS-SP4","name":"opensc","purl":"pkg:rpm/openEuler/opensc\u0026distro=openEuler-22.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.21.0-11.oe2203sp4"}]}],"ecosystem_specific":{"aarch64":["opensc-0.21.0-11.oe2203sp4.aarch64.rpm","opensc-debuginfo-0.21.0-11.oe2203sp4.aarch64.rpm","opensc-debugsource-0.21.0-11.oe2203sp4.aarch64.rpm"],"noarch":["opensc-help-0.21.0-11.oe2203sp4.noarch.rpm"],"src":["opensc-0.21.0-11.oe2203sp4.src.rpm"],"x86_64":["opensc-0.21.0-11.oe2203sp4.x86_64.rpm","opensc-debuginfo-0.21.0-11.oe2203sp4.x86_64.rpm","opensc-debugsource-0.21.0-11.oe2203sp4.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:22.03-LTS-SP3","name":"opensc","purl":"pkg:rpm/openEuler/opensc\u0026distro=openEuler-22.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.21.0-11.oe2203sp3"}]}],"ecosystem_specific":{"aarch64":["opensc-0.21.0-11.oe2203sp3.aarch64.rpm","opensc-debuginfo-0.21.0-11.oe2203sp3.aarch64.rpm","opensc-debugsource-0.21.0-11.oe2203sp3.aarch64.rpm"],"noarch":["opensc-help-0.21.0-11.oe2203sp3.noarch.rpm"],"src":["opensc-0.21.0-11.oe2203sp3.src.rpm"],"x86_64":["opensc-0.21.0-11.oe2203sp3.x86_64.rpm","opensc-debuginfo-0.21.0-11.oe2203sp3.x86_64.rpm","opensc-debugsource-0.21.0-11.oe2203sp3.x86_64.rpm"]}},{"package":{"ecosystem":"openEuler:20.03-LTS-SP4","name":"opensc","purl":"pkg:rpm/openEuler/opensc\u0026distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.20.0-15.oe2003sp4"}]}],"ecosystem_specific":{"aarch64":["opensc-0.20.0-15.oe2003sp4.aarch64.rpm","opensc-debuginfo-0.20.0-15.oe2003sp4.aarch64.rpm","opensc-debugsource-0.20.0-15.oe2003sp4.aarch64.rpm"],"noarch":["opensc-help-0.20.0-15.oe2003sp4.noarch.rpm"],"src":["opensc-0.20.0-15.oe2003sp4.src.rpm"],"x86_64":["opensc-0.20.0-15.oe2003sp4.x86_64.rpm","opensc-debuginfo-0.20.0-15.oe2003sp4.x86_64.rpm","opensc-debugsource-0.20.0-15.oe2003sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2245"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45615"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45616"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45617"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45618"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45619"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45620"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8443"}],"database_specific":{"severity":"Low"}}