Security update for opensc SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0565-1 Final 1 1 2021-04-16T18:05:41Z current 2021-04-16T18:05:41Z 2021-04-16T18:05:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for opensc This update for opensc fixes the following issues: - CVE-2019-15945: Fixed an out-of-bounds access of an ASN.1 Bitstring in decode_bit_string (bsc#1149746). - CVE-2019-15946: Fixed an out-of-bounds access of an ASN.1 Octet string in asn1_decode_entry (bsc#1149747) - CVE-2019-19479: Fixed an incorrect read operation during parsing of a SETCOS file attribute (bsc#1158256) - CVE-2019-19480: Fixed an improper free operation in sc_pkcs15_decode_prkdf_entry (bsc#1158307). - CVE-2019-20792: Fixed a double free in coolkey_free_private_data (bsc#1170809). - CVE-2020-26570: Fixed a buffer overflow in sc_oberthur_read_file (bsc#1177364). - CVE-2020-26571: Fixed a stack-based buffer overflow in gemsafe GPK smart card software driver (bsc#1177380) - CVE-2020-26572: Fixed a stack-based buffer overflow in tcos_decipher (bsc#1177378). This update was imported from the SUSE:SLE-15-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-565 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JELZKRVEJGYE74DM3GTNHNTVZBQHK5DJ/ E-Mail link for openSUSE-SU-2021:0565-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1149746 SUSE Bug 1149746 https://bugzilla.suse.com/1149747 SUSE Bug 1149747 https://bugzilla.suse.com/1158256 SUSE Bug 1158256 https://bugzilla.suse.com/1158307 SUSE Bug 1158307 https://bugzilla.suse.com/1170809 SUSE Bug 1170809 https://bugzilla.suse.com/1177364 SUSE Bug 1177364 https://bugzilla.suse.com/1177378 SUSE Bug 1177378 https://bugzilla.suse.com/1177380 SUSE Bug 1177380 https://www.suse.com/security/cve/CVE-2019-15945/ SUSE CVE CVE-2019-15945 page https://www.suse.com/security/cve/CVE-2019-15946/ SUSE CVE CVE-2019-15946 page https://www.suse.com/security/cve/CVE-2019-19479/ SUSE CVE CVE-2019-19479 page https://www.suse.com/security/cve/CVE-2019-19480/ SUSE CVE CVE-2019-19480 page https://www.suse.com/security/cve/CVE-2019-20792/ SUSE CVE CVE-2019-20792 page https://www.suse.com/security/cve/CVE-2020-26570/ SUSE CVE CVE-2020-26570 page https://www.suse.com/security/cve/CVE-2020-26571/ SUSE CVE CVE-2020-26571 page https://www.suse.com/security/cve/CVE-2020-26572/ SUSE CVE CVE-2020-26572 page openSUSE Leap 15.2 opensc-0.19.0-lp152.3.3.1 opensc-32bit-0.19.0-lp152.3.3.1 opensc-0.19.0-lp152.3.3.1 as a component of openSUSE Leap 15.2 opensc-32bit-0.19.0-lp152.3.3.1 as a component of openSUSE Leap 15.2 OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Bitstring in decode_bit_string in libopensc/asn1.c. CVE-2019-15945 openSUSE Leap 15.2:opensc-0.19.0-lp152.3.3.1 openSUSE Leap 15.2:opensc-32bit-0.19.0-lp152.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JELZKRVEJGYE74DM3GTNHNTVZBQHK5DJ/ https://www.suse.com/security/cve/CVE-2019-15945.html CVE-2019-15945 https://bugzilla.suse.com/1149746 SUSE Bug 1149746 https://bugzilla.suse.com/1179291 SUSE Bug 1179291 OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Octet string in asn1_decode_entry in libopensc/asn1.c. CVE-2019-15946 openSUSE Leap 15.2:opensc-0.19.0-lp152.3.3.1 openSUSE Leap 15.2:opensc-32bit-0.19.0-lp152.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JELZKRVEJGYE74DM3GTNHNTVZBQHK5DJ/ https://www.suse.com/security/cve/CVE-2019-15946.html CVE-2019-15946 https://bugzilla.suse.com/1149747 SUSE Bug 1149747 https://bugzilla.suse.com/1179291 SUSE Bug 1179291 An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3. libopensc/card-setcos.c has an incorrect read operation during parsing of a SETCOS file attribute. CVE-2019-19479 openSUSE Leap 15.2:opensc-0.19.0-lp152.3.3.1 openSUSE Leap 15.2:opensc-32bit-0.19.0-lp152.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JELZKRVEJGYE74DM3GTNHNTVZBQHK5DJ/ https://www.suse.com/security/cve/CVE-2019-19479.html CVE-2019-19479 https://bugzilla.suse.com/1158256 SUSE Bug 1158256 https://bugzilla.suse.com/1179291 SUSE Bug 1179291 An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3. libopensc/pkcs15-prkey.c has an incorrect free operation in sc_pkcs15_decode_prkdf_entry. CVE-2019-19480 openSUSE Leap 15.2:opensc-0.19.0-lp152.3.3.1 openSUSE Leap 15.2:opensc-32bit-0.19.0-lp152.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JELZKRVEJGYE74DM3GTNHNTVZBQHK5DJ/ https://www.suse.com/security/cve/CVE-2019-19480.html CVE-2019-19480 https://bugzilla.suse.com/1158307 SUSE Bug 1158307 https://bugzilla.suse.com/1179291 SUSE Bug 1179291 OpenSC before 0.20.0 has a double free in coolkey_free_private_data because coolkey_add_object in libopensc/card-coolkey.c lacks a uniqueness check. CVE-2019-20792 openSUSE Leap 15.2:opensc-0.19.0-lp152.3.3.1 openSUSE Leap 15.2:opensc-32bit-0.19.0-lp152.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JELZKRVEJGYE74DM3GTNHNTVZBQHK5DJ/ https://www.suse.com/security/cve/CVE-2019-20792.html CVE-2019-20792 https://bugzilla.suse.com/1170809 SUSE Bug 1170809 The Oberthur smart card software driver in OpenSC before 0.21.0-rc1 has a heap-based buffer overflow in sc_oberthur_read_file. CVE-2020-26570 openSUSE Leap 15.2:opensc-0.19.0-lp152.3.3.1 openSUSE Leap 15.2:opensc-32bit-0.19.0-lp152.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JELZKRVEJGYE74DM3GTNHNTVZBQHK5DJ/ https://www.suse.com/security/cve/CVE-2020-26570.html CVE-2020-26570 https://bugzilla.suse.com/1177364 SUSE Bug 1177364 https://bugzilla.suse.com/1179291 SUSE Bug 1179291 The gemsafe GPK smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in sc_pkcs15emu_gemsafeGPK_init. CVE-2020-26571 openSUSE Leap 15.2:opensc-0.19.0-lp152.3.3.1 openSUSE Leap 15.2:opensc-32bit-0.19.0-lp152.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JELZKRVEJGYE74DM3GTNHNTVZBQHK5DJ/ https://www.suse.com/security/cve/CVE-2020-26571.html CVE-2020-26571 https://bugzilla.suse.com/1177380 SUSE Bug 1177380 https://bugzilla.suse.com/1179291 SUSE Bug 1179291 The TCOS smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in tcos_decipher. CVE-2020-26572 openSUSE Leap 15.2:opensc-0.19.0-lp152.3.3.1 openSUSE Leap 15.2:opensc-32bit-0.19.0-lp152.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JELZKRVEJGYE74DM3GTNHNTVZBQHK5DJ/ https://www.suse.com/security/cve/CVE-2020-26572.html CVE-2020-26572 https://bugzilla.suse.com/1177378 SUSE Bug 1177378 https://bugzilla.suse.com/1179291 SUSE Bug 1179291