Security update for opensc SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:3621-1 Final 1 1 2018-11-05T16:59:27Z current 2018-11-05T16:59:27Z 2018-11-05T16:59:27Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for opensc This update for opensc fixes the following issues: - CVE-2018-16391: Fixed a denial of service when handling responses from a Muscle Card (bsc#1106998) - CVE-2018-16392: Fixed a denial of service when handling responses from a TCOS Card (bsc#1106999) - CVE-2018-16393: Fixed buffer overflows when handling responses from Gemsafe V1 Smartcards (bsc#1108318) - CVE-2018-16418: Fixed buffer overflow when handling string concatenation in util_acl_to_str (bsc#1107039) - CVE-2018-16419: Fixed several buffer overflows when handling responses from a Cryptoflex card (bsc#1107107) - CVE-2018-16422: Fixed single byte buffer overflow when handling responses from an esteid Card (bsc#1107038) - CVE-2018-16423: Fixed double free when handling responses from a smartcard (bsc#1107037) - CVE-2018-16427: Fixed out of bounds reads when handling responses in OpenSC (bsc#1107033) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-opensc-13856,slessp4-opensc-13856 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20183621-1/ Link for SUSE-SU-2018:3621-1 https://lists.suse.com/pipermail/sle-security-updates/2018-November/004829.html E-Mail link for SUSE-SU-2018:3621-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1104812 SUSE Bug 1104812 https://bugzilla.suse.com/1106998 SUSE Bug 1106998 https://bugzilla.suse.com/1106999 SUSE Bug 1106999 https://bugzilla.suse.com/1107033 SUSE Bug 1107033 https://bugzilla.suse.com/1107037 SUSE Bug 1107037 https://bugzilla.suse.com/1107038 SUSE Bug 1107038 https://bugzilla.suse.com/1107039 SUSE Bug 1107039 https://bugzilla.suse.com/1107107 SUSE Bug 1107107 https://bugzilla.suse.com/1108318 SUSE Bug 1108318 https://www.suse.com/security/cve/CVE-2018-16391/ SUSE CVE CVE-2018-16391 page https://www.suse.com/security/cve/CVE-2018-16392/ SUSE CVE CVE-2018-16392 page https://www.suse.com/security/cve/CVE-2018-16393/ SUSE CVE CVE-2018-16393 page https://www.suse.com/security/cve/CVE-2018-16418/ SUSE CVE CVE-2018-16418 page https://www.suse.com/security/cve/CVE-2018-16419/ SUSE CVE CVE-2018-16419 page https://www.suse.com/security/cve/CVE-2018-16422/ SUSE CVE CVE-2018-16422 page https://www.suse.com/security/cve/CVE-2018-16423/ SUSE CVE CVE-2018-16423 page https://www.suse.com/security/cve/CVE-2018-16427/ SUSE CVE CVE-2018-16427 page SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server for SAP Applications 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4 opensc-devel-0.11.6-5.27.3.1 libopensc2-0.11.6-5.27.3.1 libopensc2-32bit-0.11.6-5.27.3.1 libopensc2-x86-0.11.6-5.27.3.1 opensc-0.11.6-5.27.3.1 opensc-32bit-0.11.6-5.27.3.1 opensc-x86-0.11.6-5.27.3.1 libopensc2-0.11.6-5.27.3.1 as a component of SUSE Linux Enterprise Server 11 SP4 libopensc2-32bit-0.11.6-5.27.3.1 as a component of SUSE Linux Enterprise Server 11 SP4 libopensc2-x86-0.11.6-5.27.3.1 as a component of SUSE Linux Enterprise Server 11 SP4 opensc-0.11.6-5.27.3.1 as a component of SUSE Linux Enterprise Server 11 SP4 opensc-32bit-0.11.6-5.27.3.1 as a component of SUSE Linux Enterprise Server 11 SP4 opensc-x86-0.11.6-5.27.3.1 as a component of SUSE Linux Enterprise Server 11 SP4 libopensc2-0.11.6-5.27.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libopensc2-32bit-0.11.6-5.27.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libopensc2-x86-0.11.6-5.27.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 opensc-0.11.6-5.27.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 opensc-32bit-0.11.6-5.27.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 opensc-x86-0.11.6-5.27.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 opensc-devel-0.11.6-5.27.3.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 Several buffer overflows when handling responses from a Muscle Card in muscle_list_files in libopensc/card-muscle.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact. CVE-2018-16391 SUSE Linux Enterprise Server 11 SP4:libopensc2-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:libopensc2-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:libopensc2-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Software Development Kit 11 SP4:opensc-devel-0.11.6-5.27.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20183621-1/ https://www.suse.com/security/cve/CVE-2018-16391.html CVE-2018-16391 https://bugzilla.suse.com/1106998 SUSE Bug 1106998 Several buffer overflows when handling responses from a TCOS Card in tcos_select_file in libopensc/card-tcos.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact. CVE-2018-16392 SUSE Linux Enterprise Server 11 SP4:libopensc2-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:libopensc2-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:libopensc2-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Software Development Kit 11 SP4:opensc-devel-0.11.6-5.27.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20183621-1/ https://www.suse.com/security/cve/CVE-2018-16392.html CVE-2018-16392 https://bugzilla.suse.com/1106999 SUSE Bug 1106999 Several buffer overflows when handling responses from a Gemsafe V1 Smartcard in gemsafe_get_cert_len in libopensc/pkcs15-gemsafeV1.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact. CVE-2018-16393 SUSE Linux Enterprise Server 11 SP4:libopensc2-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:libopensc2-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:libopensc2-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Software Development Kit 11 SP4:opensc-devel-0.11.6-5.27.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20183621-1/ https://www.suse.com/security/cve/CVE-2018-16393.html CVE-2018-16393 https://bugzilla.suse.com/1108318 SUSE Bug 1108318 A buffer overflow when handling string concatenation in util_acl_to_str in tools/util.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact. CVE-2018-16418 SUSE Linux Enterprise Server 11 SP4:libopensc2-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:libopensc2-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:libopensc2-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Software Development Kit 11 SP4:opensc-devel-0.11.6-5.27.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20183621-1/ https://www.suse.com/security/cve/CVE-2018-16418.html CVE-2018-16418 https://bugzilla.suse.com/1107039 SUSE Bug 1107039 Several buffer overflows when handling responses from a Cryptoflex card in read_public_key in tools/cryptoflex-tool.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact. CVE-2018-16419 SUSE Linux Enterprise Server 11 SP4:libopensc2-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:libopensc2-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:libopensc2-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Software Development Kit 11 SP4:opensc-devel-0.11.6-5.27.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20183621-1/ https://www.suse.com/security/cve/CVE-2018-16419.html CVE-2018-16419 https://bugzilla.suse.com/1107107 SUSE Bug 1107107 A single byte buffer overflow when handling responses from an esteid Card in sc_pkcs15emu_esteid_init in libopensc/pkcs15-esteid.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact. CVE-2018-16422 SUSE Linux Enterprise Server 11 SP4:libopensc2-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:libopensc2-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:libopensc2-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Software Development Kit 11 SP4:opensc-devel-0.11.6-5.27.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20183621-1/ https://www.suse.com/security/cve/CVE-2018-16422.html CVE-2018-16422 https://bugzilla.suse.com/1107038 SUSE Bug 1107038 A double free when handling responses from a smartcard in sc_file_set_sec_attr in libopensc/sc.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact. CVE-2018-16423 SUSE Linux Enterprise Server 11 SP4:libopensc2-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:libopensc2-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:libopensc2-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Software Development Kit 11 SP4:opensc-devel-0.11.6-5.27.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20183621-1/ https://www.suse.com/security/cve/CVE-2018-16423.html CVE-2018-16423 https://bugzilla.suse.com/1107037 SUSE Bug 1107037 Various out of bounds reads when handling responses in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to potentially crash the opensc library using programs. CVE-2018-16427 SUSE Linux Enterprise Server 11 SP4:libopensc2-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:libopensc2-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:libopensc2-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server 11 SP4:opensc-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libopensc2-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-32bit-0.11.6-5.27.3.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:opensc-x86-0.11.6-5.27.3.1 SUSE Linux Enterprise Software Development Kit 11 SP4:opensc-devel-0.11.6-5.27.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20183621-1/ https://www.suse.com/security/cve/CVE-2018-16427.html CVE-2018-16427 https://bugzilla.suse.com/1107033 SUSE Bug 1107033