An update for opensc is now available for openEuler-22.03-LTS-SP1,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-2245 Final 1.0 1.0 2024-10-12 Initial 2024-10-12 2024-10-12 openEuler SA Tool V1.0 2024-10-12 opensc security update An update for opensc is now available for openEuler-22.03-LTS-SP1,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4 OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the standard APIs to smart cards, e.g. PKCS#11 API, Windows’ Smart Card Minidriver and macOS Tokend. Security Fix(es): A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. The problem is missing initialization of variables expected to be initialized (as arguments to other functions, etc.).(CVE-2024-45615) A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. The following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card.(CVE-2024-45616) A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized.(CVE-2024-45617) A vulnerability was found in pkcs15-init in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized.(CVE-2024-45618) A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.(CVE-2024-45619) A vulnerability was found in the pkcs15-init tool in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.(CVE-2024-45620) A heap-based buffer overflow vulnerability was found in the libopensc OpenPGP driver. A crafted USB device or smart card with malicious responses to the APDUs during the card enrollment process using the `pkcs15-init` tool may lead to out-of-bound rights, possibly resulting in arbitrary code execution.(CVE-2024-8443) An update for opensc is now available for openEuler-22.03-LTS-SP1,openEuler-24.03-LTS,openEuler-22.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-20.03-LTS-SP4. openEuler Security has rated this update as having a security impact of low. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Low opensc https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2245 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-45615 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-45616 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-45617 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-45618 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-45619 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-45620 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-8443 https://nvd.nist.gov/vuln/detail/CVE-2024-45615 https://nvd.nist.gov/vuln/detail/CVE-2024-45616 https://nvd.nist.gov/vuln/detail/CVE-2024-45617 https://nvd.nist.gov/vuln/detail/CVE-2024-45618 https://nvd.nist.gov/vuln/detail/CVE-2024-45619 https://nvd.nist.gov/vuln/detail/CVE-2024-45620 https://nvd.nist.gov/vuln/detail/CVE-2024-8443 openEuler-22.03-LTS-SP1 openEuler-24.03-LTS openEuler-22.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-20.03-LTS-SP4 opensc-0.21.0-11.oe2203sp1.aarch64.rpm opensc-debuginfo-0.21.0-11.oe2203sp1.aarch64.rpm opensc-debugsource-0.21.0-11.oe2203sp1.aarch64.rpm opensc-0.23.0-7.oe2403.aarch64.rpm opensc-debuginfo-0.23.0-7.oe2403.aarch64.rpm opensc-debugsource-0.23.0-7.oe2403.aarch64.rpm opensc-help-0.23.0-7.oe2403.aarch64.rpm opensc-0.21.0-11.oe2203sp4.aarch64.rpm opensc-debuginfo-0.21.0-11.oe2203sp4.aarch64.rpm opensc-debugsource-0.21.0-11.oe2203sp4.aarch64.rpm opensc-0.21.0-11.oe2203sp3.aarch64.rpm opensc-debuginfo-0.21.0-11.oe2203sp3.aarch64.rpm opensc-debugsource-0.21.0-11.oe2203sp3.aarch64.rpm opensc-0.20.0-15.oe2003sp4.aarch64.rpm opensc-debuginfo-0.20.0-15.oe2003sp4.aarch64.rpm opensc-debugsource-0.20.0-15.oe2003sp4.aarch64.rpm opensc-0.21.0-11.oe2203sp1.src.rpm opensc-0.23.0-7.oe2403.src.rpm opensc-0.21.0-11.oe2203sp4.src.rpm opensc-0.21.0-11.oe2203sp3.src.rpm opensc-0.20.0-15.oe2003sp4.src.rpm opensc-0.21.0-11.oe2203sp1.x86_64.rpm opensc-debuginfo-0.21.0-11.oe2203sp1.x86_64.rpm opensc-debugsource-0.21.0-11.oe2203sp1.x86_64.rpm opensc-0.23.0-7.oe2403.x86_64.rpm opensc-debuginfo-0.23.0-7.oe2403.x86_64.rpm opensc-debugsource-0.23.0-7.oe2403.x86_64.rpm opensc-help-0.23.0-7.oe2403.x86_64.rpm opensc-0.21.0-11.oe2203sp4.x86_64.rpm opensc-debuginfo-0.21.0-11.oe2203sp4.x86_64.rpm opensc-debugsource-0.21.0-11.oe2203sp4.x86_64.rpm opensc-0.21.0-11.oe2203sp3.x86_64.rpm opensc-debuginfo-0.21.0-11.oe2203sp3.x86_64.rpm opensc-debugsource-0.21.0-11.oe2203sp3.x86_64.rpm opensc-0.20.0-15.oe2003sp4.x86_64.rpm opensc-debuginfo-0.20.0-15.oe2003sp4.x86_64.rpm opensc-debugsource-0.20.0-15.oe2003sp4.x86_64.rpm opensc-help-0.21.0-11.oe2203sp1.noarch.rpm opensc-help-0.21.0-11.oe2203sp4.noarch.rpm opensc-help-0.21.0-11.oe2203sp3.noarch.rpm opensc-help-0.20.0-15.oe2003sp4.noarch.rpm A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. The problem is missing initialization of variables expected to be initialized (as arguments to other functions, etc.). 2024-10-12 CVE-2024-45615 openEuler-22.03-LTS-SP1 openEuler-24.03-LTS openEuler-22.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-20.03-LTS-SP4 Low 3.9 AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L opensc security update 2024-10-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2245 A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. The following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card. 2024-10-12 CVE-2024-45616 openEuler-22.03-LTS-SP1 openEuler-24.03-LTS openEuler-22.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-20.03-LTS-SP4 Low 3.9 AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L opensc security update 2024-10-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2245 A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized. 2024-10-12 CVE-2024-45617 openEuler-22.03-LTS-SP1 openEuler-24.03-LTS openEuler-22.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-20.03-LTS-SP4 Low 3.9 AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L opensc security update 2024-10-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2245 A vulnerability was found in pkcs15-init in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized. 2024-10-12 CVE-2024-45618 openEuler-22.03-LTS-SP1 openEuler-24.03-LTS openEuler-22.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-20.03-LTS-SP4 Low 3.9 AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L opensc security update 2024-10-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2245 A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed. 2024-10-12 CVE-2024-45619 openEuler-22.03-LTS-SP1 openEuler-24.03-LTS openEuler-22.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-20.03-LTS-SP4 Low 3.9 AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L opensc security update 2024-10-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2245 A vulnerability was found in the pkcs15-init tool in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed. 2024-10-12 CVE-2024-45620 openEuler-22.03-LTS-SP1 openEuler-24.03-LTS openEuler-22.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-20.03-LTS-SP4 Low 3.9 AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L opensc security update 2024-10-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2245 A heap-based buffer overflow vulnerability was found in the libopensc OpenPGP driver. A crafted USB device or smart card with malicious responses to the APDUs during the card enrollment process using the `pkcs15-init` tool may lead to out-of-bound rights, possibly resulting in arbitrary code execution. 2024-10-12 CVE-2024-8443 openEuler-22.03-LTS-SP1 openEuler-24.03-LTS openEuler-22.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-20.03-LTS-SP4 Low 3.4 AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N opensc security update 2024-10-12 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2245