opensc-0.25.1-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:14382-1 Final 1 1 2024-10-02T00:00:00Z current 2024-10-02T00:00:00Z 2024-10-02T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z opensc-0.25.1-2.1 on GA media These are all security issues fixed in the opensc-0.25.1-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-14382 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IBFHLYOZRTV2LJKPK5IKLVFJCY2NEU5F/ E-Mail link for openSUSE-SU-2024:14382-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-45615/ SUSE CVE CVE-2024-45615 page https://www.suse.com/security/cve/CVE-2024-45616/ SUSE CVE CVE-2024-45616 page https://www.suse.com/security/cve/CVE-2024-45617/ SUSE CVE CVE-2024-45617 page https://www.suse.com/security/cve/CVE-2024-45618/ SUSE CVE CVE-2024-45618 page https://www.suse.com/security/cve/CVE-2024-45619/ SUSE CVE CVE-2024-45619 page https://www.suse.com/security/cve/CVE-2024-45620/ SUSE CVE CVE-2024-45620 page https://www.suse.com/security/cve/CVE-2024-8443/ SUSE CVE CVE-2024-8443 page openSUSE Tumbleweed opensc-0.25.1-2.1 opensc-bash-completion-0.25.1-2.1 opensc-0.25.1-2.1 as a component of openSUSE Tumbleweed opensc-bash-completion-0.25.1-2.1 as a component of openSUSE Tumbleweed A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. The problem is missing initialization of variables expected to be initialized (as arguments to other functions, etc.). CVE-2024-45615 openSUSE Tumbleweed:opensc-0.25.1-2.1 openSUSE Tumbleweed:opensc-bash-completion-0.25.1-2.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IBFHLYOZRTV2LJKPK5IKLVFJCY2NEU5F/ https://www.suse.com/security/cve/CVE-2024-45615.html CVE-2024-45615 https://bugzilla.suse.com/1230071 SUSE Bug 1230071 A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. The following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card. CVE-2024-45616 openSUSE Tumbleweed:opensc-0.25.1-2.1 openSUSE Tumbleweed:opensc-bash-completion-0.25.1-2.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IBFHLYOZRTV2LJKPK5IKLVFJCY2NEU5F/ https://www.suse.com/security/cve/CVE-2024-45616.html CVE-2024-45616 https://bugzilla.suse.com/1230072 SUSE Bug 1230072 A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized. CVE-2024-45617 openSUSE Tumbleweed:opensc-0.25.1-2.1 openSUSE Tumbleweed:opensc-bash-completion-0.25.1-2.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IBFHLYOZRTV2LJKPK5IKLVFJCY2NEU5F/ https://www.suse.com/security/cve/CVE-2024-45617.html CVE-2024-45617 https://bugzilla.suse.com/1230073 SUSE Bug 1230073 A vulnerability was found in pkcs15-init in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized. CVE-2024-45618 openSUSE Tumbleweed:opensc-0.25.1-2.1 openSUSE Tumbleweed:opensc-bash-completion-0.25.1-2.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IBFHLYOZRTV2LJKPK5IKLVFJCY2NEU5F/ https://www.suse.com/security/cve/CVE-2024-45618.html CVE-2024-45618 https://bugzilla.suse.com/1230074 SUSE Bug 1230074 A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed. CVE-2024-45619 openSUSE Tumbleweed:opensc-0.25.1-2.1 openSUSE Tumbleweed:opensc-bash-completion-0.25.1-2.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IBFHLYOZRTV2LJKPK5IKLVFJCY2NEU5F/ https://www.suse.com/security/cve/CVE-2024-45619.html CVE-2024-45619 https://bugzilla.suse.com/1230075 SUSE Bug 1230075 A vulnerability was found in the pkcs15-init tool in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed. CVE-2024-45620 openSUSE Tumbleweed:opensc-0.25.1-2.1 openSUSE Tumbleweed:opensc-bash-completion-0.25.1-2.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IBFHLYOZRTV2LJKPK5IKLVFJCY2NEU5F/ https://www.suse.com/security/cve/CVE-2024-45620.html CVE-2024-45620 https://bugzilla.suse.com/1230076 SUSE Bug 1230076 A heap-based buffer overflow vulnerability was found in the libopensc OpenPGP driver. A crafted USB device or smart card with malicious responses to the APDUs during the card enrollment process using the `pkcs15-init` tool may lead to out-of-bound rights, possibly resulting in arbitrary code execution. CVE-2024-8443 openSUSE Tumbleweed:opensc-0.25.1-2.1 openSUSE Tumbleweed:opensc-bash-completion-0.25.1-2.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IBFHLYOZRTV2LJKPK5IKLVFJCY2NEU5F/ https://www.suse.com/security/cve/CVE-2024-8443.html CVE-2024-8443 https://bugzilla.suse.com/1230364 SUSE Bug 1230364