Security update for opensc SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:3443-1 Final 1 1 2024-09-25T16:11:01Z current 2024-09-25T16:11:01Z 2024-09-25T16:11:01Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for opensc This update for opensc fixes the following issues: - CVE-2024-45620: Incorrect handling of the length of buffers or files in pkcs15init. (bsc#1230076) - CVE-2024-45619: Incorrect handling length of buffers or files in libopensc. (bsc#1230075) - CVE-2024-45618: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init. (bsc#1230074) - CVE-2024-45617: Uninitialized values after incorrect or missing checking return values of functions in libopensc. (bsc#1230073) - CVE-2024-45616: Uninitialized values after incorrect check or usage of APDU response values in libopensc. (bsc#1230072) - CVE-2024-45615: Usage of uninitialized values in libopensc and pkcs15init. (bsc#1230071) - CVE-2024-8443: Heap buffer overflow in OpenPGP driver when generating key. (bsc#1230364) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-3443,SUSE-SLE-SERVER-12-SP5-2024-3443 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20243443-1/ Link for SUSE-SU-2024:3443-1 https://lists.suse.com/pipermail/sle-updates/2024-September/037064.html E-Mail link for SUSE-SU-2024:3443-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1217722 SUSE Bug 1217722 https://bugzilla.suse.com/1230071 SUSE Bug 1230071 https://bugzilla.suse.com/1230072 SUSE Bug 1230072 https://bugzilla.suse.com/1230073 SUSE Bug 1230073 https://bugzilla.suse.com/1230074 SUSE Bug 1230074 https://bugzilla.suse.com/1230075 SUSE Bug 1230075 https://bugzilla.suse.com/1230076 SUSE Bug 1230076 https://bugzilla.suse.com/1230364 SUSE Bug 1230364 https://www.suse.com/security/cve/CVE-2024-45615/ SUSE CVE CVE-2024-45615 page https://www.suse.com/security/cve/CVE-2024-45616/ SUSE CVE CVE-2024-45616 page https://www.suse.com/security/cve/CVE-2024-45617/ SUSE CVE CVE-2024-45617 page https://www.suse.com/security/cve/CVE-2024-45618/ SUSE CVE CVE-2024-45618 page https://www.suse.com/security/cve/CVE-2024-45619/ SUSE CVE CVE-2024-45619 page https://www.suse.com/security/cve/CVE-2024-45620/ SUSE CVE CVE-2024-45620 page https://www.suse.com/security/cve/CVE-2024-8443/ SUSE CVE CVE-2024-8443 page SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 opensc-0.13.0-3.31.1 opensc-0.13.0-3.31.1 as a component of SUSE Linux Enterprise Server 12 SP5 opensc-0.13.0-3.31.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. The problem is missing initialization of variables expected to be initialized (as arguments to other functions, etc.). CVE-2024-45615 SUSE Linux Enterprise Server 12 SP5:opensc-0.13.0-3.31.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:opensc-0.13.0-3.31.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243443-1/ https://www.suse.com/security/cve/CVE-2024-45615.html CVE-2024-45615 https://bugzilla.suse.com/1230071 SUSE Bug 1230071 A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. The following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card. CVE-2024-45616 SUSE Linux Enterprise Server 12 SP5:opensc-0.13.0-3.31.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:opensc-0.13.0-3.31.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243443-1/ https://www.suse.com/security/cve/CVE-2024-45616.html CVE-2024-45616 https://bugzilla.suse.com/1230072 SUSE Bug 1230072 A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized. CVE-2024-45617 SUSE Linux Enterprise Server 12 SP5:opensc-0.13.0-3.31.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:opensc-0.13.0-3.31.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243443-1/ https://www.suse.com/security/cve/CVE-2024-45617.html CVE-2024-45617 https://bugzilla.suse.com/1230073 SUSE Bug 1230073 A vulnerability was found in pkcs15-init in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized. CVE-2024-45618 SUSE Linux Enterprise Server 12 SP5:opensc-0.13.0-3.31.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:opensc-0.13.0-3.31.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243443-1/ https://www.suse.com/security/cve/CVE-2024-45618.html CVE-2024-45618 https://bugzilla.suse.com/1230074 SUSE Bug 1230074 A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed. CVE-2024-45619 SUSE Linux Enterprise Server 12 SP5:opensc-0.13.0-3.31.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:opensc-0.13.0-3.31.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243443-1/ https://www.suse.com/security/cve/CVE-2024-45619.html CVE-2024-45619 https://bugzilla.suse.com/1230075 SUSE Bug 1230075 A vulnerability was found in the pkcs15-init tool in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed. CVE-2024-45620 SUSE Linux Enterprise Server 12 SP5:opensc-0.13.0-3.31.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:opensc-0.13.0-3.31.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243443-1/ https://www.suse.com/security/cve/CVE-2024-45620.html CVE-2024-45620 https://bugzilla.suse.com/1230076 SUSE Bug 1230076 A heap-based buffer overflow vulnerability was found in the libopensc OpenPGP driver. A crafted USB device or smart card with malicious responses to the APDUs during the card enrollment process using the `pkcs15-init` tool may lead to out-of-bound rights, possibly resulting in arbitrary code execution. CVE-2024-8443 SUSE Linux Enterprise Server 12 SP5:opensc-0.13.0-3.31.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:opensc-0.13.0-3.31.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243443-1/ https://www.suse.com/security/cve/CVE-2024-8443.html CVE-2024-8443 https://bugzilla.suse.com/1230364 SUSE Bug 1230364