Forum: >>> Magnum BBS <<<

[SECURITY] [DSA 1627-1] New opensc packages fix smart card vulnerabilit

From Thijs Kinkhorst@1:229/2 to All on Mon Aug 4 11:10:14 2008

From: [email protected]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------ Debian Security Advisory DSA-1627-1 [email protected] http://www.debian.org/security/ Thijs Kinkhorst
August 04, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : opensc
Vulnerability : programming error
Problem type : local
Debian-specific: no
CVE Id(s) : CVE-2008-2235

Chaskiel M Grundman discovered that opensc, a library and utilities to
handle smart cards, would initialise smart cards with the Siemens CardOS M4 card operating system without proper access rights. This allowed everyone
to change the card's PIN.

With this bug anyone can change a user PIN without having the PIN or PUK
or the superusers PIN or PUK. However it can not be used to figure out the
PIN. If the PIN on your card is still the same you always had, there's a resonable chance that this vulnerability has not been exploited.

This vulnerability affects only smart cards and USB crypto tokens based on Siemens CardOS M4, and within that group only those that were initialised
with OpenSC. Users of other smart cards and USB crypto tokens, or cards
that have been initialised with some software other than OpenSC, are not affected.

After upgrading the package, running
pkcs15-tool -T
will show you whether the card is fine or vulnerable. If the card is vulnerable, you need to update the security setting using:
pkcs15-tool -T -U

For the stable distribution (etch), this problem has been fixed in
version 0.11.1-2etch1.

For the unstable distribution (sid), this problem has been fixed in
version 0.11.4-4.

We recommend that you upgrade your opensc 0.11.1-2etch1 package and check
your card(s) with the command described above.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1.orig.tar.gz
Size/MD5 checksum: 1263611 94ce00a6bda38fac10ab06f5d5d1a8c3
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch1.diff.gz
Size/MD5 checksum: 57052 1b58c5d799d40f645ef3b132c49ab383
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch1.dsc
Size/MD5 checksum: 780 f80a316bdbee0c5132a6ac2200a864ca

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch1_alpha.deb
Size/MD5 checksum: 296980 f58a8caa8c2df06057dc0f404798626d
http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch1_alpha.deb
Size/MD5 checksum: 204944 25f4e7077d8e92da0e9f9a8c7a9f243c
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch1_alpha.deb
Size/MD5 checksum: 727608 12fcf66320b622e2f6887404709b5ab0
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch1_alpha.deb
Size/MD5 checksum: 1077824 44c113c23321766542c653f23cfa57a6
http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch1_alpha.deb
Size/MD5 checksum: 508220 5853671ce35f9f9d3d9160bdbc715267

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch1_amd64.deb
Size/MD5 checksum: 576890 ae517b1e8a6e10a0d284c86e470128a9
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch1_amd64.deb
Size/MD5 checksum: 281184 7685b2c13ea0cfe3314d13c1012ead33
http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch1_amd64.deb
Size/MD5 checksum: 483262 ea2c9a29a9983d02709fe3fdab3639c7
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch1_amd64.deb
Size/MD5 checksum: 1069104 5c79b0e8705ed7c74eead212f3dff5fd
http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch1_amd64.deb
Size/MD5 checksum: 199942 68a206307bc51ef6f0e3354f77c7b689

arm architecture (ARM)

http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch1_arm.deb
Size/MD5 checksum: 529872 6fcea50e6d9f2798e57b7a95a9d1b32b
http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch1_arm.deb
Size/MD5 checksum: 269136 4d0f5d069408f36662eea22a7162cc12
http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch1_arm.deb
Size/MD5 checksum: 450838 2f2a61d387035578e9cd2b470c15f3f5
http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch1_arm.deb
Size/MD5 checksum: 187912 48c8db0926a3b5086edd3858a7b3464f
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch1_arm.deb
Size/MD5 checksum: 1012008 b2bcc27df4dd377837bc09187226728d

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/o/opensc/opensc_0.11.1-2etch1_hppa.deb
Size/MD5 checksum: 285644 720de4261275a635e21621a8608c2118
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch1_hppa.deb
Size/MD5 checksum: 623714 21e39736d446b2f4050e17e4c6a710f7
http://security.debian.org/pool/updates/main/o/opensc/libopensc2_0.11.1-2etch1_hppa.deb
Size/MD5 checksum: 512546 62a5924897c6a1758ab692497bc2a8c2
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch1_hppa.deb
Size/MD5 checksum: 1038638 8600b17317f3f078c4a4445a1a37bba3
http://security.debian.org/pool/updates/main/o/opensc/mozilla-opensc_0.11.1-2etch1_hppa.deb
Size/MD5 checksum: 205342 998bf77a44c1c1bf1be8ec9dc37b198e

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dev_0.11.1-2etch1_i386.deb
Size/MD5 checksum: 537914 6e8db96c6e3de77c23718d708e7747d2
http://security.debian.org/pool/updates/main/o/opensc/libopensc2-dbg_0.11.1-2etch1_i386.deb
Size/MD5 checksum: 1019192 bddb42d3014a93863baf1fb4e48bcfb7

[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

Who's Online
Recent Visitors
- Ab Cadd
  Sat Jun 6 15:42:53 2026
  from Sheboygan, Wi via Telnet
- Centurion
  Sat Jun 6 15:32:28 2026
  from Berea, Ohio via Telnet
- Krenn
  Sat Jun 6 11:38:56 2026
  from Sydney, Nsw via Telnet
- Furryboy
  Sat Jun 6 10:56:29 2026
  from Romania, Galati via SSH
- Centurion
  Fri Jun 5 22:28:01 2026
  from Berea, Ohio via Telnet
- Ab Cadd
  Fri Jun 5 17:52:51 2026
  from Sheboygan, Wi via Telnet
- Gwylbert
  Fri Jun 5 06:28:52 2026
  from Sydney, Nsw via Telnet
- Centurion
  Thu Jun 4 23:42:23 2026
  from Berea, Ohio via Telnet

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	715
Nodes:	16 (2 / 14)
Uptime:	148:38:58
Calls:	12,091
Calls today:	4
Files:	15,000
Messages:	6,517,560

[SECURITY] [DSA 1627-1] New opensc packages fix smart card vulnerabilit

Who's Online

Recent Visitors

System Info