Towards new release 0.25.0 #3017
Regarding the security relevant bugs reported by OSS-Fuzz, there are two issues
but they are both fixing previously reported and fixed fuzzing issues. From Coverity high impact issues, there are only problems connected to unit tests for PKCS#1 v1.5 depadding, fixed by #3016.
Thanks for the summary, looks good so far!
If I understand correctly, then the original issue was a loss of memory. Since the use after free was not part of any release version, I'd rather fall back to the severity of the old issue (loss of memory, not security relevant)
This one seems noteworthy for the upcoming release, because the 6d1fcd9 was part of 0.24.0. However, it can only be triggered by a malicious card and during modification of the card. If we want to allocate a CVE for this, we could use the description of CVE-2023-40661 as a template.
I'd like to contribute to this release (and hopefully future ones!) by testing it with my Nitrokey Start and Pro tokens and updating the Release Testing wiki page accordingly. Hopefully that's useful :) I have a quick question though - I don't see any tags for 0.25 yet, should I wait for one, or just go ahead with a build off of
Hi, @alt3r-3go, great to hear! We will update the table once we have created a release candidate. When that is done, you can extend the wiki (and the test result page) by making a pull request here https://github.com/OpenSC/Wiki
The UAF could happen only, when the So I agree that it would make sense to get the CVE for this (with low priority as it only affects the enrollment).
Here is the draft of the CVE:

Memory use after free in AuthentIC driver when updating token info

The Use After Free vulnerability was identified within the AuthentIC driver in OpenSC packages, particularly in the card enrollment process using pkcs15-init when a user or administrator enrolls or modifies cards. An attacker must have physical access to the computer system to take advantage of this flaw. The attack requires a crafted USB device or smart card to present the system with specially crafted responses to the APDUs, which are considered high complexity and low severity. This manipulation can potentially allow for compromising card management operations during enrollment.

References
Please also pick up the code signing of the Windows installer in the changelog (#2799)
The release candidate 1 is out now https://github.com/OpenSC/OpenSC/releases/tag/0.25.0-rc1. We would appreciate further testing of rc1 (https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Release-Testing); results can be added as PR to https://github.com/OpenSC/Wiki or shared as a comment on this issue.
Here are the draft release notes for the upcoming release, feel free to adjust or let me know what is missing. Some of the project cards in https://github.com/OpenSC/OpenSC/projects/13 are still in progress, so I will adjust the draft eventually.
Security
General improvements
minidriver
pkcs11-tool
IDPrime
D-Trust Signature Cards
EstEID
ePass2003
SmartCard-HSM
MyEID
Rutoken