SB2022090706 - Gentoo update for OpenSC

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Double Free (CVE-ID: CVE-2021-42778)

The vulnerability allows an attacker with physical access to perform a denial of service attack.

The vulnerability exists due to a boundary error. An attacker with physical access can pass specially crafted data to the application, trigger double free error, and perform a denial of service attack.

2) Use-after-free (CVE-ID: CVE-2021-42779)

The vulnerability allows an attacker with physical access to perform a denial of service attack.

The vulnerability exists due to a use-after-free error in Opensc in sc_file_valid. An attacker with physical access can trigger use-after-free to perform a denial of service attack.

3) Unchecked Return Value (CVE-ID: CVE-2021-42780)

The vulnerability allows an attacker with physical access to perform denial of service attacks.

The vulnerability exists due to use after return issue in insert_pin() function in  Opensc. An attacker with physical access can trigger the vulnerability to perform denial of service attacks.

4) Heap-based buffer overflow (CVE-ID: CVE-2021-42781)

The vulnerability allows an attacker with physical access to perform denial of service attack.

The vulnerability exists due to a boundary error in Opensc before in pkcs15-oberthur.c. An attacker with physical access can pass specially crafted data to the application, trigger a heap-based buffer overflow and perform denial of service attack.

5) Stack-based buffer overflow (CVE-ID: CVE-2021-42782)

The vulnerability allows an attacker with physical access to perform a denial of service attack.

The vulnerability exists due to a boundary error in Opensc in various places. An attacker with physical access can trigger stack-based buffer overflow and perform a denial of service attack.

Remediation

Install update from vendor's website.

References

• https://security.gentoo.org/glsa/202209-03