Debian Bug report logs - #607780
ccid: buffer overflow


Package: ccid; Maintainer for ccid is Ludovic Rousseau <rousseau@debian.org>;

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Wed, 22 Dec 2010 04:12:02 UTC

Severity: important

Tags: security, upstream

Found in version 1.3.8-1

Fixed in versions ccid/1.3.11-2, 1.4.7-1

Done: Ludovic Rousseau <rousseau@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Ludovic Rousseau <rousseau@debian.org>:
Bug#607780; Package ccid. (Wed, 22 Dec 2010 04:12:05 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Ludovic Rousseau <rousseau@debian.org>. (Wed, 22 Dec 2010 04:12:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: ccid: buffer overflow
Date: Tue, 21 Dec 2010 18:08:53 -0500
package: ccid
version: 1.3.8-1
severity: serious
tags: security

An advisory has been issued for the pcsc-lite ccid driver:
http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-libccid-buffer-overflow_2010-12-13.pdf

I have checked that the vulnerable code is present in both lenny and
sid.

mike




Information forwarded to debian-bugs-dist@lists.debian.org, Ludovic Rousseau <rousseau@debian.org>:
Bug#607780; Package ccid. (Wed, 22 Dec 2010 17:54:03 GMT)

Acknowledgement sent to 607780@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Ludovic Rousseau <rousseau@debian.org>. (Wed, 22 Dec 2010 17:54:03 GMT)

Message #10 received at 607780@bugs.debian.org:

From: Ludovic Rousseau <ludovic.rousseau@gmail.com>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 607780@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#607780: ccid: buffer overflow
Date: Wed, 22 Dec 2010 18:51:33 +0100
severity 607780 important
tags 607780 upstream
thanks

On 22/12/2010 00:08, Michael Gilbert wrote:
> package: ccid
> version: 1.3.8-1
> severity: serious
> tags: security
>
> An advisory has been issued for the pcsc-lite ccid driver:
> http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-libccid-buffer-overflow_2010-12-13.pdf

Thanks.

> I have checked that the vulnerable code is present in both lenny and

To trigger the bug the attacker needs to connect a serial reader to the 
host, and then needs to have physical access to the computer.

To enable the serial reader the attacker needs to edit the file 
/etc/reader.conf and configure the use of the connected serial reader. 
So the attacker must have root access to trigger the buffer overflow.

I am downgrading the severity to important. I don't think I will fix the bug 
for squeeze.

Bye

-- 
 Ludovic




Severity set to 'important' from 'serious' Request was from Ludovic Rousseau <ludovic.rousseau@gmail.com> to control@bugs.debian.org. (Wed, 22 Dec 2010 17:54:05 GMT)

Added tag(s) upstream. Request was from Ludovic Rousseau <ludovic.rousseau@gmail.com> to control@bugs.debian.org. (Wed, 22 Dec 2010 17:54:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Ludovic Rousseau <rousseau@debian.org>:
Bug#607780; Package ccid. (Wed, 22 Dec 2010 19:45:12 GMT)

Acknowledgement sent to Ludovic Rousseau <ludovic.rousseau@gmail.com>:
Extra info received and forwarded to list. Copy sent to Ludovic Rousseau <rousseau@debian.org>. (Wed, 22 Dec 2010 19:45:12 GMT)

Message #19 received at 607780@bugs.debian.org:

From: Ludovic Rousseau <ludovic.rousseau@gmail.com>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 607780@bugs.debian.org
Subject: Re: Bug#607780: ccid: buffer overflow
Date: Wed, 22 Dec 2010 20:41:29 +0100
On 22/12/2010 00:08, Michael Gilbert wrote:
> An advisory has been issued for the pcsc-lite ccid driver:
> http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-libccid-buffer-overflow_2010-12-13.pdf

CVE Request
http://www.openwall.com/lists/oss-security/2010/12/22/7

Date: Wed, 22 Dec 2010 13:55:08 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>,
        Robert Relyea <rrelyea@...hat.com>
Subject: CVE Request -- 1, ccid -- int.overflow leading to array index error; 2, pcsc-lite stack-based buffer overflow in ATR decoder [was: CVE request: opensc buffer overflow]

Hello Josh, Steve, vendors,

   Rafael Dominguez Vega of MWR InfoSecurity reported two more flaws 
related to smart cards:

   I), CCID: Integer overflow, leading to an array index error when 
processing a crafted serial number of certain cards

   Description:
   An integer overflow, leading to an array index error, was found
   in the way the USB CCID (Chip/Smart Card Interface Devices) driver
   processed certain values of the card serial number. A local attacker
   could use this flaw to execute arbitrary code, with the privileges
   of the user running the pcscd daemon, via a malicious smart card
   with a specially-crafted value of its serial number, inserted into
   the system's USB port.

   References:
   [1] http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-libccid-buffer-overflow_2010-12-13.pdf
   [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607780
   [3] https://bugzilla.redhat.com/show_bug.cgi?id=664986

   Upstream changesets:
   [4] http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004934.html
   [5] http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004935.html


-- 
 Dr. Ludovic Rousseau

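The CVE request above describes the bug only abstractly: a length-like value derived from card data is handled in a signed type, and a value the check never expected (negative after sign-extension) reaches an array index or a memcpy. The following is an added illustration of that bug class, not libccid's code and not the upstream fix in SVN r5381/r5382; the frame layout (a length byte followed by payload), the buffer name and size, and the function names are all hypothetical. It shows the vulnerable check beside a hardened one, and returns what memcpy would have been told to copy instead of performing the overflow.

```c
/*
 * Added illustration of a signedness error on a length field (the bug
 * class behind CVE-2010-4530). Not libccid code; the frame format and
 * all names below are assumptions made for the example.
 *
 * Assumed frame: frame[0] is a length byte, frame[1..] is payload, and
 * the host copies the payload into a fixed-size buffer of ATR_MAX bytes.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ATR_MAX 33   /* hypothetical fixed-size destination buffer */

/* Outcome of the length check, observable without doing the copy. */
enum copy_result { COPY_OK, COPY_REJECTED, COPY_WOULD_OVERFLOW };

/*
 * Vulnerable pattern: the length byte is read into a signed type and
 * checked only against the upper bound. A byte of 0x80..0xFF becomes
 * a negative int, passes `len > ATR_MAX`, and is then converted to a
 * huge size_t when handed to memcpy. *copy_len receives the value
 * memcpy would have been given; the copy itself is not performed.
 */
enum copy_result vulnerable_length_check(const unsigned char *frame,
                                         size_t *copy_len)
{
    int len = (signed char)frame[0];   /* sign-extended: 0xF0 -> -16 */
    if (len > ATR_MAX)
        return COPY_REJECTED;          /* only the upper bound is checked */
    *copy_len = (size_t)len;           /* negative -> near SIZE_MAX */
    return (len < 0) ? COPY_WOULD_OVERFLOW : COPY_OK;
}

/*
 * Hardened pattern: keep the length unsigned so it can never be
 * negative, and bound it both by the destination buffer and by the
 * number of bytes actually received (a frame that claims more payload
 * than it carries is also rejected).
 */
enum copy_result hardened_length_check(const unsigned char *frame,
                                       size_t avail, size_t *copy_len)
{
    if (avail == 0)
        return COPY_REJECTED;
    size_t len = frame[0];             /* unsigned, 0..255 */
    if (len > ATR_MAX || len > avail - 1)
        return COPY_REJECTED;
    *copy_len = len;
    return COPY_OK;
}

/* Full hardened path: copies into atr, returns bytes copied or -1. */
int hardened_copy_atr(const unsigned char *frame, size_t avail,
                      unsigned char atr[ATR_MAX])
{
    size_t n;
    if (hardened_length_check(frame, avail, &n) != COPY_OK)
        return -1;
    memcpy(atr, frame + 1, n);
    return (int)n;
}

/* Constructed sample frames (not captured from a real reader). */
static const unsigned char good_frame[]  = { 0x03, 0x3B, 0x90, 0x11 };
static const unsigned char bad_frame[]   = { 0xF0, 0x00 }; /* 240, or -16 signed */
static const unsigned char short_frame[] = { 0x05, 0x01 }; /* claims 5, carries 1 */

int main(void)
{
    size_t n = 0;
    unsigned char atr[ATR_MAX];

    printf("vulnerable, bad frame: result=%d, memcpy length would be %zu\n",
           vulnerable_length_check(bad_frame, &n), n);
    printf("hardened, bad frame: result=%d\n",
           hardened_length_check(bad_frame, sizeof bad_frame, &n));
    printf("hardened, good frame: copied %d bytes, atr[0]=0x%02X\n",
           hardened_copy_atr(good_frame, sizeof good_frame, atr), atr[0]);
    return 0;
}
```

The point the test pins down is that the vulnerable check accepts a frame whose length byte is 0xF0 and would hand memcpy a length close to SIZE_MAX, while the hardened check rejects both that frame and one that claims more payload than was received.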



Information forwarded to debian-bugs-dist@lists.debian.org, Ludovic Rousseau <rousseau@debian.org>:
Bug#607780; Package ccid. (Thu, 23 Dec 2010 17:18:03 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Ludovic Rousseau <rousseau@debian.org>. (Thu, 23 Dec 2010 17:18:03 GMT)

Message #24 received at 607780@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 607780@bugs.debian.org, 607781@bugs.debian.org
Subject: Re: Bug#607780: ccid: buffer overflow
Date: Thu, 23 Dec 2010 12:14:15 -0500
On Wed, 22 Dec 2010 18:51:33 +0100, Ludovic Rousseau wrote:
> To trigger the bug the attacker needs to connect a serial reader to the 
> host, and then needs to have physical access to the computer.
> 
> To enable the serial reader the attacker needs to edit the file 
> /etc/reader.conf and configure the use of the connected serial reader. 
> So the attacker must have root access to trigger the buffer overflow.

An administrator making use of a serial card reader is likely to have
done this prior to the attacker having access to the reader.

> I downgrade the severity to important. I don't think I will fix the bug 
> for squeeze.

I don't want to blow things out of proportion, but these bugs
completely violate the security model that is intended by card readers.
So even though the exploit is difficult and requires local access, it is
a real issue and really needs to be fixed.

I don't want to play bts ping pong, but this really should be fixed for
squeeze (making it RC).  I suggest re-raising severity, and I will apply
the patches myself (since they're rather modest) if you aren't willing
to do so yourself. I'll also do an SPU for lenny.

Best wishes,
Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Ludovic Rousseau <rousseau@debian.org>:
Bug#607780; Package ccid. (Fri, 24 Dec 2010 10:00:07 GMT)

Acknowledgement sent to 607780@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Ludovic Rousseau <rousseau@debian.org>. (Fri, 24 Dec 2010 10:00:07 GMT)

Message #29 received at 607780@bugs.debian.org:

From: Ludovic Rousseau <ludovic.rousseau@gmail.com>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 607780@bugs.debian.org
Subject: Re: Bug#607780: ccid: buffer overflow
Date: Fri, 24 Dec 2010 10:59:08 +0100
On 23/12/2010 18:14, Michael Gilbert wrote:
> On Wed, 22 Dec 2010 18:51:33 +0100, Ludovic Rousseau wrote:
>> To trigger the bug the attacker needs to connect a serial reader to the
>> host, and then needs to have physical access to the computer.
>>
>> To enable the serial reader the attacker needs to edit the file
>> /etc/reader.conf and configure the use of the connected serial reader.
>> So the attacker must have root access to trigger the buffer overflow.
>
> An administrator making use of a serial card reader is likely to have
> done this prior to the attacker having access to the reader.

Right.

>> I downgrade the severity to important. I don't think I will fix the bug
>> for squeeze.
>
> I don't want to blow things out of proportion, but these bugs
> completely violate the security model that is intended by card readers.
> So even though the exploit is difficult and requires local access, it is
> a real issue and really needs to be fixed.
>
> I don't want to play bts ping pong, but this really should be fixed for
> squeeze (making it RC).  I suggest re-raising severity, and I will apply
> the patches myself (since they're rather modest) if you aren't willing
> to do so yourself. I'll also do an SPU for lenny.

OK, go for the RC severity and NMU. I can't do the upload now myself.

The upstream corrective patches are in SVN revision 5381 and 5382.

http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004934.html
http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004935.html

Thanks

-- 
 Dr. Ludovic Rousseau




Information forwarded to debian-bugs-dist@lists.debian.org, Ludovic Rousseau <rousseau@debian.org>:
Bug#607780; Package ccid. (Wed, 19 Jan 2011 22:21:03 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Ludovic Rousseau <rousseau@debian.org>. (Wed, 19 Jan 2011 22:21:03 GMT)

Message #34 received at 607780@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 607780@bugs.debian.org, 607780-subscribe@bugs.debian.org
Subject: Re: Bug#607780: ccid: buffer overflow
Date: Wed, 19 Jan 2011 17:19:19 -0500
Are you also going to work on a stable update for this?  It also got a
CVE number:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4530

Best wishes,
Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Ludovic Rousseau <rousseau@debian.org>:
Bug#607780; Package ccid. (Wed, 19 Jan 2011 22:30:05 GMT)

Acknowledgement sent to 607780@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Ludovic Rousseau <rousseau@debian.org>. (Wed, 19 Jan 2011 22:30:05 GMT)

Message #39 received at 607780@bugs.debian.org:

From: Ludovic Rousseau <ludovic.rousseau@gmail.com>
To: 607780@bugs.debian.org
Subject: Re: Bug#607780: ccid: buffer overflow
Date: Wed, 19 Jan 2011 23:27:39 +0100
On 22/12/10 00:08, Michael Gilbert wrote:
> package: ccid
> version: 1.3.8-1
> severity: serious
> tags: security
>
> An advisory has been issued for the pcsc-lite ccid driver:
> http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-libccid-buffer-overflow_2010-12-13.pdf
>
> I have checked that the vulnerable code is present in both lenny and
> sid.

This issue is also known as CVE-2010-4530
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4530

-- 
 Dr. Ludovic Rousseau




Reply sent to Ludovic Rousseau <rousseau@debian.org>:
You have taken responsibility. (Sat, 22 Jan 2011 11:21:13 GMT)

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sat, 22 Jan 2011 11:21:13 GMT)

Message #44 received at 607780-close@bugs.debian.org:

From: Ludovic Rousseau <rousseau@debian.org>
To: 607780-close@bugs.debian.org
Subject: Bug#607780: fixed in ccid 1.3.11-2
Date: Sat, 22 Jan 2011 11:17:07 +0000
Source: ccid
Source-Version: 1.3.11-2

We believe that the bug you reported is fixed in the latest version of
ccid, which is due to be installed in the Debian FTP archive:

ccid_1.3.11-2.diff.gz
  to main/c/ccid/ccid_1.3.11-2.diff.gz
ccid_1.3.11-2.dsc
  to main/c/ccid/ccid_1.3.11-2.dsc
libccid_1.3.11-2_amd64.deb
  to main/c/ccid/libccid_1.3.11-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 607780@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovic Rousseau <rousseau@debian.org> (supplier of updated ccid package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 22 Jan 2011 11:52:56 +0100
Source: ccid
Binary: libccid
Architecture: source amd64
Version: 1.3.11-2
Distribution: unstable
Urgency: high
Maintainer: Ludovic Rousseau <rousseau@debian.org>
Changed-By: Ludovic Rousseau <rousseau@debian.org>
Description: 
 libccid    - PC/SC driver for USB CCID smart card readers
Closes: 607780
Changes: 
 ccid (1.3.11-2) unstable; urgency=high
 .
   * Fix CVE-2010-4530: Signedness error in ccid_serial.c
   * Closes: #607780 "ccid: buffer overflow"
Checksums-Sha1: 
 bc7c53864b2e3cb6592904ffb3700dbcaba2b1ff 1230 ccid_1.3.11-2.dsc
 0b68a59debadeb767a9ba9535fd256c918225d30 13697 ccid_1.3.11-2.diff.gz
 1fa506fd796f143baf794828adabd45300026138 109070 libccid_1.3.11-2_amd64.deb
Checksums-Sha256: 
 c3c08c595cd3219b934c223db4ae9bf456afcd0720b5bc3aeda3ca4a9401c453 1230 ccid_1.3.11-2.dsc
 84bb0b55229a9934a0c7ddbed2cb8ba2babab4f53757f60a9563cc16e5da9f5f 13697 ccid_1.3.11-2.diff.gz
 c783b200d9af6975ada5a93c11c86f674264200ab351b69853f81d9f8c320524 109070 libccid_1.3.11-2_amd64.deb
Files: 
 2782541e4d7f364b3deeeec288636901 1230 libs extra ccid_1.3.11-2.dsc
 f6d87719e320f2910f02545cd342e3fd 13697 libs extra ccid_1.3.11-2.diff.gz
 46cc0739ee26f41ab08b5db55c4477ef 109070 libs extra libccid_1.3.11-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk06uOYACgkQP0qKj+B/HPkfQACgkJdY+mFYgs9e1YCRy2EC+gU1
iTkAnAhBkf5nSQgMKo9JyfeuNkJSDKv2
=jxJ/
-----END PGP SIGNATURE-----





Marked as fixed in versions 1.4.7-1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Mon, 04 Nov 2013 15:36:12 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 31 Dec 2013 07:49:33 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:12:37 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.