Summary
[UPDATE]: The last security update, which shipped OpenSC 0.11.5, had a small glitch due to a strict check; this version fixes that issue.
A security issue has been reported in OpenSC, which can be exploited by malicious people to bypass certain security restrictions.
Description
The security issue is caused by the application improperly setting the ADMIN file control information to "00" while initializing smart cards that run the Siemens CardOS M4 operating system. This can be exploited to change a user PIN code without having the PIN or PUK if the smart card was initialized with OpenSC.
Affected packages:
Pardus 2008:
opensc, all before 0.11.6-7-2
Resolution
An update is available for opensc. You can install it via Package Manager or with a single command from the console:
pisi up opensc