blob: ed0391baaafd1572e1c68d9d2e0997d6db237103 [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200812-09">
<title>OpenSC: Insufficient protection of smart card PIN</title>
Smart cards formatted using OpenSC do not sufficiently protect the PIN,
allowing attackers to reset it.
<product type="ebuild">opensc</product>
<announced>December 10, 2008</announced>
<revised>December 10, 2008: 01</revised>
<package name="dev-libs/opensc" auto="yes" arch="*">
<unaffected range="ge">0.11.6</unaffected>
<vulnerable range="lt">0.11.6</vulnerable>
OpenSC is a smart card application that allows reading and writing via
Chaskiel M Grundman reported that OpenSC uses weak permissions (ADMIN
file control information of 00) for the 5015 directory on smart cards
and USB crypto tokens running Siemens CardOS M4.
<impact type="normal">
A physically proximate attacker can exploit this vulnerability to
change the PIN on a smart card and use it for authentication, leading
to privilege escalation.
There is no known workaround at this time.
All OpenSC users should upgrade to the latest version, and then check
and update their smart cards:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=dev-libs/opensc-0.11.6&quot;
# pkcs15-tool --test-update
# pkcs15-tool --test-update --update</code>
<uri link="">CVE-2008-2235</uri>
<metadata tag="requester" timestamp="Wed, 26 Nov 2008 18:58:19 +0000">
<metadata tag="submitter" timestamp="Wed, 26 Nov 2008 19:57:21 +0000">
<metadata tag="bugReady" timestamp="Wed, 26 Nov 2008 19:57:53 +0000">