Ubuntu
opensc package

[Security] opensc OpenSC stores private data without proper access restrictions - CVE-2009-0368

Bug #603703 reported by Brian Thomason
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
opensc (Ubuntu)
Fix Released
Undecided
Unassigned
Jaunty
Fix Released
Medium
Unassigned

Bug Description

Binary package hint: opensc

Change the defaults of lock_login and soft_keygen_allowed to prevent untrusted applications from using the smartcard and preventing unexpected client side key generation.

CVE References

Brian Thomason (brian-thomason)
Changed in opensc (Ubuntu):
status: New → In Progress
assignee: nobody → Brian Thomason (brian-thomason)
Revision history for this message
Brian Thomason (brian-thomason) wrote :
Brian Thomason (brian-thomason)
Changed in opensc (Ubuntu):
status: In Progress → New
Marc Deslauriers (mdeslaur)
visibility: private → public
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ACK to the debdiff. It is being uploaded and will be released soon.

Changed in opensc (Ubuntu Jaunty):
status: New → Confirmed
importance: Undecided → Medium
Changed in opensc (Ubuntu):
assignee: Brian Thomason (brian-thomason) → nobody
Changed in opensc (Ubuntu Jaunty):
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opensc - 0.11.4-5ubuntu1.1

---------------
opensc (0.11.4-5ubuntu1.1) jaunty-security; urgency=low

  * SECURITY UPDATE: Fix insecure profile handling (LP: #603703)
  - modified src/pkcs15init/asepcos.profile, src/pkcs15init/cardos.profile,
    src/pkcs15init/cyberflex.profile, src/pkcs15init/flex.profile,
    src/pkcs15init/gpk.profile, src/pkcs15init/incrypto34.profile,
    src/pkcs15init/jcop.profile, src/pkcs15init/muscle.profile,
    src/pkcs15init/pkcs15-lib.c, src/pkcs15init/starcos.profile: Backport fix
    from upstream svn#3605. Fixes improper handling of private data in profiles
  - modified etc/opensc.conf.in, src/pkcs11/misc.c: Change the defaults of
    lock_login and soft_keygen_allowed to prevent untrusted applications
    from using the smartcard and preventing unexpected client side key
    generation.
    Patches provided by Debian in Lenny (DSA-1734-1)
  - CVE-2009-0368
 -- Brian Thomason <email address hidden> Fri, 09 Jul 2010 13:55:29 -0400

Changed in opensc (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Marc Deslauriers (mdeslaur)
Changed in opensc (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.