Friday, June 11, 2010

pcsc-lite security advisory CVE-2010-0407

The problem


It is possible to trigger a buffer overflow in old versions of pcsc-lite, and possibly gain root access.

The bug is present in version 1.4.102 of pcsc-lite and has been corrected in revision 4208 (May 14 2009). This revision was included in pcsc-lite 1.5.4.

Debian


Debian published a Debian Security Advisory (DSA), "DSA-2059-1 pcsc-lite -- buffer overflow", about a vulnerability in pcsc-lite present in Debian stable.

Ubuntu


Ubuntu has not yet published a USN (Ubuntu Security Notice), maybe because pcscd is part of universe and not main. But libpcsclite is part of main. Note that Ubuntu is vulnerable even in the latest version, 10.04 LTS "Lucid Lynx".

Red Hat


Red Hat has an entry for the CVE on their security web site and on their bug tracking tool as bug 596426. Maybe a new package will be available soon.

SUSE Linux


I could not find information on the novell.com site. I don't even know what versions of pcsc-lite SUSE Linux Enterprise 11 is providing.

Other distributions


There are too many Unix distributions to mention them all. If you have pointers for a Unix system, just add a comment and I will update the blog.

