Monday, February 7, 2011

pcsc-lite: arbitrary code execution

LWN published a message about "pcsc-lite: arbitrary code execution":

pcsc-lite: arbitrary code execution

Package(s):pcsc-lite CVE #(s):CVE-2010-4531
Created:January 14, 2011 Updated:February 3, 2011
Description: From the Red Hat bugzilla:
A stack-based buffer overflow flaw was found in the way
PC/SC Lite smart card framework decoded certain attribute
values of the Answer-to-Reset (ATR) message, received back
from the card after connecting. A local attacker could
use this flaw to execute arbitrary code with the privileges
of the user running the pcscd daemon, via a malicious smart
card inserted to the system USB port.
Fedora FEDORA-2011-0164 2011-01-05
Fedora FEDORA-2011-0123 2011-01-05
Mandriva MDVSA-2011:015 2011-01-20
Debian DSA-2156-1 2011-01-31
openSUSE openSUSE-SU-2011:0092-1 2011-02-02
Pardus 2011-24 2011-02-02

The description of the bug is correct (this time). But I am not sure it would be possible to execute arbitrary code. The ATR is still limited to MAX_ATR_SIZE=33 bytes.

The bug was fixed on 3rd November 2010 in revision 5370 more than a month before MWR published a InfoSecurity Security Advisory PCSC-Lite: pcscd ATR Handler Buffer Overflow on 13th December 2010.

Debian 6.0 was released just yesterday. The pcscd package in this version contains the fix.

Flattr this