I would like to update the status about the security issue of pcsc-lite also known as CVE-2010-0407. I presented the problem in pcsc-lite security advisory CVE-2010-0407
2 new CVE numbers
The fix in upstream revision 4208 was bogus. A fix of the fix is available in upstream revision 4334 and is included in pcsc-lite 1.5.5.
So even if pcsc-lite 1.5.4 do not have the security issue this version has a broken SCardControl() function. See Debian bug #585791 "Upgrading from pcscd_1.4.102-1_i386.deb to pcscd_1.4.102-1+lenny1_i386.deb broke my bankid application (digital signing internetbanking)".
The MSGFunctionDemarshall function in winscard_svc.c in the PC/SC Smart Card daemon (aka PCSCD) in MUSCLE PCSC-Lite before 1.5.4 might allow local users to cause a denial of service (daemon crash) via crafted SCARD_SET_ATTRIB message data, which is improperly demarshalled and triggers a buffer over-read, a related issue to CVE-2010-0407.
Buffer overflow in the MSGFunctionDemarshall function in winscard_svc.c in the PC/SC Smart Card daemon (aka PCSCD) in MUSCLE PCSC-Lite 1.5.4 and earlier might allow local users to gain privileges via crafted SCARD_CONTROL message data, which is improperly demarshalled. NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-0407.
Debian should have a fixed fixed version named 1.4.102-1+lenny3 soon.
The Red Hat bug 596426 indicates that:
- Red Hat Enterprise Linux 5 is not vulnerable because pcscd is confined in a restricted
SELinux domain (pcscd_t)
- pcsc-lite-1.5.2-4.fc12 has been submitted as an update for Fedora 12. And a Fedora Update Notification is available: [SECURITY] Fedora 12 Update: pcsc-lite-1.5.2-4.fc12
- pcsc-lite-1.5.2-3.fc11 has been submitted as an update for Fedora 11. And a Fedora Update Notification is available: [SECURITY] Fedora 11 Update: pcsc-lite-1.5.2-3.fc11
Still no news about Ubuntu, SUSE Linux and the other GNU/Linux, *BSD or Unix distributions.