pcsc-lite: arbitrary code execution
LWN published a message about "pcsc-lite: arbitrary code execution":
The description of the bug is correct (this time). But I am not sure it would be possible to execute arbitrary code. The ATR is still limited to MAX_ATR_SIZE=33 bytes.
The bug was fixed on 3rd November 2010 in revision 5370 more than a month before MWR published a InfoSecurity Security Advisory PCSC-Lite: pcscd ATR Handler Buffer Overflow on 13th December 2010.
Debian 6.0 was released just yesterday. The pcscd package in this version contains the fix.
pcsc-lite: arbitrary code execution
| Package(s): | pcsc-lite | CVE #(s): | CVE-2010-4531 | ||||||||||||||||||
| Created: | January 14, 2011 | Updated: | February 3, 2011 | ||||||||||||||||||
| Description: | From the Red Hat bugzilla: A stack-based buffer overflow flaw was found in the way PC/SC Lite smart card framework decoded certain attribute values of the Answer-to-Reset (ATR) message, received back from the card after connecting. A local attacker could use this flaw to execute arbitrary code with the privileges of the user running the pcscd daemon, via a malicious smart card inserted to the system USB port. |
||||||||||||||||||||
| Alerts: |
|
||||||||||||||||||||
The description of the bug is correct (this time). But I am not sure it would be possible to execute arbitrary code. The ATR is still limited to MAX_ATR_SIZE=33 bytes.
The bug was fixed on 3rd November 2010 in revision 5370 more than a month before MWR published a InfoSecurity Security Advisory PCSC-Lite: pcscd ATR Handler Buffer Overflow on 13th December 2010.
Debian 6.0 was released just yesterday. The pcscd package in this version contains the fix.