Security update for opensc SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:0998-1 Final 1 1 2021-03-31T14:57:12Z current 2021-03-31T14:57:12Z 2021-03-31T14:57:12Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for opensc This update for opensc fixes the following issues: - CVE-2020-26571: gemsafe GPK smart card software driver stack-based buffer overflow (bsc#1177380) - CVE-2019-15946: out-of-bounds access of an ASN.1 Octet string in asn1_decode_entry (bsc#1149747) - CVE-2019-15945: out-of-bounds access of an ASN.1 Bitstring in decode_bit_string (bsc#1149746) - CVE-2019-19479: incorrect read operation during parsing of a SETCOS file attribute (bsc#1158256) - CVE-2020-26572: Prevent out of bounds write (bsc#1177378) - CVE-2020-26570: Fix buffer overflow in sc_oberthur_read_file (bsc#1177364) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-998,SUSE-SLE-SERVER-12-SP5-2021-998 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20210998-1/ Link for SUSE-SU-2021:0998-1 https://lists.suse.com/pipermail/sle-security-updates/2021-March/008574.html E-Mail link for SUSE-SU-2021:0998-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1149746 SUSE Bug 1149746 https://bugzilla.suse.com/1149747 SUSE Bug 1149747 https://bugzilla.suse.com/1158256 SUSE Bug 1158256 https://bugzilla.suse.com/1177364 SUSE Bug 1177364 https://bugzilla.suse.com/1177378 SUSE Bug 1177378 https://bugzilla.suse.com/1177380 SUSE Bug 1177380 https://www.suse.com/security/cve/CVE-2019-15945/ SUSE CVE CVE-2019-15945 page https://www.suse.com/security/cve/CVE-2019-15946/ SUSE CVE CVE-2019-15946 page https://www.suse.com/security/cve/CVE-2019-19479/ SUSE CVE CVE-2019-19479 page https://www.suse.com/security/cve/CVE-2020-26570/ SUSE CVE CVE-2020-26570 page https://www.suse.com/security/cve/CVE-2020-26571/ SUSE CVE CVE-2020-26571 page https://www.suse.com/security/cve/CVE-2020-26572/ SUSE CVE CVE-2020-26572 page SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 opensc-0.13.0-3.11.1 opensc-0.13.0-3.11.1 as a component of SUSE Linux Enterprise Server 12 SP5 opensc-0.13.0-3.11.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Bitstring in decode_bit_string in libopensc/asn1.c. CVE-2019-15945 SUSE Linux Enterprise Server 12 SP5:opensc-0.13.0-3.11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:opensc-0.13.0-3.11.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P 5.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210998-1/ https://www.suse.com/security/cve/CVE-2019-15945.html CVE-2019-15945 https://bugzilla.suse.com/1149746 SUSE Bug 1149746 https://bugzilla.suse.com/1179291 SUSE Bug 1179291 OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Octet string in asn1_decode_entry in libopensc/asn1.c. CVE-2019-15946 SUSE Linux Enterprise Server 12 SP5:opensc-0.13.0-3.11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:opensc-0.13.0-3.11.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P 5.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210998-1/ https://www.suse.com/security/cve/CVE-2019-15946.html CVE-2019-15946 https://bugzilla.suse.com/1149747 SUSE Bug 1149747 https://bugzilla.suse.com/1179291 SUSE Bug 1179291 An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3. libopensc/card-setcos.c has an incorrect read operation during parsing of a SETCOS file attribute. CVE-2019-19479 SUSE Linux Enterprise Server 12 SP5:opensc-0.13.0-3.11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:opensc-0.13.0-3.11.1 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N 4.3 CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210998-1/ https://www.suse.com/security/cve/CVE-2019-19479.html CVE-2019-19479 https://bugzilla.suse.com/1158256 SUSE Bug 1158256 https://bugzilla.suse.com/1179291 SUSE Bug 1179291 The Oberthur smart card software driver in OpenSC before 0.21.0-rc1 has a heap-based buffer overflow in sc_oberthur_read_file. CVE-2020-26570 SUSE Linux Enterprise Server 12 SP5:opensc-0.13.0-3.11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:opensc-0.13.0-3.11.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210998-1/ https://www.suse.com/security/cve/CVE-2020-26570.html CVE-2020-26570 https://bugzilla.suse.com/1177364 SUSE Bug 1177364 https://bugzilla.suse.com/1179291 SUSE Bug 1179291 The gemsafe GPK smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in sc_pkcs15emu_gemsafeGPK_init. CVE-2020-26571 SUSE Linux Enterprise Server 12 SP5:opensc-0.13.0-3.11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:opensc-0.13.0-3.11.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210998-1/ https://www.suse.com/security/cve/CVE-2020-26571.html CVE-2020-26571 https://bugzilla.suse.com/1177380 SUSE Bug 1177380 https://bugzilla.suse.com/1179291 SUSE Bug 1179291 The TCOS smart card software driver in OpenSC before 0.21.0-rc1 has a stack-based buffer overflow in tcos_decipher. CVE-2020-26572 SUSE Linux Enterprise Server 12 SP5:opensc-0.13.0-3.11.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:opensc-0.13.0-3.11.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210998-1/ https://www.suse.com/security/cve/CVE-2020-26572.html CVE-2020-26572 https://bugzilla.suse.com/1177378 SUSE Bug 1177378 https://bugzilla.suse.com/1179291 SUSE Bug 1179291