Pardus Linux Security Advisory - A security issue has been reported in OpenSC, which can be exploited by malicious people to bypass certain security restrictions.
5f2a2b3d0283b838e15c5e12ba9ccab3134fb5e185e2e38e881cf0869f083b2e
------------------------------------------------------------------------
Pardus Linux Security Advisory 2008-33 security@pardus.org.tr
------------------------------------------------------------------------
Date: 2008-08-31
Severity: 2
Type: Remote
------------------------------------------------------------------------
Summary
=======
[UPDATE]: Last security update with OpenSC 0.11.5 had a small glitch due
to a strict check, so this version fixes that issue.
A security issue has been reported in OpenSC, which can be exploited by malicious people
to bypass certain security restrictions.
Description
===========
The security issue is caused due to the application improperly setting
the ADMIN file control information to "00" while initializing smart
cards having a Siemens CardOS M4 operating system. This can be exploited
to change a user PIN code without having the PIN or PUK if the smart
card was initialized with OpenSC.
Affected packages:
Pardus 2008:
opensc, all before 0.11.6-7-2
Resolution
==========
There are update(s) for opensc. You can update them via Package Manager
or with a single command from console:
pisi up opensc
References
==========
* http://bugs.pardus.org.tr/show_bug.cgi?id=8066
* http://permalink.gmane.org/gmane.comp.security.oss.general/863
* http://www.opensc-project.org/pipermail/opensc-announce/2008-July/000020.html
* http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2235
* http://secunia.com/advisories/31330
------------------------------------------------------------------------
--
Pınar Yanardağ
Pardus Security Team
http://security.pardus.org.tr