-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2010:189 http://www.mandriva.com/security/ _______________________________________________________________________ Package : pcsc-lite Date : September 24, 2010 Affected: 2008.0, 2009.0, 2009.1, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been found and corrected in pcsc-lite: The MSGFunctionDemarshall function in winscard_svc.c in the PC/SC Smart Card daemon (aka PCSCD) in MUSCLE PCSC-Lite before 1.5.4 might allow local users to cause a denial of service (daemon crash) via crafted SCARD_SET_ATTRIB message data, which is improperly demarshalled and triggers a buffer over-read, a related issue to CVE-2010-0407 (CVE-2009-4901). Buffer overflow in the MSGFunctionDemarshall function in winscard_svc.c in the PC/SC Smart Card daemon (aka PCSCD) in MUSCLE PCSC-Lite 1.5.4 and earlier might allow local users to gain privileges via crafted SCARD_CONTROL message data, which is improperly demarshalled. NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-0407 (CVE-2009-4902). Multiple buffer overflows in the MSGFunctionDemarshall function in winscard_svc.c in the PC/SC Smart Card daemon (aka PCSCD) in MUSCLE PCSC-Lite before 1.5.4 allow local users to gain privileges via crafted message data, which is improperly demarshalled (CVE-2010-0407). Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 The updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4901 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4902 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0407 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.0: 8542435bcf848ec4a758f08abb440de6 2008.0/i586/libpcsclite1-1.4.4-1.1mdv2008.0.i586.rpm b2cba2d308ce62f0db856cbeb397e579 2008.0/i586/libpcsclite-devel-1.4.4-1.1mdv2008.0.i586.rpm 91aa91411c7755f9fef3bc9d2247ae8d 2008.0/i586/libpcsclite-static-devel-1.4.4-1.1mdv2008.0.i586.rpm a9b3733633dea019f2604a3edaee1108 2008.0/i586/pcsc-lite-1.4.4-1.1mdv2008.0.i586.rpm f08e053f4969deef763e11fd6d66b408 2008.0/SRPMS/pcsc-lite-1.4.4-1.1mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: 6e0f7e5e8069e5aa694de0b51d51e7f7 2008.0/x86_64/lib64pcsclite1-1.4.4-1.1mdv2008.0.x86_64.rpm ecb3d147a0989e9f11b6c21a99d78b00 2008.0/x86_64/lib64pcsclite-devel-1.4.4-1.1mdv2008.0.x86_64.rpm 217d8be73202d169f0749b586d2fc78d 2008.0/x86_64/lib64pcsclite-static-devel-1.4.4-1.1mdv2008.0.x86_64.rpm 5124ffac456d3ddcbe83c2cc20b3e65b 2008.0/x86_64/pcsc-lite-1.4.4-1.1mdv2008.0.x86_64.rpm f08e053f4969deef763e11fd6d66b408 2008.0/SRPMS/pcsc-lite-1.4.4-1.1mdv2008.0.src.rpm Mandriva Linux 2009.0: 9e6699c3b26d60127e0caaa1aa2289d2 2009.0/i586/libpcsclite1-1.4.102-1.1mdv2009.0.i586.rpm 72a1a3d5e01ed8345f265a77f4ea05dd 2009.0/i586/libpcsclite-devel-1.4.102-1.1mdv2009.0.i586.rpm 349726056604450832d18ebef0b719c0 2009.0/i586/libpcsclite-static-devel-1.4.102-1.1mdv2009.0.i586.rpm e87e4987d3fbf641f645b2009471f387 2009.0/i586/pcsc-lite-1.4.102-1.1mdv2009.0.i586.rpm 76334baf4d0a4c7e7269be6855aee4c2 2009.0/SRPMS/pcsc-lite-1.4.102-1.1mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: 0ecec7927fddbf1791384667d4c2cb0f 2009.0/x86_64/lib64pcsclite1-1.4.102-1.1mdv2009.0.x86_64.rpm 628debd6fb07c332a72b836c165bcc8d 2009.0/x86_64/lib64pcsclite-devel-1.4.102-1.1mdv2009.0.x86_64.rpm ae015f03362f7399c9aba451f2f7fecd 2009.0/x86_64/lib64pcsclite-static-devel-1.4.102-1.1mdv2009.0.x86_64.rpm 64fbc7257cbfc5a18c1d3f63ab8860e8 2009.0/x86_64/pcsc-lite-1.4.102-1.1mdv2009.0.x86_64.rpm 76334baf4d0a4c7e7269be6855aee4c2 2009.0/SRPMS/pcsc-lite-1.4.102-1.1mdv2009.0.src.rpm Mandriva Linux 2009.1: f6fbc67ddacadd6e421fd68d02e12633 2009.1/i586/libpcsclite1-1.5.2-1.1mdv2009.1.i586.rpm a1ba1511fd5dd26573527ef50ce81b5e 2009.1/i586/libpcsclite-devel-1.5.2-1.1mdv2009.1.i586.rpm 4b9ba378d857ae48a846f00e286024e8 2009.1/i586/libpcsclite-static-devel-1.5.2-1.1mdv2009.1.i586.rpm 6a704dd4e7d8423d35db366dbf689cb7 2009.1/i586/pcsc-lite-1.5.2-1.1mdv2009.1.i586.rpm 01a7091c9fcf2337578c9caeebc87833 2009.1/SRPMS/pcsc-lite-1.5.2-1.1mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: 613b7a63921e05a482fb4aae6a36d5cf 2009.1/x86_64/lib64pcsclite1-1.5.2-1.1mdv2009.1.x86_64.rpm 9dd66b08eb34e7fa8d00c569f0face33 2009.1/x86_64/lib64pcsclite-devel-1.5.2-1.1mdv2009.1.x86_64.rpm 8b7f3042144456046ac6a550d49466f7 2009.1/x86_64/lib64pcsclite-static-devel-1.5.2-1.1mdv2009.1.x86_64.rpm 8f4c9901adccf658a5edd7b88e735568 2009.1/x86_64/pcsc-lite-1.5.2-1.1mdv2009.1.x86_64.rpm 01a7091c9fcf2337578c9caeebc87833 2009.1/SRPMS/pcsc-lite-1.5.2-1.1mdv2009.1.src.rpm Mandriva Enterprise Server 5: 4194b2888cee96308009918fd78ec2e6 mes5/i586/libpcsclite1-1.4.102-1.1mdvmes5.1.i586.rpm 5fceb0986718f744abbd371129b38eba mes5/i586/libpcsclite-devel-1.4.102-1.1mdvmes5.1.i586.rpm f856c267204173af9fad236eac81c28f mes5/i586/libpcsclite-static-devel-1.4.102-1.1mdvmes5.1.i586.rpm 6d601e4b1d1168ebec78c5d945378e02 mes5/i586/pcsc-lite-1.4.102-1.1mdvmes5.1.i586.rpm 0b52ec2a75a79cdef80d31b6b55323d1 mes5/SRPMS/pcsc-lite-1.4.102-1.1mdv2009.0.src.rpm Mandriva Enterprise Server 5/X86_64: 245e8a6081254bacb173674d15594e98 mes5/x86_64/lib64pcsclite1-1.4.102-1.1mdvmes5.1.x86_64.rpm 315e276f89d1bd75105a2e40f2976b81 mes5/x86_64/lib64pcsclite-devel-1.4.102-1.1mdvmes5.1.x86_64.rpm 731b15c35ffe0872052578e9a25f3fa2 mes5/x86_64/lib64pcsclite-static-devel-1.4.102-1.1mdvmes5.1.x86_64.rpm ca6aa016db366b69b83ca08814a9636c mes5/x86_64/pcsc-lite-1.4.102-1.1mdvmes5.1.x86_64.rpm 0b52ec2a75a79cdef80d31b6b55323d1 mes5/SRPMS/pcsc-lite-1.4.102-1.1mdv2009.0.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFMnGzomqjQ0CJFipgRAmXTAKDITs6XSqDRd8Bm+jEKeBBi8VCnmgCdG3k7 73gkpAFx7zZqY3bL0t73fqA= =qjIw -----END PGP SIGNATURE-----