Out-of-Bounds Affecting opensc package, versions <0:0.19.0-5.amzn2


Severity

Recommended
0.0
medium
0
10

Based on Amazon Linux security rating.

Threat Intelligence

EPSS
0.05% (16th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-AMZN2-OPENSC-5740452
  • published27 Jun 2023
  • disclosed1 Jun 2023

Introduced: 1 Jun 2023

CVE-2023-2977  (opens in a new tab)
CWE-119  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2 opensc to version 0:0.19.0-5.amzn2 or higher.
This issue was patched in ALAS2-2023-2102.

NVD Description

Note: Versions mentioned in the description apply only to the upstream opensc package and not the opensc package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

A vulnerbility was found in OpenSC. This security flaw cause a buffer overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The attacker can supply a smart card package with malformed ASN1 context. The cardos_have_verifyrc_package function scans the ASN1 buffer for 2 tags, where remaining length is wrongly caculated due to moved starting pointer. This leads to possible heap-based buffer oob read. In cases where ASAN is enabled while compiling this causes a crash. Further info leak or more damage is possible.

CVSS Scores

version 3.1