Security update for opensc

Announcement ID:	SUSE-SU-2022:1041-1
Rating:	important
References:	bsc#1114649 bsc#1122756 bsc#1149746 bsc#1149747 bsc#1158256 bsc#1158305 bsc#1170809 bsc#1177364 bsc#1177378 bsc#1177380 bsc#1191957 bsc#1191992 bsc#1192000 bsc#1192005
Cross-References:	CVE-2019-15945 CVE-2019-15946 CVE-2019-19479 CVE-2019-19481 CVE-2019-20792 CVE-2019-6502 CVE-2020-26570 CVE-2020-26571 CVE-2020-26572 CVE-2021-42779 CVE-2021-42780 CVE-2021-42781 CVE-2021-42782
CVSS scores:	CVE-2019-15945 ( SUSE ): 5.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L CVE-2019-15945 ( NVD ): 6.4 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-15945 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-15946 ( SUSE ): 5.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L CVE-2019-15946 ( NVD ): 6.4 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-15946 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-19479 ( SUSE ): 4.3 CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2019-19479 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2019-19481 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2019-19481 ( NVD ): 4.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-20792 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2019-20792 ( NVD ): 6.8 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-6502 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2019-6502 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-26570 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-26570 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-26571 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-26571 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-26572 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-26572 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-42779 ( SUSE ): 4.2 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-42779 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-42780 ( SUSE ): 2.0 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-42780 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-42781 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H CVE-2021-42781 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-42782 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-42782 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products:	SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise High Performance Computing 15 LTSS 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server 15 LTSS 15 SUSE Linux Enterprise Server ESPOS 15 SUSE Linux Enterprise Server for SAP Applications 15

An update that solves 13 vulnerabilities and has one security fix can now be installed.

Description:

This update for opensc fixes the following issues:

Security issues fixed:

• CVE-2021-42780: Fixed use after return in insert_pin() (bsc#1192005).
• CVE-2021-42779: Fixed use after free in sc_file_valid() (bsc#1191992).
• CVE-2021-42781: Fixed multiple heap buffer overflows in pkcs15-oberthur.c (bsc#1192000).
• CVE-2021-42782: Stack buffer overflow issues in various places (bsc#1191957).
• CVE-2019-6502: Fixed a memory leak in sc_context_create() (bsc#1122756).
• CVE-2020-26570: Fixed a heap based buffer overflow in sc_oberthur_read_file (bsc#1177364).
• CVE-2020-26572: Prevent out of bounds write (bsc#1177378)
• CVE-2020-26571: gemsafe GPK smart card software driver stack-based buffer overflow (bsc#1177380)
• CVE-2019-15946: out-of-bounds access of an ASN.1 Octet string in asn1_decode_entry (bsc#1149747)
• CVE-2019-19479: incorrect read operation during parsing of a SETCOS file attribute (bsc#1158256)
• CVE-2019-15945: Fixed an out-of-bounds access of an ASN.1 Bitstring in decode_bit_string (bsc#1149746).
• CVE-2019-19481: Fixed an improper handling of buffer limits for CAC certificates (bsc#1158305).
• CVE-2019-20792: Fixed a double free in coolkey_free_private_data (bsc#1170809).

Non-security issues fixed:

• Fixes segmentation fault in 'pkcs11-tool.c'. (bsc#1114649)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server ESPOS 15
  zypper in -t patch SUSE-SLE-Product-HPC-15-2022-1041=1
• SUSE Linux Enterprise High Performance Computing 15 LTSS 15
  zypper in -t patch SUSE-SLE-Product-HPC-15-2022-1041=1
• SUSE Linux Enterprise Server 15 LTSS 15
  zypper in -t patch SUSE-SLE-Product-SLES-15-2022-1041=1
• SUSE Linux Enterprise Server for SAP Applications 15
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2022-1041=1

Package List:

• SUSE Linux Enterprise Server ESPOS 15 (aarch64 x86_64)
  • opensc-0.18.0-150000.3.23.1
  • opensc-debuginfo-0.18.0-150000.3.23.1
  • opensc-debugsource-0.18.0-150000.3.23.1
• SUSE Linux Enterprise High Performance Computing 15 LTSS 15 (aarch64 x86_64)
  • opensc-0.18.0-150000.3.23.1
  • opensc-debuginfo-0.18.0-150000.3.23.1
  • opensc-debugsource-0.18.0-150000.3.23.1
• SUSE Linux Enterprise Server 15 LTSS 15 (aarch64 ppc64le s390x x86_64)
  • opensc-0.18.0-150000.3.23.1
  • opensc-debuginfo-0.18.0-150000.3.23.1
  • opensc-debugsource-0.18.0-150000.3.23.1
• SUSE Linux Enterprise Server for SAP Applications 15 (ppc64le x86_64)
  • opensc-0.18.0-150000.3.23.1
  • opensc-debuginfo-0.18.0-150000.3.23.1
  • opensc-debugsource-0.18.0-150000.3.23.1

References:

• https://www.suse.com/security/cve/CVE-2019-15945.html
• https://www.suse.com/security/cve/CVE-2019-15946.html
• https://www.suse.com/security/cve/CVE-2019-19479.html
• https://www.suse.com/security/cve/CVE-2019-19481.html
• https://www.suse.com/security/cve/CVE-2019-20792.html
• https://www.suse.com/security/cve/CVE-2019-6502.html
• https://www.suse.com/security/cve/CVE-2020-26570.html
• https://www.suse.com/security/cve/CVE-2020-26571.html
• https://www.suse.com/security/cve/CVE-2020-26572.html
• https://www.suse.com/security/cve/CVE-2021-42779.html
• https://www.suse.com/security/cve/CVE-2021-42780.html
• https://www.suse.com/security/cve/CVE-2021-42781.html
• https://www.suse.com/security/cve/CVE-2021-42782.html
• https://bugzilla.suse.com/show_bug.cgi?id=1114649
• https://bugzilla.suse.com/show_bug.cgi?id=1122756
• https://bugzilla.suse.com/show_bug.cgi?id=1149746
• https://bugzilla.suse.com/show_bug.cgi?id=1149747
• https://bugzilla.suse.com/show_bug.cgi?id=1158256
• https://bugzilla.suse.com/show_bug.cgi?id=1158305
• https://bugzilla.suse.com/show_bug.cgi?id=1170809
• https://bugzilla.suse.com/show_bug.cgi?id=1177364
• https://bugzilla.suse.com/show_bug.cgi?id=1177378
• https://bugzilla.suse.com/show_bug.cgi?id=1177380
• https://bugzilla.suse.com/show_bug.cgi?id=1191957
• https://bugzilla.suse.com/show_bug.cgi?id=1191992
• https://bugzilla.suse.com/show_bug.cgi?id=1192000
• https://bugzilla.suse.com/show_bug.cgi?id=1192005