- ------------------------------------------------------------------------
Debian Security Advisory DSA-1627-1                  security@debian.org
https://www.debian.org/security/                          Thijs Kinkhorst
August 04, 2008                       https://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : opensc
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2008-2235

Chaskiel M Grundman discovered that opensc, a library and utilities to
handle smart cards, would initialise smart cards with the Siemens CardOS M4
card operating system without proper access rights. This allowed everyone
to change the card's PIN.

With this bug anyone can change a user PIN without having the PIN or PUK
or the superuser's PIN or PUK. However, it cannot be used to figure out the
PIN. If the PIN on your card is still the same you always had, there's a
reasonable chance that this vulnerability has not been exploited.

This vulnerability affects only smart cards and USB crypto tokens based on
Siemens CardOS M4, and within that group only those that were initialised
with OpenSC. Users of other smart cards and USB crypto tokens, or cards
that have been initialised with some software other than OpenSC, are not

After upgrading the package, running
    pkcs15-tool -T
will show you whether the card is fine or vulnerable. If the card is
vulnerable, you need to update the security setting using:
    pkcs15-tool -T -U

For the stable distribution (etch), this problem has been fixed in
version 0.11.1-2etch1.

For the unstable distribution (sid), this problem has been fixed in
version 0.11.4-4.

We recommend that you upgrade your opensc 0.11.1-2etch1 package and check
your card(s) with the command described above.
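As an added example (not part of the Debian advisory or of OpenSC), the following pure-Python port of dpkg's version comparison gates on the two fixed versions named above, so an audit script can decide whether an installed opensc is at or past the fix on hosts where `dpkg --compare-versions` is not available. The fixed versions come from this advisory; the other version strings in the comments and tests are constructed.

```python
from string import digits
# Fixed opensc versions named in DSA-1627-1 (taken from the advisory text).
FIXED_OPENSC = {"etch": "0.11.1-2etch1", "sid": "0.11.4-4"}

def _order(c: str) -> int:
    """dpkg collation for non-digit runs: '~' < end/digit < letters < other symbols."""
    if c == "~":
        return -1
    if c == "" or c in digits:
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in digits) or (j < len(b) and b[j] not in digits):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1   # leading zeros are insignificant
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and j < len(b) and a[i] in digits and b[j] in digits:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])   # first differing digit decides
            i, j = i + 1, j + 1
        if i < len(a) and a[i] in digits:   # a has more digits left: larger number
            return 1
        if j < len(b) and b[j] in digits:
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(v: str):  # [epoch:]upstream[-revision]; only the last '-' starts the revision
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:  # -1/0/1 like dpkg --compare-versions lt|eq|gt
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    r = (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)

def opensc_is_fixed(installed: str, suite: str) -> bool:  # at or above this DSA's fix?
    return compare_versions(installed, FIXED_OPENSC[suite]) >= 0
```

Feed it the output of `dpkg-query -W -f='${Version}' opensc`; a result of False means the package still needs the upgrade before the card check is meaningful.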

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:
  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb https://security.debian.org/ stable/updates main
For dpkg-ftp:  dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
