Bug 1150032 (CVE-2019-16058)

Summary: VUL-1: CVE-2019-16058: pam_p11: buffer overflow if a smart card creates a signature with a length longer than 256 bytes
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P4 - Low CC: carlos.lopez, kstreitova, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/241921/
Whiteboard: CVSSv3:SUSE:CVE-2019-16058:4.9:(AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) maint:planned:update
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexandros Toptsoglou 2019-09-09 14:31:33 UTC

An issue was discovered in the pam_p11 component 0.2.0 and 0.3.0 for OpenSC. If
a smart card creates a signature with a length longer than 256 bytes, this
triggers a buffer overflow. This may be the case for RSA keys with 4096 bits
depending on the signature scheme.

Comment 1 Alexandros Toptsoglou 2019-09-09 14:39:00 UTC
Tracked as affected both SLE11 and SLE12
Comment 2 Jason Sikes 2022-09-09 01:42:22 UTC
This isn't an issue in SLE11 and SLE12.

A buffer with length of 256 is passed to PKCS11_sign() along with a pointer to the variable that holds the length of the buffer. The chain continues to C_Sign() in our opensc package.

Within C_Sign() the actual signature size is retrieved and then compared to the buffer size. If the buffer is too small to hold the signature then an error value is returned and the buffer is unchanged.

C_Sign() checks the buffer size in both:
* opensc-0.11.6 (SLE11) and:
* opensc-0.13.0 (SLE12).

Therefore, both SLE11 and SLE12 are not affected.

Assigning to @security-team
Comment 4 Carlos López 2022-09-16 12:43:57 UTC
Not affected, closing.