Bug 1150032 - (CVE-2019-16058) VUL-1: CVE-2019-16058: pam_p11: buffer overflow if a smart card creates a signature with a length longer than 256 bytes
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/241921/
CVSSv3:SUSE:CVE-2019-16058:4.9:(AV:P/...
Reported: 2019-09-09 14:31 UTC by Alexandros Toptsoglou
Modified: 2022-09-16 12:43 UTC
Found By: Security Response Team
Description Alexandros Toptsoglou 2019-09-09 14:31:33 UTC
CVE-2019-16058

An issue was discovered in the pam_p11 component 0.2.0 and 0.3.0 for OpenSC. If
a smart card creates a signature with a length longer than 256 bytes, this
triggers a buffer overflow. This may be the case for RSA keys with 4096 bits
depending on the signature scheme.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16058
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16058.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16058
http://www.cvedetails.com/cve/CVE-2019-16058/
https://github.com/OpenSC/pam_p11/commit/d150b60e1e14c261b113f55681419ad1dfa8a76c
Comment 1 Alexandros Toptsoglou 2019-09-09 14:39:00 UTC
Tracked as affected: both SLE11 and SLE12.
Comment 2 Jason Sikes 2022-09-09 01:42:22 UTC
This isn't an issue in SLE11 and SLE12.

A buffer with length of 256 is passed to PKCS11_sign() along with a pointer to the variable that holds the length of the buffer. The chain continues to C_Sign() in our opensc package.

Within C_Sign() the actual signature size is retrieved and then compared to the buffer size. If the buffer is too small to hold the signature then an error value is returned and the buffer is unchanged.

C_Sign() checks the buffer size in both:
* opensc-0.11.6 (SLE11) and:
* opensc-0.13.0 (SLE12).

Therefore, both SLE11 and SLE12 are not affected.

Assigning to @security-team
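
The size check described in Comment 2, as an added example that is not part of the bug report and is not OpenSC or pam_p11 code. `model_sign` and `sign_with_256_byte_buffer` are hypothetical names; the model assumes the PKCS#11 convention of reporting the required length when it returns CKR_BUFFER_TOO_SMALL, and the signature bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Return codes with the values PKCS#11 assigns to them. */
#define CKR_OK               0x000UL
#define CKR_BUFFER_TOO_SMALL 0x150UL

/* Hypothetical stand-in for a token's signing call (not OpenSC code).
 * An RSA signature is key_bits/8 bytes. On entry *out_len is the caller's
 * buffer capacity; on return it is the length produced or required. */
unsigned long model_sign(unsigned key_bits, unsigned char *out,
                         unsigned long *out_len)
{
    unsigned long need = key_bits / 8;
    if (*out_len < need) {           /* the check Comment 2 describes */
        *out_len = need;             /* report the required length */
        return CKR_BUFFER_TOO_SMALL; /* buffer is left untouched */
    }
    memset(out, 0xAB, need);         /* constructed placeholder signature */
    *out_len = need;
    return CKR_OK;
}

/* Caller in the shape described on this page: a fixed 256-byte buffer plus
 * a pointer to its length. The canary placed after the buffer detects an
 * overrun. Returns the result code, or (unsigned long)-1 on a clobbered canary. */
unsigned long sign_with_256_byte_buffer(unsigned key_bits,
                                        unsigned long *reported_len)
{
    struct { unsigned char sig[256]; unsigned char canary[8]; } frame;
    unsigned long len = sizeof frame.sig, rv;
    memset(frame.sig, 0, sizeof frame.sig);
    memset(frame.canary, 0x5A, sizeof frame.canary);
    rv = model_sign(key_bits, frame.sig, &len);
    *reported_len = len;
    for (size_t i = 0; i < sizeof frame.canary; i++)
        if (frame.canary[i] != 0x5A)
            return (unsigned long)-1;
    return rv;
}

int main(void)
{
    unsigned long len, rv;
    rv = sign_with_256_byte_buffer(4096, &len);
    printf("RSA-4096: rv=0x%lx, length reported=%lu\n", rv, len);
    rv = sign_with_256_byte_buffer(2048, &len);
    printf("RSA-2048: rv=0x%lx, length reported=%lu\n", rv, len);
    return 0;
}
```

A caller that receives CKR_BUFFER_TOO_SMALL should treat the signing attempt as failed or retry with a buffer of the reported length, never reuse the stale buffer contents.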
Comment 4 Carlos López 2022-09-16 12:43:57 UTC
Not affected, closing.