Bug 1158256 - (CVE-2019-19479) VUL-1: CVE-2019-19479: opensc: incorrect read operation during parsing of a SETCOS file attribute
(CVE-2019-19479)
VUL-1: CVE-2019-19479: opensc: incorrect read operation during parsing of a S...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/248185/
CVSSv3.1:SUSE:CVE-2019-19479:4.3:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-12-03 09:29 UTC by Alexandros Toptsoglou
Modified: 2022-09-20 11:26 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexandros Toptsoglou 2019-12-03 09:29:26 UTC
CVE-2019-19479

An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3. libopensc/card-setcos.c
has an incorrect read operation during parsing of a SETCOS file attribute.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19479
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19479.html
Comment 1 Alexandros Toptsoglou 2019-12-03 09:32:21 UTC
The commit that fixes the issue[1] seems to apply to the following codestreams:
SLE11
SLE12
SLE15
SLE15-SP1  
Thus, they are tracked as affected. 

It seems that there is additional information at [2] but currently I do not have access. 

[1] https://github.com/OpenSC/OpenSC/commit/c3f23b836e5a1766c36617fe1da30d22f7b63de2#diff-b2dac517a044cf08bbc58f3543aa9582
[2] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18693
Comment 4 Jason Sikes 2021-03-22 18:32:48 UTC
| stream                 | patch                              | request |
|------------------------+------------------------------------+---------|
| SUSE:SLE-15-SP1:Update | opensc-0_19_0-CVE-2019-19479.patch |  238388 |
| SUSE:SLE-15:Update     | opensc-0_18_0-CVE-2019-19479.patch |  238394 |
| SUSE:SLE-12:Update     | opensc-0_13_0-CVE-2019-19479.patch |  238395 |
| SUSE:SLE-11:Update     | opensc-0_11_6-CVE-2019-19479.patch |  238396 |
Comment 5 Swamp Workflow Management 2021-03-31 19:17:13 UTC
SUSE-SU-2021:0998-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1149746,1149747,1158256,1177364,1177378,1177380
CVE References: CVE-2019-15945,CVE-2019-15946,CVE-2019-19479,CVE-2020-26570,CVE-2020-26571,CVE-2020-26572
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    opensc-0.13.0-3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2021-04-13 16:22:35 UTC
SUSE-SU-2021:1168-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1149746,1149747,1158256,1158307,1170809,1177364,1177378,1177380
CVE References: CVE-2019-15945,CVE-2019-15946,CVE-2019-19479,CVE-2019-19480,CVE-2019-20792,CVE-2020-26570,CVE-2020-26571,CVE-2020-26572
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    opensc-0.19.0-3.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    opensc-0.19.0-3.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2021-04-16 22:17:54 UTC
openSUSE-SU-2021:0565-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1149746,1149747,1158256,1158307,1170809,1177364,1177378,1177380
CVE References: CVE-2019-15945,CVE-2019-15946,CVE-2019-19479,CVE-2019-19480,CVE-2019-20792,CVE-2020-26570,CVE-2020-26571,CVE-2020-26572
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    opensc-0.19.0-lp152.3.3.1
Comment 13 Swamp Workflow Management 2022-03-30 19:28:18 UTC
SUSE-SU-2022:1041-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1114649,1122756,1149746,1149747,1158256,1158305,1170809,1177364,1177378,1177380,1191957,1191992,1192000,1192005
CVE References: CVE-2019-15945,CVE-2019-15946,CVE-2019-19479,CVE-2019-19481,CVE-2019-20792,CVE-2019-6502,CVE-2020-26570,CVE-2020-26571,CVE-2020-26572,CVE-2021-42779,CVE-2021-42780,CVE-2021-42781,CVE-2021-42782
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    opensc-0.18.0-150000.3.23.1
SUSE Linux Enterprise Server 15-LTSS (src):    opensc-0.18.0-150000.3.23.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    opensc-0.18.0-150000.3.23.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    opensc-0.18.0-150000.3.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Carlos López 2022-09-20 11:26:03 UTC
Done, closing.