Bug 1158305 - (CVE-2019-19481) VUL-1: CVE-2019-19481: opensc: improper handling of buffer limits for CAC certificates
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Depends on:
Reported: 2019-12-03 14:17 UTC by Alexandros Toptsoglou
Modified: 2022-03-30 19:28 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexandros Toptsoglou 2019-12-03 14:17:56 UTC

An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3. libopensc/card-cac1.c mishandles buffer limits for CAC certificates.

Comment 1 Alexandros Toptsoglou 2019-12-03 14:20:40 UTC
Only SLE15 with version 0.18 is affected. The issue was introduced in version 0.17; the affected code was then removed in 0.19 (the version in SLE15-SP1) and re-introduced in version 0.20.

The fix is available at [0]. Additional information, to which I do not yet have access, is at [1].

Comment 3 Jason Sikes 2021-03-22 18:22:02 UTC
|   issue | stream             | patch                              | request |
| 1158305 | SUSE:SLE-15:Update | opensc-0_18_0-CVE-2019-19481.patch |  238394 |
Comment 9 Swamp Workflow Management 2022-03-30 19:28:23 UTC
SUSE-SU-2022:1041-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1114649,1122756,1149746,1149747,1158256,1158305,1170809,1177364,1177378,1177380,1191957,1191992,1192000,1192005
CVE References: CVE-2019-15945,CVE-2019-15946,CVE-2019-19479,CVE-2019-19481,CVE-2019-20792,CVE-2019-6502,CVE-2020-26570,CVE-2020-26571,CVE-2020-26572,CVE-2021-42779,CVE-2021-42780,CVE-2021-42781,CVE-2021-42782
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    opensc-0.18.0-150000.3.23.1
SUSE Linux Enterprise Server 15-LTSS (src):    opensc-0.18.0-150000.3.23.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    opensc-0.18.0-150000.3.23.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    opensc-0.18.0-150000.3.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.