Can someone post a diff or point at the change number for this? I will need to backport it to stable and oldstable.
* Andreas Jellinghaus (a...@dungeon.inka.de) wrote:
> OpenSC today released a new version OpenSC 0.11.7 with these changes:
> * hide_empty_slots now on by default.
> * pinpad support fixed for Mac OS X.
> * ruToken driver was updated.
> * openct virtual readers reduced to 2 by default.
> * link with iconv on Mac OS X for i18n support.
> * Security issue: Fix private data support.
> * Enable lock_login by default.
> * Disable allow_soft_keygen by default.
>
> Regards, Andreas Jellinghaus
> a...@opensc-project.org
>
> Security update for OpenSC
> ==========================
>
> OpenSC Security Advisory [26-Feb-2009] CVE-2009-0368
> ----------------------------------------------------
>
> OpenSC stores private data without proper access restrictions.
>
> User "b.badrignans" reported this security problem on December 4th, 2008.
> In June 2007 support for private data objects was added to OpenSC. Only later
> a severe security bug was found out: while the OpenSC PKCS#11 implementation
> requires PIN verification to access the data, low level APDU commands or
> debugging tools like opensc-explorer or opensc-tool can access the private
> data without any authentication. This was fixed in OpenSC 0.11.7.
>
> RSA keys are not affected by this security problem. National eID cards and
> other cards initialised by other software are not affected by this problem.
> Only blank cards initialised with OpenSC are affected by this problem. It is
> not known if the problem is limited to some drivers, but we believe all
> drivers are affected. We could only test very few cards, but all of them had
> the problem, and the fix worked on all of them. All other cards are
> completely untested for either.
>
> This fix only improves creating new private data objects. Cards already
> initialised with such private data objects need to be modified to repair the
> access control conditions on such cards. One way to do that is to erase the
> card and re-initialise it, but doing this you would lose all content on the
> card, including RSA private keys. An alternative is to download the private
> data object(s) to your PC, delete them on the card, and store them once more
> on the card with the new, fixed version of OpenSC. This procedure has been
> tested with success on some cards, but no guaranty of any kind can be given.
>
> WARNING! Only follow this procedure if you know what you are doing.
> This could damage your card or erase all data on it! No warranty of any kind,
> you are on your own! WARNING!
>
> Testing your card:
> To create a file with a secret:
>   echo "This is my secret data" > secret-file
>
> To initialise a blank card:
>   pkcs15-init --create-pkcs15 --use-default-transport-keys \
>     --profile pkcs15+onepin --pin 123456 --puk 78907890
>
> To write a private data object to the card:
>   pkcs11-tool --label "my secret" --type data --write-object secret-file \
>     --private --login --pin 123456
>
> To see all objects on the card:
>   pkcs15-tool --dump
>
> This will list the data object, including the path it is stored, e.g.:
>   "Path: 3f0050154701"
>
> To access such an object with low level tools:
>   opensc-explorer
>   cd 5015
>   get 4701
>
> New versions of OpenSC will not allow this to succeed. For older
> versions the file name is usually 4601 for the first data object
> (private or not), and it is never protected, thus you can download
> the content with the get command.
>
> After testing you can erase a card with this command:
>   pkcs15-init --erase-card --use-default-transport-keys
>
> WARNING! Only follow this procedure if you know what you are doing.
> This could damage your card or erase all data on it! No warranty of any kind,
> you are on your own! WARNING!
>
> Other security changes
> ----------------------
>
> When OpenSC was created some cards could already create RSA keys on card,
> but other popular cards could only execute signing and decryption on card,
> but not create RSA key. The OpenSC code was written to use the hardware RSA
> key creation, if the card supports it, and - to make things easier for
> everyone - to create an RSA key in software, if the card does not support it.
> This could always be turned off with the "soft_keygen_allowed" in the config
> file.
>
> We have not heard of any user of such old cards without the capability to
> create RSA keys for a long time. Thus we changed the default of the
> soft_keygen_allowed option to false in OpenSC 0.11.7. Users of Siemens CardOS
> based smart cards will still need to turn this option on, if they want to use
> the "split-key" option to work around limitations in the CardOS card
> operating system (not being able to have RSA keys valid for both signing and
> decryption).
>
> OpenSC used to lock access to a smart card, when applications used the Login
> function with OpenSC. This option was disabled by default a while ago, because
> popular applications like Firefox and Thunderbird call the Login function when
> they are started (and OpenSC is configured as PKCS#11 module). If locking is
> enabled, you cannot run both applications at the same time, as the first gets
> the lock, and the second is stuck till the first application is quit. Also
> you can't use any other application at the same time, for example you can't
> use a screensaver with smart card authentication.
>
> Still we revised this default setting in OpenSC 0.11.7 and enabled lock_login
> by default. This will harm all users of several concurrent applications trying
> to use smart cards. But without locking we cannot rule out the possibility of
> a security issue in some race scenario. Also some applications seem to not
> work properly without lock_login enabled.
>
> Security fixes available
> ------------------------
>
> http://www.opensc-project.org/files/opensc/opensc-0.11.7.tar.gz
>
> md5sum opensc-0.11.7.tar.gz
> 419e9be372c2f9bbb3ce9704c929d5ec opensc-0.11.7.tar.gz
>
> sha1sum opensc-0.11.7.tar.gz
> f91f66bb350d94c07fb01e427c936ce56f1c7d0d opensc-0.11.7.tar.gz
>
> sha256sum opensc-0.11.7.tar.gz
> 6dab273cbdba8e92c59207715199f48f4f9e541e6d873561e30154bd40c4011d
>
> In our subversion repository the private data fix is available as revision
> 3605, the new default settings are committed in revision 3604. Note however
> that we can support only released versions of OpenSC and current trunk. If
> you have a problem with an older version or patched version, you need to try
> the latest release.
>
> State of OpenSC
> ===============
>
> I believe that security software should be simple, well designed, well written
> and actively maintained by a dedicated team.
>
> I'm sad to inform you that OpenSC is a rather large and complex software,
> the design shows that it has clearly grown over the years. Most developers
> stopped being interested in smart cards many years ago, only few are left, of
> those nearly no one actually uses smart cards day to day. Time for improving
> OpenSC is scarce if it exists at all, and not a single developer knows the
> OpenSC core code in detail.
>
> OpenSC is working fine for some applications, like using it with openssh
> for smart card authenticated ssh login, or for console login with a pam
> module, or testing and learning about smart cards. But in general you need to
> judge yourself if the state of OpenSC is compatible with your requirements.
>
> The project needs more developers and a new project maintainer. If you are
> interested in spending your free time to work with smart cards, we would like
> to welcome you to the project, and will try to help you and support your work.
>
> Binary distributions
> ====================
>
> Our Mac OS X Installer Package "SCA" is well maintained and a new version
> including this new version will be available soon. All versions up to and
> including 0.2.4.1 are vulnerable, but the new experimental 0.2.5-pre1
> and the final 0.2.5 will include the fixed OpenSC 0.11.7.
>
> Our old Windows Installer Package "SCB" is also affected by this
> vulnerability: All versions are affected. We don't have any windows developer
> left, so no one can update this package.
>
> New windows binaries build using mingw are available in the "Build" project.
> Version 001 and 002 are both vulnerable, a new version 003 with OpenSC 0.11.7
> will be soon available.
>
> Contact and Feedback
> ====================
>
> If you have questions or feedback, please do not hesitate to contact us on
> our mailing lists "opensc-devel" or "opensc-user". You need to subscribe to
> these lists before posting, as we are getting a lot of spam each day and do
> not have the resource to sort out valid email.
>
> Regards, Andreas Jellinghaus
> a...@opensc-project.org
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel

-- 
Eric Dorland <e...@kuroneko.ca>
ICQ: #61138586, Jabber: ho...@jabber.com
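
An added illustration, not part of this thread and not OpenSC code: a toy Python model of the flaw the quoted advisory describes, showing why a fixed release protects only newly created objects and why re-storing an object repairs it. It assumes the private flag was honoured only by the PKCS#11 layer while the on-card file kept an unrestricted READ condition; the `Card` class, ACL names and helper functions are hypothetical.

```python
# Toy model (constructed for illustration; not OpenSC code) of a card file
# system in which every file carries its own READ access condition.
from dataclasses import dataclass, field

NONE, CHV = "NONE", "CHV"  # READ always allowed / only after PIN verification


@dataclass
class Card:
    pin: str
    files: dict = field(default_factory=dict)  # path -> (read_acl, content)
    verified: bool = False

    def verify(self, pin):
        self.verified = (pin == self.pin)
        return self.verified

    def read_binary(self, path):
        """What a low-level tool gets: only the on-card ACL is consulted."""
        acl, content = self.files[path]
        if acl == CHV and not self.verified:
            raise PermissionError("security status not satisfied")
        return content


def store_data_object(card, path, content, private, fixed):
    """Create a data object; 'fixed' selects pre-fix or post-fix behaviour."""
    # Assumed pre-fix behaviour: the private flag never reaches the file ACL.
    acl = CHV if (private and fixed) else NONE
    card.files[path] = (acl, content)


def low_level_read(card, path):
    """Fresh session with no PIN entered, bypassing any middleware check."""
    card.verified = False
    try:
        return card.read_binary(path)
    except PermissionError:
        return None


def restore_with_fixed_version(card, path, pin):
    """The advisory's repair: download, delete, store again with fixed code."""
    card.verify(pin)
    content = card.read_binary(path)
    del card.files[path]
    store_data_object(card, path, content, private=True, fixed=True)
```

Upgrading the software changes only what `store_data_object` writes from then on; a file created earlier keeps its old access condition until it is deleted and written again.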