RHEL-64698

Rebase OpenSC to 0.26.0


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Normal
    • rhel-10.0
    • opensc
    • opensc-0.26.0-1.el10
    • Rebase
    • rhel-security-crypto
    • ssg_security
    • QE ack, Dev ack
    • Crypto24Q4
    • Release Note Not Required
    • Release note:

      RN in https://issues.redhat.com/browse/RHEL-71523

      OpenSC provided in version 0.26.0

      RHEL 10 contains the `opensc` packages in the upstream version 0.26.0. The most notable enhancements and bug fixes are:

      * Additional fixes for removing the time side-channel leakage related to the RSA PKCS #1 v1.5 padding removal after decryption.
      * Unified OpenSSL logging.
      * Support for the HKDF, RSA OAEP encryption, AES GCM, and AES GMAC mechanisms in the `pkcs11-tool` utility.
      * Fixes for CVEs targeting uninitialized memory problems: CVE-2024-45615, CVE-2024-45616, CVE-2024-45617, CVE-2024-45618, CVE-2024-45619, and CVE-2024-45620.

      A new version of OpenSC, 0.26.0, will be released upstream. It contains additional fixes for removing the time side-channel leakage related to RSA PKCS#1 v1.5 padding removal after decryption, unified OpenSSL logging, several new features for `pkcs11-tool`, and fixes for CVEs targeting uninitialized memory problems.

      CVEs fixed with this rebase:

      • CVE-2024-45615: Usage of uninitialized values in libopensc and pkcs15init
      • CVE-2024-45616: Uninitialized values after incorrect check or usage of APDU response values in libopensc 
      • CVE-2024-45617: Uninitialized values after incorrect or missing checking return values of functions in libopensc
      • CVE-2024-45618: Uninitialized values after incorrect or missing checking return values of functions in pkcs15init
      • CVE-2024-45619: Incorrect handling of the length of buffers or files in libopensc
      • CVE-2024-45620: Incorrect handling of the length of buffers or files in pkcs15init
      • CVE-2024-8443: Heap buffer overflow in OpenPGP driver when generating key

              People: Veronika Hanulikova (vhanulik@redhat.com), George Pantelakis, Mirek Jahoda