Security Advisory / [CVE-2023-2977]

Basic Information

Vulnerability name:
Affected operating system: Asianux
Severity: High
Affected source package: opensc
CVSS score: 7.1
Discovery date: 2023-09-26
Fixed version: opensc-0.20.0-11

Vulnerability Description

A vulnerability was found in OpenSC. This security flaw causes a buffer overrun in the pkcs15 function cardos_have_verifyrc_package. An attacker can supply a smart card package with a malformed ASN1 context. The cardos_have_verifyrc_package function scans the ASN1 buffer for 2 tags, and the remaining length is wrongly calculated because the starting pointer has already been moved. This leads to a possible heap-based out-of-bounds read. Where ASAN is enabled at compile time, this causes a crash. Further information leakage or more damage is possible.
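To make the length-bookkeeping mistake described above concrete, here is an added, simplified model (not OpenSC's code): a tiny TLV scanner whose buggy variant derives the bytes left from the found container alone, so the count ignores bytes skipped before the tag and outruns the buffer, beside the corrected variant that recomputes the count from the moved pointer and the true buffer end. The tag values, the one-byte TLV format and the sample buffer are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal TLV model (1-byte tag, 1-byte length, value); constructed, not
 * OpenSC's tag search. Returns a pointer to the value of the first element
 * tagged `tag` within [p, p+len), skipping others, or NULL if none fits. */
static const uint8_t *find_tag(const uint8_t *p, size_t len, uint8_t tag, size_t *vlen)
{
    while (len >= 2) {
        size_t l = p[1];
        if (l > len - 2)
            return NULL;            /* element claims more bytes than remain */
        if (p[0] == tag) {
            *vlen = l;
            return p + 2;
        }
        p += 2 + l;                 /* skip this element */
        len -= 2 + l;
    }
    return NULL;
}

/* Locate the first 0xE1 container, step past it, and return how many bytes
 * the loop believes are still left. fixed == 0: derived from the container
 * alone, ignoring bytes skipped before the tag (the advisory's pattern).
 * fixed != 0: recomputed from the moved pointer and the real buffer end. */
size_t remaining_after_first(const uint8_t *buf, size_t len, int fixed)
{
    const uint8_t *end = buf + len;
    size_t tlen = 0;
    const uint8_t *p = find_tag(buf, len, 0xE1, &tlen);
    if (p == NULL)
        return 0;
    p += tlen;                      /* moved starting pointer for the next pass */
    if (fixed)
        return (size_t)(end - p);   /* never reaches past `end` */
    return len - (tlen + 2);        /* stale: may exceed end - p, i.e. OOB */
}

/* Constructed sample: an unrelated 0x30 element, then one 0xE1 container. */
static const uint8_t sample[] = { 0x30, 0x02, 0xAA, 0xBB, 0xE1, 0x03, 0x01, 0x01, 0x42 };
const uint8_t *sample_buf(void) { return sample; }
size_t sample_len(void) { return sizeof sample; }

int main(void)
{
    printf("buggy bookkeeping: %zu bytes left (really 0)\n", remaining_after_first(sample, sizeof sample, 0));
    printf("fixed bookkeeping: %zu bytes left\n", remaining_after_first(sample, sizeof sample, 1));
    return 0;
}
```

With the buggy count, the next search would be handed 4 bytes starting at the end of the buffer, which is exactly the out-of-bounds read the advisory describes; the fixed count hands it 0 and the loop ends.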

Remediation

yum update PackageName

Vulnerability Determination

Run yum info PackageName to obtain the package version number. If the version is lower than the fixed version, the system is affected by this vulnerability; if the version is greater than or equal to the fixed version, the vulnerability has been fixed.

Patch

References

https://gitee.com/src-openeuler/opensc/issues/I79LIQ
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2977
https://nvd.nist.gov/vuln/detail/CVE-2023-2977