New release 0.24.0 #2792

Closed
kloczek opened this issue Jun 2, 2023 · 26 comments

@kloczek

kloczek commented Jun 2, 2023

0.23.0...master shows +250 commits since last release. Amongst those commits are some critical fixes.

Do you have any plans to release a new version soon? 🤔

@Jakuje
Member

Jakuje commented Jun 5, 2023

I was hoping to have one later this summer. I think we cannot make it more frequently than once a year.

I created https://github.com/OpenSC/OpenSC/projects/12 last week that can collect what we would like to include or not.

Can you point out the critical fixes?

@kloczek
Author

kloczek commented Jun 5, 2023

Thank you 👍
Looking at the current rate of commits, I think it would be best to have one minor release every 3-4 months, just to flush the set of already committed fixes/improvements/updates.

@Jakuje Jakuje added this to To do in OpenSC 0.24.0 via automation Jun 28, 2023
@xhanulik
Contributor

xhanulik commented Jul 3, 2023

This is a draft of release notes for 0.24.0, summarising new changes from the last release. Please, feel free to fix or propose other changes which should be included.


General improvements

PKCS#11

PKCS#15

Minidriver

pkcs11-tool

westcos-tool

  • Generate 2k RSA keys by default (b53fc5c)

pkcs11-register

IDPrime

EPass2003

OpenPGP

eOI

Italian CNS

PIV

SkeID

isoApplet

MyEID

SC-HSM

@kloczek
Author

kloczek commented Jul 3, 2023

LGTM 👍

@popovec
Member

popovec commented Jul 3, 2023

EPass2003
Change of PIN requires verification of the PIN (Update card-epass2003.c #2759)

PR #2759 also fixes issue #2734

@frankmorgner
Member

I've updated https://github.com/OpenSC/OpenSC/projects/12 with the missing pieces.

We still have some things to do regarding the fixed security issues. @Jakuje, would it be possible for you to review and request possible CVEs with Red Hat's support (see the project's cards that are still To Do)? If needed, you may re-use some of the descriptive CVE text blocks for a possible security advisory in the wiki.

Unfortunately, we didn't make any progress regarding signed OpenSC release packages. I don't think we will be able to finish #2799 for this release. macOS binaries are signed by Tim Wilbrink, but we didn't set up notarization. Signed source code packages make sense with its git integration, which is still planned to be reviewed by @Jakuje.

Thanks, @xhanulik, for providing a draft for the release notes. Please remember to synchronize this once the project cards which are currently in progress are done.

@frankmorgner frankmorgner moved this from To do to In progress in OpenSC 0.24.0 Jul 17, 2023
@Jakuje
Member

Jakuje commented Aug 3, 2023

Sorry for the delay. I can certainly put together some advisory drafts and ask for CVE numbers in the coming week, after I go through the oss-fuzz issues and the auth bypass.

Regarding #1129, my take would be just to provide a signature on the final tarball using one of our PGP keys. But given the mess PGP is in, I am not using it on a daily/weekly basis. I have set it up several times already (on a yubikey) and I am not sure if it works right now or if it has expired. Last time I signed libcacard. I would have to check.

@Jakuje
Member

Jakuje commented Aug 11, 2023

I am attaching security advisory drafts. I would go ahead with two separate ones: one for the PIN bypass and the other for the oss-fuzz and coverity reported issues. Feel free to propose changes.

I just went ahead to test that zero-length PINs are indeed not able to exploit the screen unlock on Linux (with a fresh install + a new yubikey 5) and I was not able to get in.


CVE-2023-40660: Potential PIN bypass (#2806, frankmorgner/OpenSCToken#50, #2807)

When the token/card was plugged into the computer and authenticated from one process, it could be used to provide cryptographic operations from a different process when an empty, zero-length PIN is used and the token can track the login status using some of its internals. This is dangerous for OS logon/screen unlock and small tokens that are plugged permanently into the computer. The bypass was removed and OpenSC implemented explicit logout for most of the card drivers to prevent leaving unattended logged-in tokens.

The PoC is available for macOS screen unlock bypass with Yubikey. The issue can also be reproduced with a PKCS#11 module and Minidriver if the calling application does not bail out on an empty PIN (neither Firefox nor SSSD allows an empty PIN under Linux, even before reaching out to the PKCS#11 module).

Affected versions: OpenSC 0.17.0 - 0.23.0

Originally reported by Deepanjan Pal (Oracle Corporation)

CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (7.3)

CVE-2023-40661: Static and dynamic analyzer reports

This advisory summarizes automatically reported issues that are security relevant that were reported since the release of OpenSC 0.23.0.

All of these require physical access to the computer running opensc and a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs, so they are considered high-complexity and low-severity.

Security-related oss-fuzz issues

CVE-2023-4535: Out-of-bounds read in MyEID driver handling encryption using symmetric keys

This issue requires physical access to the computer running opensc and a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs, so it is considered high-complexity and low-severity.

This issue is in the code handling symmetric keys, which are not widely used, for example, for desktop login, so most of the deployments are not affected.

Affected versions: OpenSC 0.17.0 - 0.23.0

  • CID 380538: Out-of-bounds read in MyEID handling of encryption using symmetric keys. Fixed with f1993dc

CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (3.1)
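
A simplified model of the behaviour the CVE-2023-40660 advisory draft above describes, added here as an illustration and not taken from OpenSC or from this thread. The `struct token`, the function names, the return codes and the PIN value are all constructed; the model only shows why a zero-length PIN must be rejected before the token's own login state is consulted, and what explicit logout changes.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model: the token keeps its own login state, shared by every
 * process that talks to it. Names and PIN value are illustrative. */
struct token {
    const char *pin;   /* reference PIN held by the token */
    int logged_in;     /* login status tracked inside the token */
};

enum { LOGIN_OK = 0, LOGIN_BAD_PIN = -1, LOGIN_EMPTY_PIN = -2 };

/* Card-side PIN check (a real card does this in hardware). */
static int token_verify(struct token *t, const char *pin, size_t len)
{
    if (len != strlen(t->pin) || memcmp(pin, t->pin, len) != 0)
        return LOGIN_BAD_PIN;
    t->logged_in = 1;
    return LOGIN_OK;
}

/* Pre-fix behaviour as the advisory describes it: a zero-length PIN skips
 * verification, so the outcome depends only on the token's stored state. */
int login_with_bypass(struct token *t, const char *pin, size_t len)
{
    if (len == 0)
        return t->logged_in ? LOGIN_OK : LOGIN_BAD_PIN;
    return token_verify(t, pin, len);
}

/* Hardened: an empty PIN is rejected before the token is consulted. */
int login_hardened(struct token *t, const char *pin, size_t len)
{
    if (pin == NULL || len == 0)
        return LOGIN_EMPTY_PIN;
    return token_verify(t, pin, len);
}

/* Explicit logout, so no logged-in token is left unattended. */
void session_close(struct token *t) { t->logged_in = 0; }

/* Process A logs in with the PIN; process B then presents an empty PIN. */
int second_process_result(int hardened, int logout_first)
{
    struct token t = { "123456", 0 };
    login_hardened(&t, "123456", 6);
    if (logout_first) session_close(&t);
    return hardened ? login_hardened(&t, "", 0) : login_with_bypass(&t, "", 0);
}
```

`second_process_result(0, 0)` is the only combination in which the second caller is accepted; either rejecting the empty PIN or logging out first closes it.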

@Jakuje Jakuje changed the title New release?🤔 New release 0.24.0 Aug 11, 2023
@frankmorgner
Member

I agree to skip both of these issues.

As far as I can see, all of the issues from coverity and oss-fuzz can only be triggered by a specially crafted rogue smart card. Since this limits the attack vector for exploiting these problems, I think it is useful to mention this in the security advisory. (We could use some phrasing from one of our previous advisories on this kind of problem.)

@Jakuje
Member

Jakuje commented Aug 14, 2023

Updated the previous comment:

> All of these require physical access to the computer running opensc and a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs, so they are considered high-complexity and low-severity.

@frankmorgner
Member

Yes, very good, thank you!

@manu0401

As requested in #2832, here is the p11 test output for Athena ASE III, which uses the asepcos driver:

athena_ase_III.json.txt

@dlegaultbbry
Contributor

Feel free to add the latest round of pkcs11-tool fixes that cropped up recently if judged noteworthy enough.

@Jakuje
Member

Jakuje commented Sep 25, 2023

The rc1 is out: https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1

Testing of the installers and different cards is welcome. Please share the results as a PR to the following wiki page:

https://github.com/OpenSC/Wiki/blob/master/Smart-Card-Release-Testing.md

@kloczek
Author

kloczek commented Sep 25, 2023

Please next time tag such releases not as 0.24.0-rc1 but as 0.24.rc1.
When the final 0.24.0 is released, it will be upgradeable and the version string will be ascending (0.24.rc1 is lower than 0.24.0).
More info about the reasons for using that convention can be found at https://discourse.gnome.org/t/new-gnome-versioning-scheme/4235

@frankmorgner
Member

> Please next time tag such releases not as 0.24.0-rc1 but as 0.24.rc1.

Our naming scheme has been used for the past decades and we will not change this soon.

@kloczek
Author

kloczek commented Sep 25, 2023

> Our naming scheme has been used for the past decades and we will not change this soon.

Yes, and that naming scheme has some issues for packagers, which many maintainers simply ignore.
Simply put, much package management software does not accept - in a version string, and 0.24.0-rc1 is not lower (as a version string) than 0.24.0.
Doing something incorrectly for a very long time simply happens ..

PS. Latin "errare humanum est perseverare autem diabolicum".

@AlbertoAIG

I have tried this version with macOS Sonoma and it doesn't work either after doing a clean installation, while in another version of macOS or on Windows it works perfectly. Will it be fixed in the future?
Thanks

@frankmorgner
Member

Preferably, we should support Sonoma with this release as well. It seems that 0.23.0 has problems with Sonoma, too (#2887). My MacBook Air is too old, so I cannot reproduce this problem.

Maybe @metsma has more experience with Sonoma...

@below

below commented Nov 14, 2023

Maybe this helps, please let me know if this information is more helpful elsewhere

Like many people (apparently), I had big problems with OpenSC after upgrading to macOS Sonoma. I have noticed that the issues depend very much on hardware, so I tested a few readers. I don't know enough about all of this, I am a developer, but have no clue about this particular domain. I am using the SmartCard through Chrome to access Citrix and some VPN tunnel. Let me know how I can give you more info:

✓ Identiv SCR3500 C Contact Reader: Working apparently without issues Product 0x581d, Vendor ID 0x04e6
(✓) ACR39U ICC Reader, Working partially (seemingly only once per connection), Product 0xb100, Vendor 0x072f
⤫ EMV SmartCard Reader Not working Product 0x9540 Vendor 0x058f
⤫ SCR3310 SmartCard Reader Not Working Product 0x5116 Vendor 0x04e6

@Jakuje
Member

Jakuje commented Nov 14, 2023

@below most people reported that the Sonoma issues got better after updating the CCID driver. See issue #2887. OpenSC does not implement any reader drivers and uses PCSC to talk to the hardware, so there is not much we can do from the OpenSC side.

@Jakuje
Member

Jakuje commented Dec 13, 2023

Release is out:
https://github.com/OpenSC/OpenSC/releases/tag/0.24.0
Closing this issue.

@Jakuje Jakuje closed this as completed Dec 13, 2023
OpenSC 0.24.0 automation moved this from In progress to Done Dec 13, 2023