New release 0.24.0 #2792
Comments
|
I was hoping to have one later this summer. I think we cannot make it more frequently than once a year. I created https://github.com/OpenSC/OpenSC/projects/12 last week that can collect what we would like to include or not. Can you point out the critical fixes? |
|
Thank you 👍 |
|
This is a draft of release notes for 0.24.0, summarising new changes from the last release. Please, feel free to fix or propose other changes which should be included.
General improvements
PKCS#11
PKCS#15
Minidriver
pkcs11-tool
westcos-tool
pkcs11-register
IDPrime
EPass2003
OpenPGP
eOI
Italian CNS
PIV
SkeID
isoApplet
MyEID
SC-HSM
|
|
LGTM 👍 |
|
I've updated https://github.com/OpenSC/OpenSC/projects/12 with the missing pieces. We still have some things to do regarding the fixed security issues. @Jakuje, would it be possible for you to review and request possible CVEs with Red Hat's support (see the project's cards that are still To Do)? If needed, you may re-use some of the descriptive CVE text blocks for a possible security advisory in the wiki. Unfortunately, we didn't make any progress regarding signed OpenSC release packages. I don't think we will be able to finish #2799 for this release. macOS binaries are signed by Tim Wilbrink, but we didn't set up notarization. Signed source code packages make sense with its git integration, which is still planned to be reviewed by @Jakuje. Thanks, @xhanulik, for providing a draft for the release notes. Please remember to synchronize this once the project cards which are currently in progress are done. |
|
Sorry for the delay. I can certainly put together some advisory drafts and ask for CVE numbers in the coming week, after I go through the oss-fuzz issues and the auth bypass. Regarding #1129, my take would be just to provide a signature on the final tarball using one of our PGP keys. But given the mess PGP is in, I am not using it on a daily/weekly basis; I have set it up several times already (on a YubiKey) and I am not sure if it works right now or if it has expired. Last time I signed libcacard. Would have to check. |
This comment was marked as off-topic.
|
I am attaching security advisory drafts. I would go ahead with two separate ones: one for the PIN bypass and the other for the oss-fuzz and Coverity reported issues. Feel free to propose changes. I just went ahead to test that a zero-length PIN is indeed not able to exploit the screen unlock on Linux (with a fresh install + new YubiKey 5) and I was not able to get in.

CVE-2023-40660: Potential PIN bypass (#2806, frankmorgner/OpenSCToken#50, #2807)

When the token/card was plugged into the computer and authenticated from one process, it could be used to provide cryptographic operations from a different process when an empty, zero-length PIN is used and the token can track the login status using some of its internals. This is dangerous for OS logon/screen unlock and small tokens that are plugged permanently into the computer. The bypass was removed and OpenSC implemented explicit logout for most of the card drivers to prevent leaving unattended logged-in tokens. The PoC is available for the macOS screen unlock bypass with a YubiKey. The issue can be reproduced also with a PKCS#11 module and Minidriver if the calling application does not bail out on an empty PIN (neither Firefox nor SSSD allows an empty PIN under Linux, even before reaching PKCS#11).

Affected versions: OpenSC 0.17.0 - 0.23.0
Originally reported by Deepanjan Pal (Oracle Corporation)
CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (7.3)

CVE-2023-40661: Static and dynamic analyzers reports

This advisory summarizes automatically reported, security-relevant issues that were reported since the release of OpenSC 0.23.0. All of these require physical access to the computer running OpenSC and a crafted USB device or smart card that presents the system with specially crafted responses to the APDUs, so they are considered high-complexity and low-severity.

Security-related oss-fuzz issues

CVE-2023-4535: Out-of-bounds read in MyEID driver handling encryption using symmetric keys

This issue requires physical access to the computer running OpenSC and a crafted USB device or smart card that presents the system with specially crafted responses to the APDUs, so it is considered high-complexity and low-severity. This issue is in the code handling symmetric keys, which are not widely used (for example for desktop login), so most deployments are not affected.

Affected versions: OpenSC 0.17.0 - 0.23.0
CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (3.1) |
I agree to skip both of these issues. As far as I can see, all of the issues from coverity and oss-fuzz can only be triggered by a specially crafted rogue smart card. Since this limits the attack vector for exploiting these problems, I think it is useful to mention this in the security advisory. (We could use some phrasing of one of our previous advisories on this kind of problems.) |
|
Updated the previous comment:
|
|
Yes, very good, thank you! |
|
As requested in #2832, here is the p11 test output for Athena ASE III, which uses the asepcos driver: |
|
Feel free to add the latest round of pkcs11-tool fixes that cropped up recently if judged noteworthy enough. |
|
The rc1 is out: https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1 Testing of the installers and different cards is welcome. Please share the results as a PR to the following wiki page: https://github.com/OpenSC/Wiki/blob/master/Smart-Card-Release-Testing.md |
|
Please next time tag such releases not as |
Our naming scheme has been used for the past decades and we will not change this soon. |
Yes, and that naming scheme has some issues for packagers, which many maintainers simply ignore. PS. Latin "errare humanum est perseverare autem diabolicum". |
|
I have tried this version with macOS Sonoma and it doesn't work either after doing a clean installation, while in another version of macOS or on windows it works perfectly. Will it be fixed in the future? |
|
Maybe this helps; please let me know if this information is more helpful elsewhere.

Like many people (apparently), I had big problems with OpenSC after upgrading to macOS Sonoma. I have noticed that the issues depend very much on hardware, so I tested a few readers. I don't know enough about all of this; I am a developer, but have no clue about this particular domain. I am using the smart card through Chrome to access Citrix and some VPN tunnel. Let me know how I can give you more info:

✓ Identiv SCR3500 C Contact Reader: working apparently without issues (Product 0x581d, Vendor ID 0x04e6) |
|
Release is out: |
0.23.0...master shows +250 commits since last release. Amongst those commits are some critical fixes.
Do you have any plans to release a new version soon? 🤔