CVE-2021-34193 reference #2841
Comments
Is this problem known upstream? And if yes, do we have a commit reference?
Yes, all of these were fixed in the 0.22.0 release. Not sure how it surfaced just right now. I am not sure if we requested this CVE or somebody else did (probably as the information about fixed version is wrong in the CVE page). I could not find any reference to this CVE ID though before this week. @frankmorgner do you know? I think https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28768 is fixed with the following commit: d353a46
In June 2022 I requested CVEs via mitre.org, which were not processed until a couple of days ago. After many unsuccessful attempts at contacting them, we had decided to request CVEs via Red Hat for the same vulnerabilities, which resulted in the following:
The referenced commits you found are accurate for fixing the problems. I just realized that we forgot to mention the Red Hat CVEs in the 0.22.0 release announcement as well as adding them to the NEWS and Security advisories in the wiki 😶🌫️ I'm unsure how to proceed with the now "duplicated" CVE.
With Mitre having response times of 2 years, I will contact Red Hat Product security to try to handle this somehow. Given that we have these covered, I think there needs to be a way to close it as a duplicate. And they will have much more experience with this than we do. If you can update the release notes with the original CVE numbers, it would be great!
Is the understanding correct that
Yes, indeed. I contacted Mitre for updating the description of CVE-2021-34193.
* Added missing CVEs to NEWS fixes #2841
* added CVE-2021-34193 as duplicate
The public information is updated. Mitre has been contacted in a separate CVE issue (still open/in progress). Red Hat has already added a note about the duplicate.
MITRE published CVE-2021-34193
NVD Published Date: 08/22/2023
Description
Stack overflow vulnerability in OpenSC smart card middleware before 0.23 via crafted responses to APDUs.
Links
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27719
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28185
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28383
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28768
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28843
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28855
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30112
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30800
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31448
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31540
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32149
References
https://nvd.nist.gov/vuln/detail/CVE-2021-34193