Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2024-45616

3.9 LOW

CVSS version: 3.1
Attack vector (AV): PHYSICAL
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): LOW

created 1 year, 3 months ago

Libopensc: uninitialized values after incorrect check or usage of apdu response values in libopensc

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. The following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card.

References

https://access.redhat.com/security/cve/CVE-2024-45616 vdb-entryx_refsource_REDHAT
RHBZ#2309290 x_refsource_REDHATissue-tracking
https://access.redhat.com/security/cve/CVE-2024-45616 vdb-entryx_refsource_REDHAT
RHBZ#2309290 x_refsource_REDHATissue-tracking
https://access.redhat.com/security/cve/CVE-2024-45616 vdb-entryx_refsource_REDHAT
RHBZ#2309290 x_refsource_REDHATissue-tracking
https://access.redhat.com/security/cve/CVE-2024-45616 vdb-entryx_refsource_REDHAT
RHBZ#2309290 x_refsource_REDHATissue-tracking
https://access.redhat.com/security/cve/CVE-2024-45616 vdb-entryx_refsource_REDHAT
RHBZ#2309290 x_refsource_REDHATissue-tracking
https://access.redhat.com/security/cve/CVE-2024-45616 vdb-entryx_refsource_REDHAT
RHBZ#2309290 x_refsource_REDHATissue-tracking
https://access.redhat.com/security/cve/CVE-2024-45616 vdb-entryx_refsource_REDHAT
RHBZ#2309290 x_refsource_REDHATissue-tracking
https://access.redhat.com/security/cve/CVE-2024-45616 vdb-entryx_refsource_REDHAT
RHBZ#2309290 x_refsource_REDHATissue-tracking
https://lists.debian.org/debian-lts-announce/2024/12/msg00026.html
https://access.redhat.com/security/cve/CVE-2024-45616 vdb-entryx_refsource_REDHAT
RHBZ#2309290 x_refsource_REDHATissue-tracking
https://lists.debian.org/debian-lts-announce/2024/12/msg00026.html

Affected products

opensc

libopensc

<0.26.0

Matching in nixpkgs

pkgs.opensc

Set of libraries and utilities to access smart cards

nixos-unstable 0.26.0
- nixpkgs-unstable 0.26.0
- nixos-unstable-small 0.26.0

pkgs.openscad

3D parametric model compiler

nixos-unstable 2021.01
- nixpkgs-unstable 2021.01
- nixos-unstable-small 2021.01

pkgs.openscap

NIST Certified SCAP 1.2 toolkit

nixos-unstable 1.3.10
- nixpkgs-unstable 1.3.10
- nixos-unstable-small 1.3.10

pkgs.openscad-lsp

LSP (Language Server Protocol) server for OpenSCAD

nixos-unstable 1.2.5
- nixpkgs-unstable 1.2.5
- nixos-unstable-small 1.2.5

pkgs.openscenegraph

3D graphics toolkit

nixos-unstable 3.6.5
- nixpkgs-unstable 3.6.5
- nixos-unstable-small 3.6.5

pkgs.openscad-unstable

3D parametric model compiler (unstable)

nixos-unstable 2024-12-06
- nixpkgs-unstable 2024-12-06
- nixos-unstable-small 2024-12-06

pkgs.vimPlugins.vim-openscad

None

nixos-unstable 2022-07-26
- nixpkgs-unstable 2022-07-26
- nixos-unstable-small 2022-07-26

pkgs.vimPlugins.openscad-nvim

None

nixos-unstable 2024-04-13
- nixpkgs-unstable 2024-04-13
- nixos-unstable-small 2024-04-13

pkgs.kakounePlugins.openscad-kak

None

nixos-unstable 2020-12-10
- nixpkgs-unstable 2020-12-10
- nixos-unstable-small 2020-12-10

pkgs.vscode-extensions.antyos.openscad

OpenSCAD highlighting, snippets, and more for VSCode

nixos-unstable 1.3.1
- nixpkgs-unstable 1.3.1
- nixos-unstable-small 1.3.1

Package maintainers

@michaeladler Michael Adler <therisen06@gmail.com>
@gebner Gabriel Ebner <gebner@gebner.org>
@bjornfor Bjørn Forsman <bjorn.forsman@gmail.com>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@c-h-johnson Charles Johnson <charles@charlesjohnson.name>
@pca006132 pca006132 <john.lck40@gmail.com>
@Tochiaha Tochukwu Ahanonu <tochiahan@proton.me>
@aanderse Aaron Andersen <aaron@fosslib.net>