- Update to version 0.26.0
Security
* CVE-2024-45615: Usage of uninitialized values in libopensc
and pkcs15init (#3225).
* CVE-2024-45616: Uninitialized values after incorrect check or
usage of APDU response values in libopensc (#3225)
* CVE-2024-45617: Uninitialized values after incorrect or missing
checking return values of functions in libopensc (#3225)
* CVE-2024-45618: Uninitialized values after incorrect or missing
checking return values of functions in pkcs15init (#3225)
* CVE-2024-45619: Incorrect handling of the length of buffers or files
in libopensc (#3225)
* CVE-2024-45620: Incorrect handling of the length of buffers or
files in pkcs15init (#3225)
* CVE-2024-8443: Heap buffer overflow in OpenPGP driver when
generating key (#3219)
General improvements
* Fix reselection of DF after error in PKCS#15 layer (#3067)
* Unify OpenSSL logging throughout code (#2922)
* Extend the p11test to support kryoptic (#3141)
* Fix for error in PCSC reconnection (#3150)
* Fixed various issues reported by OSS-Fuzz and Coverity in
drivers, PKCS#11 and PKCS#15 layer
PKCS#15
* Documentation for PKCS#15 profile files (#3132)
minidriver
* Support PinCacheAlwaysPrompt usable for PIV cards (#3167)
pkcs11-tool
* Show URI when listing token information (#3125) and objects
* Do not limit size of objects to 5000 bytes (#3174)
OBS-URL: https://build.opensuse.org/request/show/1224304
OBS-URL: https://build.opensuse.org/package/show/security:chipcard/opensc?expand=0&rev=90
- Update to version 0.25.0
Security
* CVE-2023-5992: Fix Side-channel leaks while stripping
encryption PKCS#1.5 padding in OpenSC.
* CVE-2024-1454: Fix Potential use-after-free in AuthentIC driver
during card enrollment in pkcs15init.
General improvements
* Remove support for old card drivers Akis, GPK, Incrypto34 and
Westcos, disable Cyberflex driver.
* Fix 64b to 32b conversions.
* Improvements for the p11test.
* Fix reader initialization without SCardControl.
* Make RSA PKCS#1 v1.5 depadding constant-time.
* Add option for disabling PKCS#1 v1.5 depadding (type 01 and 02)
on the card.
* Fixed various issues reported by OSS-Fuzz and Coverity in
drivers, PKCS#11 and PKCS#15 layer.
- Add patch:
* opensc-docbook-xsl-fix.patch
- Drop no longer needed patches:
* CVE-2024-1454.patch
- Introduce subpackage for bash-completion
OBS-URL: https://build.opensuse.org/request/show/1156722
OBS-URL: https://build.opensuse.org/package/show/security:chipcard/opensc?expand=0&rev=82
- Update to OpenSC 0.24.0:
* Security
- CVE-2023-40660: Fix Potential PIN bypass
(#2806, frankmorgner/OpenSCToken#50, #2807)
- CVE-2023-40661: Important dynamic analyzers reports
- CVE-2023-4535: Out-of-bounds read in MyEID driver handling encryption
using symmetric keys (f1993dc)
* General improvements
- Fix compatibility of EAC with OpenSSL 3.0 (#2674)
- Enable use_file_cache by default (#2501)
- Use custom libctx with OpenSSL >= 3.0 (#2712, #2715)
- Fix record-based files (#2604)
- Fix several race conditions (#2735)
- Run tests under Valgrind (#2756)
- Test signing of data bigger than 512 bytes (#2789)
- Update to OpenPACE 1.1.3 (#2796)
- Implement logout for some of the card drivers (#2807)
- Fix wrong popup position of opensc-notify (#2901)
- Fixed various issues reported by OSS-Fuzz and Coverity regarding card
drivers, PKCS#11 and PKCS#15 init
* PKCS#11
- Check card presence state in C_GetSessionInfo (#2740)
- Remove onepin-opensc-pkcs11 module (#2681)
- Do not use colons in the token info label (#2760)
- Present profile objects in all slots with the CKA_TOKEN attribute to
resolve issues with NSS (#2928, #2924)
- Use secure memory for PUK (#2906)
- Don't logout to preserve concurrent access from different processes
(#2907)
- Add more examples to manual page (#2936)
OBS-URL: https://build.opensuse.org/request/show/1132875
OBS-URL: https://build.opensuse.org/package/show/security:chipcard/opensc?expand=0&rev=77
- Update to OpenSC 0.22.0:
* Removed changes in opensc-gcc11.patch already present in upstream.
- See e549e9c62e
* Removed some false positives from the openrc-rpmlintrc file.
* Use standard paths for file cache on Linux (#2148) and OSX (#2214)
* Various issues of memory/buffer handling in legacy drivers mostly reported by oss-fuzz and coverity (tcos, oberthur, isoapplet, iasecc, westcos, gpk, flex, dnie, mcrd, authentic, belpic)
* Add threading test to `pkcs11-tool` (#2067)
* Add support to generate generic secret keys (#2140)
* `opensc-explorer`: Print information about LCS (Life cycle status byte) (#2195)
* Add support for Apple's arm64 (M1) binaries, removed TokenD. A separate installer with TokenD (and without arm64 binaries) will be available (#2179).
* Support for gcc11 and its new strict aliasing rules (#2241, #2260)
* Initial support for building with OpenSSL 3.0 (#2343)
* pkcs15-tool: Write data objects in binary mode (#2324)
* Avoid limited size of log messages (#2352)
* Support for ECDSA verification (#2211)
* Support for ECDSA with different SHA hashes (#2190)
* Prevent issues in p11-kit by not returning unexpected return codes (#2207)
* Add support for PKCS#11 3.0: The new interfaces, profile objects and functions (#2096, #2293)
* Standardize the version 2 on 2.20 in the code (#2096)
* Fix CKA_MODIFIABLE and CKA_EXTRACTABLE (#2176)
* Copy arguments of C_Initialize (#2350)
* Fix RSA-PSS signing (#2234)
* Fix DO deletion (#2215)
* Add support for (X)EdDSA keys (#1960)
* Add support for applet version 3 and fix RSA-PSS mechanisms (#2205)
* Add support for applet version 4 (#2332)
* New configuration option for opensc.conf to disable pkcs1_padding (#2193)
* Add support for ECDSA with different hashes (#2190)
* Enable more mechanisms (#2178)
* Fixed asking for a user pin when formatting a card (#1737)
* Added support for French CPx Healthcare cards (#2217)
* Added ATR for new CardOS 5.4 version (#2296)
OBS-URL: https://build.opensuse.org/request/show/923351
OBS-URL: https://build.opensuse.org/package/show/security:chipcard/opensc?expand=0&rev=67