Amazon Linux 2023 Security Advisory: ALAS-2023-207
Advisory Release Date: 2023-06-07 23:52 Pacific
Advisory Updated Date: 2023-06-12 23:41 Pacific
Severity:
Medium
Issue Overview:
A vulnerbility was found in OpenSC. This security flaw cause a buffer overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The attacker can supply a smart card package with malformed ASN1 context. The cardos_have_verifyrc_package function scans the ASN1 buffer for 2 tags, where remaining length is wrongly caculated due to moved starting pointer. This leads to possible heap-based buffer oob read. In cases where ASAN is enabled while compiling this causes a crash. Further info leak or more damage is possible. (CVE-2023-2977)
Affected Packages:
opensc
Issue Correction:
Run dnf update opensc --releasever 2023.0.20230614 to update your system.
New Packages:
aarch64:
opensc-debuginfo-0.23.0-3.amzn2023.0.1.aarch64
opensc-debugsource-0.23.0-3.amzn2023.0.1.aarch64
opensc-0.23.0-3.amzn2023.0.1.aarch64
src:
opensc-0.23.0-3.amzn2023.0.1.src
x86_64:
opensc-debuginfo-0.23.0-3.amzn2023.0.1.x86_64
opensc-0.23.0-3.amzn2023.0.1.x86_64
opensc-debugsource-0.23.0-3.amzn2023.0.1.x86_64