On 22/12/2010 19:00, Ludovic Rousseau wrote:
On 22/12/2010 00:10, Michael Gilbert wrote:
package: pcsc-lite
version: 1.4.102-1+lenny3
severity: serious
tags: security

an advisory has been issued for pcsc-lite:
http://labs.mwrinfosecurity.com/files/Advisories/mwri_pcsc-atr-handler-buffer-overflow_2010-12-13.pdf


i have checked that the vulnerable code is present in both lenny and
sid.

The problem has been fixed upstream in version pcsc-lite 1.6.5.
pcsc-lite 1.6.6 is available in experimental and will be uploaded to sid
after squeeze is out.

The attacker needs to have physical access to the computer and a
specially crafted smart card. I don't plan to fix the problem in squeeze
(so lowering the severity).

Michael, go for the RC severity and NMU. I can't do the upload now myself.

The upstream corrective patch is in SVN revision 5370.

http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2010-November/004923.html

Thanks

--
 Dr. Ludovic Rousseau


