Skip to content

CVE-2025-13763.md

Latest commit

 

History

History
93 lines (85 loc) · 6.38 KB

CVE-2025-13763.md

File metadata and controls

93 lines (85 loc) · 6.38 KB

CVE-2025-13763: Various uninitialized memory usage during card detection in libopensc

The reported issues are part of the libopensc library, which makes them accessible from OpenSC tools, PKCS#11 module, minidriver, or CTK. The attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs, so they are considered high complexity and low severity.

The uninitialized variables were reflected in these functions:

  • authentic_parse_credential_data
    • The function authentic_get_tagged_data() could return 0 length data, but it is never checked before dereferencing the data pointer.
    • fixed with dc4a1f2617867eb3b2c170ec51dd2bbae0212480
  • cac_is_cert
    • The object comparison could use some of the unitialized object members.
    • fixed with 61985ce021b386b11a29eb4d27c6a7ae00e8e2a6
  • cac_read_binary
    • the function is merging the TagLength file with the Value files. Inconsistencies are ignored, but the resulting object has full length even if some part is uninitialized, which can be used later on by the driver.
    • fixed with 35b2f54212db0d6adcc337e456ddc728eeabd044
  • cac_get_properties
    • the function might not be setting all the members of the properties structure the caller expects. Initializing it before invocation avoids this problem.
    • fixed with 5b0cda30e8226c41c69735f95234d98eda1be550
  • esteid_select_file
    • the select file assumes the APDU returns the whole requested length, which might not be the case. When card returns less data, the uninitialized data is attempted to get parsed as FCI structure.
    • fixed with bd8687b40f6948278ec115aa7a19ee7274760ce0
  • gemsafe_process_fci
    • The sc_asn1_find_tag() could return 0-lenght value, which is processed without checking for the length.
    • fixed with 267111f2e3b766e5ad985105cd1a3416d569ff89
  • iasecc_emulate_fcp
    • emulating the FCP object could result in too long resplen in the emulated APDU returned to a caller, which might read uninitialized data from there.
    • fixed with ab568f0a420931d5372bc8657f4024ca6d0e3285
  • iasecc_se_parse
    • the function could use uninitialized memory behind the buffer bounds without proper check.
    • fixed with 7aafe6f8c4a962d8ee9208a62272b6b38d6db9f6, a89dff3271da2eccd834553a4c0dfb7c543657c5
  • get_cert_len
    • incorrect return value check could cause use of uninitialized data
    • fixed with 7e3dcae1d14e898dfed00ce8aa1d1bfeaee7c936
  • coolkey_get_attribute_bytes_alloc
    • Unchecked size of return buffer could cause zero-length allocations and following code dereferencing this variable.
    • fixed with 40fbddc46e026618b6a3d0a03e62adc1fb5ca956
  • sc_pkcs15emu_openpgp_init
    • uninitilized variable could cause comparison against this value, with unexpected consequences.
    • fixed with 29122ae779fa8ecb201b0c0b3bdad058b9540262
  • sc_pkcs15_pubkey_from_spki_fields
    • the callback function could be called with 0-length buffer, resulting in 0-lenght allocations and dereferencing of this value.
    • fixed with 7000dee0eb7d35246b5e180b39bb4e03b11f1c47
  • get_cert_len
    • the function accesses the uninitialized memory when the card returns too short response.
    • fixed with 7e3dcae1d14e898dfed00ce8aa1d1bfeaee7c936
  • insert_cert
    • Parsing of the returned buffer could use uninitialized memory when the card responses with too short data.
    • fixed with 263d29e2f8baf33f329849c82ba9c08ec45f1ad7

There are few more cases, that are accessible only during the card enrollment/initialization and therefore they are not exploitable on generic end-user system:

  • entersafe_init_card
    • Uninitialized members could be used in the APDU, resulting in unexpected behavior.
    • fixed with f29e937aa77ad000cd65cc1806972203bd3b0f43
  • cosm_generate_key
    • Uninitialized member pubkey->u.rsa.modulus.len is used later in the code execution.
    • fixed with a998551ca19f2bd0e664c59d415675c062e3920b
  • build_argv
    • Ignoring return value of `get_inner_word()a could cause use of uninitilizad variables later.
    • fixed with c1d3ebb130f909eff2aef1924f28f3d4c04786a6

Affected versions: all before 0.27.0

Originally reported by Matteo Marini (Sapienza University of Rome). Some of the issues were also reported independently by Aldo Ristori via OSS-Fuzz. Patches provided by Jakub Jelen.

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L (3.9)