OpenSC Out-of-Bounds Heap Read Vulnerability in X.509/SPKI Handling

Vulnerability

A vulnerability in OpenSC versions prior to 0.27.0 allows for an out-of-bounds heap read when processing malformed X.509 certificates or SPKI data. This issue arises in the PKCS#15 public key handling function, which incorrectly allocates a zero-length buffer and then reads beyond its end. The vulnerability can lead to undefined behavior, such as application crashes or misparsing of certificate data. It is considered a low-severity issue, but could expose sensitive information in some cases.
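The bug class described above (a zero length taken from untrusted data reaches the allocator, and the result is then read) can be closed with a length check before the allocation and again before the read. The following is an added illustration, not OpenSC's code and not the 0.27.0 patch; the type and function names (key_blob, key_blob_from_bits, key_blob_first_byte) are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical holder for a decoded public key (not an OpenSC type). */
struct key_blob {
    uint8_t *data;   /* heap copy of the key bytes */
    size_t   len;    /* number of valid bytes in data */
};

/*
 * Copy the key bytes of a field whose length is given in bits, as it
 * would arrive from untrusted card or certificate data.
 *
 * Bug class being guarded against: a zero length decoded from the input
 * reaches malloc(0), which may return a non-NULL zero-length block; a
 * later read of data[0] is then an out-of-bounds heap read.
 *
 * Returns 0 on success, -1 on malformed input or allocation failure.
 */
int key_blob_from_bits(struct key_blob *out, const uint8_t *src,
                       size_t src_len, size_t bits)
{
    size_t bytes;

    if (out == NULL)
        return -1;
    out->data = NULL;
    out->len = 0;

    bytes = bits / 8 + (bits % 8 != 0);   /* round up to whole bytes */
    if (src == NULL || bytes == 0 || bytes > src_len)
        return -1;                        /* empty or truncated field */

    out->data = malloc(bytes);
    if (out->data == NULL)
        return -1;
    memcpy(out->data, src, bytes);
    out->len = bytes;
    return 0;
}

/* Read the leading byte only when the blob really holds one. */
int key_blob_first_byte(const struct key_blob *kb)
{
    if (kb == NULL || kb->data == NULL || kb->len == 0)
        return -1;
    return kb->data[0];
}
```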

Impact

Exploitation of this vulnerability causes an out-of-bounds heap read, which can lead to undefined behavior, such as application crashes or incorrect parsing of data. In some cases, this type of vulnerability could be exploited to read sensitive information.

Reproduction

The vulnerability can be reproduced using the 'fuzz_pkcs15_reader' or 'fuzz_pkcs15_crypt' harnesses, both of which trigger the out-of-bounds read in the 'sc_pkcs15_pubkey_from_spki_fields()' function. This can be done by crafting a specific input that simulates a malicious smart card response, which is then processed by OpenSC's PKCS#15 reader. The issue is observable in a non-sanitized build of OpenSC when Valgrind is used to track memory errors.

Remediation

Users can upgrade to OpenSC version 0.27.0 or later, where this vulnerability has been patched.

Added: Mar 30, 2026, 6:44 PM
Updated: Mar 30, 2026, 6:44 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 0.6
exploitability: 6.0
remediation: 7.7
relevance: 4.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.