Product: OpenSC
CPE: cpe:2.3:a:opensc_project:opensc:*:*:*:*:*:*:*
Affected versions: < 0.27.0
A buffer overrun vulnerability has been identified in OpenSC versions prior to 0.27.0. The flaw, which affects both the stack and the heap, lies in the do_key_value() function in src/pkcs15init/profile.c. Attackers can trigger it by supplying a specially crafted profile configuration file. When a key value entry that starts with '=' is longer than the key buffer, the value is copied into the buffer with memcpy without any length validation, so the excess data overflows into adjacent memory and corrupts it.
Exploitation of this vulnerability causes stack and heap buffer overrun, allowing for memory corruption.
To reproduce this vulnerability, create a profile file that includes a key value entry starting with '=' and followed by more than the maximum buffer size of keybuf characters. When this profile is parsed during the pkcs15-init invocation, the absence of length checks in the do_key_value() function will result in both stack and heap buffer overruns.
Users can upgrade to OpenSC version 0.27.0 or later to address this vulnerability.
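The defect class described above is an unchecked memcpy of a parsed value into a fixed-size key buffer. The following C snippet is an added illustration written for this page; it is not OpenSC's do_key_value() and does not reproduce its code. It implements a hypothetical "key = value" line parser whose KEYBUF_SIZE, parse_key_value() and the two check_* helpers are all assumptions, and shows the length check that must precede the copy: a value that does not fit (including the terminating NUL) is rejected instead of being written past the end of keybuf.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size key buffer, as in a profile parser. */
#define KEYBUF_SIZE 64

/*
 * Parse one "key = value" (or "=value") profile line and copy the value
 * into keybuf. Returns 0 on success and -1 if there is no '=' or the value
 * would not fit. The length check before memcpy is the point of the example:
 * an unchecked memcpy(keybuf, val, len) is exactly the overrun pattern the
 * advisory describes.
 */
int parse_key_value(const char *line, char *keybuf, size_t keybuf_size)
{
    const char *eq = strchr(line, '=');
    if (eq == NULL)
        return -1;

    const char *val = eq + 1;
    while (*val == ' ' || *val == '\t')       /* skip leading whitespace */
        val++;

    size_t len = strlen(val);
    while (len > 0 && (val[len - 1] == '\n' || val[len - 1] == '\r' ||
                       val[len - 1] == ' '  || val[len - 1] == '\t'))
        len--;                                 /* strip trailing whitespace */

    /* Bounds check: leave room for the NUL terminator. */
    if (len >= keybuf_size)
        return -1;

    memcpy(keybuf, val, len);
    keybuf[len] = '\0';
    return 0;
}

/* Constructed input: a short value that fits; expect success. */
int check_fits(void)
{
    char keybuf[KEYBUF_SIZE];
    return parse_key_value("key = abc\n", keybuf, sizeof keybuf) == 0 &&
           strcmp(keybuf, "abc") == 0;
}

/* Constructed input: "=" followed by more than KEYBUF_SIZE bytes of 'A';
 * expect rejection with keybuf left untouched. */
int check_overlong_rejected(void)
{
    char line[KEYBUF_SIZE + 16];
    line[0] = '=';
    memset(line + 1, 'A', sizeof line - 2);
    line[sizeof line - 1] = '\0';

    char keybuf[KEYBUF_SIZE];
    memset(keybuf, 0, sizeof keybuf);
    return parse_key_value(line, keybuf, sizeof keybuf) == -1 &&
           keybuf[0] == '\0';
}

/* Constructed input: a value of exactly KEYBUF_SIZE - 1 bytes, the largest
 * that fits with its terminator; expect success. */
int check_boundary_fits(void)
{
    char line[KEYBUF_SIZE + 1];
    line[0] = '=';
    memset(line + 1, 'B', KEYBUF_SIZE - 1);
    line[KEYBUF_SIZE] = '\0';

    char keybuf[KEYBUF_SIZE];
    return parse_key_value(line, keybuf, sizeof keybuf) == 0 &&
           strlen(keybuf) == KEYBUF_SIZE - 1;
}

int main(void)
{
    printf("short value accepted:      %d\n", check_fits());
    printf("overlong value rejected:   %d\n", check_overlong_rejected());
    printf("boundary value accepted:   %d\n", check_boundary_fits());
    return 0;
}
```

Rejecting the line (or truncating it with an explicit error) is the right behaviour for a parser of untrusted configuration; the same check also belongs in front of any strcpy or sprintf that targets the key buffer, since those carry the identical risk.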