CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
46.1%
An out-of-bounds read issue was discovered in the Yubico-Piv 1.5.0
smartcard driver. The file lib/ykpiv.c contains the following code in the
function _ykpiv_fetch_object()
: {% highlight c %} if(sw == SW_SUCCESS) {
size_t outlen; int offs = _ykpiv_get_length(data + 1, &outlen); if(offs ==
0) { return YKPIV_SIZE_ERROR; } memmove(data, data + 1 + offs, outlen);
*len = outlen; return YKPIV_OK; } else { return YKPIV_GENERIC_ERROR; } {%
endhighlight %} – in the end, a memmove()
occurs with a length retrieved
from APDU data. This length is not checked for whether it is outside of the
APDU data retrieved. Therefore the memmove()
could copy bytes behind the
allocated data buffer into this buffer.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | yubico-piv-tool | < 1.4.2-2ubuntu0.1 | UNKNOWN |
ubuntu | 16.04 | noarch | yubico-piv-tool | < 1.0.3-1ubuntu0.1~esm1 | UNKNOWN |
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
46.1%