Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: opensc

Found 5 matching suggestions

View:
Compact
Detailed
Untriaged
Permalink CVE-2025-13763
5.7 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Physical (P)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Physical (P)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
created 1 month ago Activity log
  • Created suggestion 1 month ago
Libopensc: opensc: multiple uses of uninitialized variable

Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs

Affected products

OpenSC
  • <0.27.0
opensc

Matching in nixpkgs

pkgs.opensc

Set of libraries and utilities to access smart cards

pkgs.openscreen

Free, open-source alternative to Screen Studio (sort of)

pkgs.openscad-lsp

LSP (Language Server Protocol) server for OpenSCAD

Published
Permalink CVE-2025-66215
3.8 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Physical (P)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Physical (P)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 1 month, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 1 month, 3 weeks ago
  • @mweinelt ignored
    11 packages
    • openscad
    • openscap
    • openscreen
    • openscad-lsp
    • openscenegraph
    • openscad-unstable
    • kakounePlugins.openscad-kak
    • vscode-extensions.antyos.openscad
    • tree-sitter-grammars.tree-sitter-openscad
    • python313Packages.tree-sitter-grammars.tree-sitter-openscad
    • python314Packages.tree-sitter-grammars.tree-sitter-openscad
    1 month, 3 weeks ago
  • @mweinelt accepted 1 month, 3 weeks ago
  • @mweinelt published on GitHub 1 month, 3 weeks ago
OpenSC: Stack-buffer-overflow WRITE in card-oberthur

OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, an attacker with physical access to the computer at the time user or administrator uses a token can cause a stack-buffer-overflow WRITE in card-oberthur. The attack requires crafted USB device or smart card that would present the system with specially crafted responses to the APDUs. This issue has been patched in version 0.27.0.

Affected products

OpenSC
  • ==< 0.27.0

Matching in nixpkgs

pkgs.opensc

Set of libraries and utilities to access smart cards

Ignored packages (11)

pkgs.openscreen

Free, open-source alternative to Screen Studio (sort of)

pkgs.openscad-lsp

LSP (Language Server Protocol) server for OpenSCAD

Package maintainers

https://github.com/OpenSC/OpenSC/security/advisories/GHSA-q5fc-cw56-hwp2
Published
Permalink CVE-2025-66037
3.9 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Physical (P)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Physical (P)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 1 month, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 1 month, 3 weeks ago
  • @mweinelt ignored
    11 packages
    • openscad
    • openscap
    • openscreen
    • openscad-lsp
    • openscenegraph
    • openscad-unstable
    • kakounePlugins.openscad-kak
    • vscode-extensions.antyos.openscad
    • tree-sitter-grammars.tree-sitter-openscad
    • python313Packages.tree-sitter-grammars.tree-sitter-openscad
    • python314Packages.tree-sitter-grammars.tree-sitter-openscad
    1 month, 3 weeks ago
  • @mweinelt accepted 1 month, 3 weeks ago
  • @mweinelt published on GitHub 1 month, 3 weeks ago
OpenSC: Out of Bounds vulnerability

OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, feeding a crafted input to the fuzz_pkcs15_reader harness causes OpenSC to perform an out-of-bounds heap read in the X.509/SPKI handling path. Specifically, sc_pkcs15_pubkey_from_spki_fields() allocates a zero-length buffer and then reads one byte past the end of that allocation. This issue has been patched in version 0.27.0.

Affected products

OpenSC
  • ==< 0.27.0

Matching in nixpkgs

pkgs.opensc

Set of libraries and utilities to access smart cards

Ignored packages (11)

pkgs.openscreen

Free, open-source alternative to Screen Studio (sort of)

pkgs.openscad-lsp

LSP (Language Server Protocol) server for OpenSCAD

Package maintainers

https://github.com/OpenSC/OpenSC/security/advisories/GHSA-m58q-rmjm-mmfx
Published
Permalink CVE-2025-49010
3.8 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Physical (P)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Physical (P)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 1 month, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 1 month, 3 weeks ago
  • @mweinelt ignored
    12 packages
    • python313Packages.tree-sitter-grammars.tree-sitter-openscad
    • python314Packages.tree-sitter-grammars.tree-sitter-openscad
    • openscad
    • openscap
    • openscreen
    • openscad-lsp
    • openscenegraph
    • openscad-unstable
    • opensc
    • tree-sitter-grammars.tree-sitter-openscad
    • vscode-extensions.antyos.openscad
    • kakounePlugins.openscad-kak
    1 month, 3 weeks ago
  • @mweinelt restored package opensc 1 month, 3 weeks ago
  • @mweinelt accepted 1 month, 3 weeks ago
  • @mweinelt published on GitHub 1 month, 3 weeks ago
OpenSC: Stack-buffer-overflow WRITE in GET RESPONSE

OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, an attacker with physical access to the computer at the time user or administrator uses a token can cause a stack-buffer-overflow write in GET RESPONSE. The attack requires crafted USB device or smart card that would present the system with specially crafted responses to the APDUs. This issue has been patched in version 0.27.0.

Affected products

OpenSC
  • ==< 0.27.0

Matching in nixpkgs

pkgs.opensc

Set of libraries and utilities to access smart cards

Ignored packages (11)

pkgs.openscreen

Free, open-source alternative to Screen Studio (sort of)

pkgs.openscad-lsp

LSP (Language Server Protocol) server for OpenSCAD

Package maintainers

https://github.com/OpenSC/OpenSC/security/advisories/GHSA-q5cf-5wmx-9wh4
Published
Permalink CVE-2025-66038
3.9 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Physical (P)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Physical (P)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 1 month, 3 weeks ago by @mweinelt Activity log
  • Created suggestion 1 month, 3 weeks ago
  • @mweinelt ignored
    11 packages
    • openscad
    • openscap
    • openscreen
    • openscad-lsp
    • openscenegraph
    • openscad-unstable
    • kakounePlugins.openscad-kak
    • vscode-extensions.antyos.openscad
    • tree-sitter-grammars.tree-sitter-openscad
    • python313Packages.tree-sitter-grammars.tree-sitter-openscad
    • python314Packages.tree-sitter-grammars.tree-sitter-openscad
    1 month, 3 weeks ago
  • @mweinelt accepted 1 month, 3 weeks ago
  • @mweinelt published on GitHub 1 month, 3 weeks ago
OpenSC: `sc_compacttlv_find_tag` can return out-of-bounds pointers

OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where the sc_compacttlv_find_tag is provided untrusted data (such as being read from cards/files), attackers may be able to influence it to return out-of-bounds pointers leading to downstream memory corruption when subsequent code tries to dereference the pointer. This issue has been patched in version 0.27.0.

Affected products

OpenSC
  • ==< 0.27.0

Matching in nixpkgs

pkgs.opensc

Set of libraries and utilities to access smart cards

Ignored packages (11)

pkgs.openscreen

Free, open-source alternative to Screen Studio (sort of)

pkgs.openscad-lsp

LSP (Language Server Protocol) server for OpenSCAD

Package maintainers

https://github.com/OpenSC/OpenSC/security/advisories/GHSA-72x5-fwjx-2459