CVE-2016-10109

NameCVE-2016-10109
DescriptionUse-after-free vulnerability in pcsc-lite before 1.8.20 allows a remote attackers to cause denial of service (crash) via a command that uses "cardsList" after the handle has been released through the SCardReleaseContext function.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-778-1, DSA-3752-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pcsc-lite (PTS)buster1.8.24-1fixed
bullseye1.9.1-1fixed
bookworm1.9.9-2fixed
trixie2.0.1-1fixed
sid2.0.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pcsc-litesourcewheezy1.8.4-1+deb7u2DLA-778-1
pcsc-litesourcejessie1.8.13-1+deb8u1DSA-3752-1
pcsc-litesource(unstable)1.8.20-1

Notes

https://anonscm.debian.org/cgit/pcsclite/PCSC.git/commit/?id=697fe05967af7ea215bcd5d5774be587780c9e22
https://anonscm.debian.org/cgit/pcsclite/PCSC.git/commit/?id=3aaab9d998b5deb16a246cc7517e44144d281d3b
https://www.openwall.com/lists/oss-security/2017/01/03/2
Search for package or bug name: Reporting problems