opencryptoki-3.22.0-3.el8_10.3
Errata ID: AXSA:2026-797:04
The opencryptoki packages contain version 2.11 of the PKCS#11 API, implemented for IBM Cryptocards, such as IBM 4764 and 4765 crypto cards. These packages include support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z). The opencryptoki packages also bring a software token implementation that can be used without any cryptographic hardware. These packages contain the Slot Daemon (pkcsslotd) and general utilities.
Security Fix(es):
* openCryptoki: openCryptoki: Information disclosure and Denial of Service via malformed BER-encoded cryptographic objects (CVE-2026-40253)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-40253
openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. In versions 3.26.0 and below, the BER/DER decoding functions in the shared common library (asn1.c) accept a raw pointer but no buffer length parameter, and trust attacker-controlled BER length fields without validating them against actual buffer boundaries. All primitive decoders are affected: ber_decode_INTEGER, ber_decode_SEQUENCE, ber_decode_OCTET_STRING, ber_decode_BIT_STRING, and ber_decode_CHOICE. Additionally, ber_decode_INTEGER can produce integer underflows when the encoded length is zero. An attacker supplying a malformed BER-encoded cryptographic object through PKCS#11 operations such as C_CreateObject or C_UnwrapKey, token loading from disk, or remote backend communication can trigger out-of-bounds reads. This affects all token backends (Soft, ICA, CCA, TPM, EP11, ICSF) since the vulnerable code is in the shared common library. A patch is available through commit ed378f463ef73364c89feb0fc923f4dc867332a3.
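The checks the description above says were missing, as an added example (not openCryptoki's code and not the upstream patch): the decoder receives the buffer length, compares the BER length field against the bytes actually remaining, and rejects a zero-length INTEGER. The function names and signatures are hypothetical, and the input in `main` is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not openCryptoki code): parse a BER tag+length header
 * from buf[0..buf_len). Returns 0 on success, -1 on malformed/truncated input. */
static int ber_header_checked(const uint8_t *buf, size_t buf_len, uint8_t tag,
                              size_t *hdr_len, size_t *val_len)
{
    size_t len = 0, n, i;

    if (buf == NULL || buf_len < 2 || buf[0] != tag)
        return -1;
    if ((buf[1] & 0x80) == 0) {          /* short form: length in one byte */
        len = buf[1];
        *hdr_len = 2;
    } else {                             /* long form: next n bytes hold length */
        n = buf[1] & 0x7F;
        if (n == 0 || n > sizeof(size_t) || n > buf_len - 2)
            return -1;                   /* indefinite, oversized or truncated */
        for (i = 0; i < n; i++)
            len = (len << 8) | buf[2 + i];
        *hdr_len = 2 + n;
    }
    if (len > buf_len - *hdr_len)        /* claimed length vs. bytes present */
        return -1;
    *val_len = len;
    return 0;
}

/* Hypothetical INTEGER decoder: same bounds check, plus rejection of a zero
 * length so later "length - 1" arithmetic on the value cannot wrap around. */
int checked_decode_integer(const uint8_t *buf, size_t buf_len,
                           const uint8_t **val, size_t *val_len, size_t *consumed)
{
    size_t hdr;
    if (ber_header_checked(buf, buf_len, 0x02, &hdr, val_len) != 0 || *val_len == 0)
        return -1;
    *val = buf + hdr;
    *consumed = hdr + *val_len;
    return 0;
}

int main(void)
{   /* constructed input: INTEGER claiming 127 value bytes, only 1 present */
    const uint8_t bad[] = {0x02, 0x7F, 0x01};
    const uint8_t *v; size_t vl, c;
    printf("%d\n", checked_decode_integer(bad, sizeof bad, &v, &vl, &c));
    return 0;
}
```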
Update packages.
N/A
SRPMS
- opencryptoki-3.22.0-3.el8_10.3.src.rpm
MD5: b75688c2f3be2c47b83b7ac2c30b4afa
SHA-256: 0a80240b5df99c0329e2bb371666b96aea14fabf5080c1199e2246cad63e6b38
Size: 1.80 MB
Asianux Server 8 for x86_64
- opencryptoki-3.22.0-3.el8_10.3.x86_64.rpm
MD5: bce6cfbaec3f2beb802c074426366810
SHA-256: 7cca77c1c7e56ea7dd8afc7a2a636e675023b546bd6beedfbb4cdcaacb263be7
Size: 233.85 kB
- opencryptoki-devel-3.22.0-3.el8_10.3.i686.rpm
MD5: f969c82f390105cd7829bff54517bebe
SHA-256: a9a7a222bc6adb498ba1236517192770c988dabb56d22f414af60e28fac050b3
Size: 38.82 kB
- opencryptoki-devel-3.22.0-3.el8_10.3.x86_64.rpm
MD5: 4c06ae5684959a036e37a682a50ed2ce
SHA-256: dad89e7e3f800751a421e4634508a48e26a7196856833567adde814b28dd3a48
Size: 38.79 kB
- opencryptoki-icsftok-3.22.0-3.el8_10.3.x86_64.rpm
MD5: eabe46bb0bcb4d959ea528cea619923a
SHA-256: 3fdd6cb7770a06cff3cec93a0ef6c96e7b064513b7c7d94e6670edc5530a11dd
Size: 347.00 kB
- opencryptoki-libs-3.22.0-3.el8_10.3.i686.rpm
MD5: 58aa7950559ef1b0ae113ebfe0626d3f
SHA-256: 3cae222686c5aa62f1ace855f4f308c0ae4337c18496e6022b680d874c9e20b5
Size: 98.24 kB
- opencryptoki-libs-3.22.0-3.el8_10.3.x86_64.rpm
MD5: a382b047db6331d69455b73fd5e1a152
SHA-256: 7eb52a1e75f2fcc52e5c90cdf70d1b64f1d8e075d1b1a016aa02da8a8465b733
Size: 101.13 kB
- opencryptoki-swtok-3.22.0-3.el8_10.3.x86_64.rpm
MD5: cf009d019a47ebd1d1de08d8e17558c1
SHA-256: d47b889c964ec84c65b4ec9c961a6ce4452a5d202d6d96504fe0a092e16be2e4
Size: 266.80 kB
- opencryptoki-tpmtok-3.22.0-3.el8_10.3.x86_64.rpm
MD5: abcaa4221362001297723e2443f7e817
SHA-256: a9a75a008c60f3586b435ad5a3e4d17c15d504e271c4c60d62b05774be95818f
Size: 282.62 kB