📖 ~4 min read • Source: SUSE advisory SUSE-SR:2011:003 (see also SUSE bugzilla)
Related CVEs: CVE-2010-4530
Upstream summary: Signedness error in ccid_serial.c in libccid in the USB Chip/Smart Card Interface Devices (CCID) driver, as used in pcscd in PCSC-Lite 1.5.3 and possibly other products, allows physically proximate attackers to execute arbitrary code via a smart card with a crafted serial number that causes a negative value to be used in a memcpy operation, which triggers a buffer overflow. NOTE: some sources refer to this issue as an integer overflow.
Table of contents
Symptom & Impact
On SLES 12 hosts running pcsc-ccid, administrators report behaviour consistent with SUSE advisory SUSE-SR:2011:003: zypper refusing to install or restart affected services, AppArmor profile warnings in journalctl, and — for security-rated advisories — exposure to the vulnerability set above. In production estates the visible impact ranges from a single service restart to wider availability incidents whenever pcsc-ccid sits on the serving path.
Environment & Reproduction
Reproduction targets SLES 12. Confirm release with cat /etc/os-release and SUSEConnect --status-text, and the currently installed package with rpm -q pcsc-ccid. Capture system state with supportconfig -R /var/tmp -B pcsc-ccid if you need to attach evidence to a SUSE support case. Trigger the workflow that exposes pcsc-ccid — vulnerability — patch and remediation guide while collecting journalctl -b, zypper history, and rpm -qa output.
Root Cause Analysis
Root cause is documented in SUSE advisory SUSE-SR:2011:003. Upstream maintainers shipped fixes in the corresponding pcsc-ccid update for SLES 12; running an outdated build leaves the host exposed to the failure modes described in the advisory. Correlate journalctl --since timestamps with zypper history entries and any AppArmor denials in /var/log/audit/audit.log to isolate the originating change.
Quick Triage
Quick triage: run systemctl status pcsc-ccid, journalctl -u pcsc-ccid -n 200, zypper patch-check, zypper lp, firewall-cmd --list-all, and aa-status. If AppArmor is in enforce mode, capture journalctl -k | grep apparmor to surface denials linked to pcsc-ccid — vulnerability — patch and remediation guide.
Step-by-Step Diagnosis
1) Confirm symptom with systemctl --failed. 2) Inspect logs: journalctl -xe and journalctl -u pcsc-ccid. 3) Validate firewall: firewall-cmd --list-all-zones. 4) Check AppArmor: aa-status and journalctl -k | grep apparmor. 5) Verify package integrity: rpm -V pcsc-ccid and zypper verify. 6) Correlate findings with zypper history, /var/log/zypp/history, and SUSE advisory SUSE-SR:2011:003 to pin the change that introduced pcsc-ccid — vulnerability — patch and remediation guide.
Solution – Primary Fix
Primary fix for pcsc-ccid — vulnerability — patch and remediation guide: apply the corrective zypper transaction described in SUSE advisory SUSE-SR:2011:003, reload the affected systemd unit, and reconcile firewalld and AppArmor state. Typical commands: sudo zypper ref, sudo zypper -n patch or sudo zypper -n update pcsc-ccid, sudo systemctl daemon-reload, sudo systemctl restart pcsc-ccid, then rpm -q pcsc-ccid to validate the new build is installed. For kernel advisories add sudo systemctl reboot or schedule a Live Patch (kgraft/klp) where covered by your SUSE subscription.
Need help rolling this patch across a SUSE fleet? Our IT Solutions & Services team manages SUSE patch windows with zero-downtime change controls. Get in touch for a free consultation.
Solution – Alternative Approaches
Alternatives include rolling back the offending transaction with sudo zypper history --rollback <id> (Btrfs Snapper snapshots make this safe on SLES 12), locking the package via sudo zypper al pcsc-ccid, switching firewalld backends between nftables and iptables in /etc/firewalld/firewalld.conf, or temporarily disabling the AppArmor profile with sudo aa-disable /etc/apparmor.d/usr.sbin.pcsc-ccid to confirm policy is the cause before authoring a custom profile. Where Live Patching is licensed, klp patches applies kernel fixes without reboot.
Verification & Acceptance Criteria
Acceptance: rpm -q pcsc-ccid shows the expected fixed version, systemctl is-active pcsc-ccid returns active, journalctl -u pcsc-ccid --since "5 minutes ago" shows no errors, zypper patch-check reports zero open patches for this advisory, firewall-cmd --list-services includes the required services, aa-status reports the intended profile mode, and the original reproduction steps for pcsc-ccid — vulnerability — patch and remediation guide no longer trigger the failure across two consecutive runs.
Rollback Plan
Capture state with zypper history list, snapper list, and rpm -qa > /root/rpm-pre.txt before any change. To revert, run sudo snapper undochange <pre>..<post> on Btrfs deployments or sudo zypper install --oldpackage pcsc-ccid-<old-version> and reload systemctl daemon-reload. Remove custom AppArmor profiles with sudo apparmor_parser -R. Reboot if the kernel or initramfs was changed and re-verify symptoms.
Prevention & Hardening
Prevent recurrence by enabling automatic security patches with zypper-automatic or YaST > Online Update Configuration, subscribing to the SUSE-SU mailing list, mirroring through SUSE Manager / RMT for controlled rollouts, version-locking sensitive packages with zypper al, and monitoring file integrity with aide --check. Apply CIS SLES 12 hardening, enable Snapper rollbacks on Btrfs root, and where supported enable SUSE Live Patching so future advisories like this can be remediated without reboot.
Related Errors & Cross-Refs
Related issues that commonly surface alongside pcsc-ccid — vulnerability — patch and remediation guide: zypper transaction lock contention, systemd unit ordering cycles, AppArmor denials in journalctl -k, firewalld zone drift, and kernel taint flags shown by cat /proc/sys/kernel/tainted. See sibling common-problem articles in this SLES 12 series for adjacent failure modes.
View all sles-12 tutorials on the Tutorials Hub →
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
Primary reference: SUSE advisory SUSE-SR:2011:003 (see also SUSE bugzilla). Supporting docs: SUSE Linux Enterprise Server Administration Guide, man zypper, man systemctl, man firewall-cmd, man aa-status, man snapper, man journalctl, the SUSE patch finder at suse.com/patches/, and the SUSE Live Patching documentation. Review /usr/share/doc/packages/pcsc-ccid/ for component-level notes implicated in pcsc-ccid — vulnerability — patch and remediation guide.
