Advisories for Pypi/Libosdp package

2024

LibOSDP vulnerable to a null pointer deref in osdp_reply_name

Issue: At ospd_common.c, on the osdp_reply_name function, any reply id between REPLY_ACK and REPLY_XRD is valid, but names array do not declare all of the range. On a case of an undefined reply id within the range, name will be null (name = names[reply_id - REPLY_ACK];). Null name will casue a crash on next line: if (name[0] == '\0') as null[0] is invalid. Attack: As this logic is not limited …

LibOSDP RMAC revert to the beginning of the session

Issues: SCS_14 is allowed on encrypted connection (osdp_phy.c) No validation for RMAC_I is only in response to osdp_SCRYPT (osdp_cp.c) Couldn't find anything specific in the OSDP specifications indicating it is forbidden, I'm gussing it shouldn't be allowed according from the secure connection initialization flow (let me know if you think there is spec-rela ted change that should be done) Attack: Once RMAC_I message can be sent during a session, attacker …

LibOSDP RMAC revert to the beginning of the session

Issues: SCS_14 is allowed on encrypted connection (osdp_phy.c) No validation for RMAC_I is only in response to osdp_SCRYPT (osdp_cp.c) Couldn't find anything specific in the OSDP specifications indicating it is forbidden, I'm gussing it shouldn't be allowed according from the secure connection initialization flow (let me know if you think there is spec-rela ted change that should be done) Attack: Once RMAC_I message can be sent during a session, attacker …