Re: OpenSC, ghostscript, cgif issues from the recent Anthropic disclosure

[Eli Schwartz <eschwartz () gentoo org>]

On 2/20/26 8:17 AM, Joe Malcolm wrote:
> Many will have seen the recent post from Anthropic (1) and 
> associated reporting that says they found 500+ vulnerabilities and 
> lists 3 of them.  These three issues don’t appear to have CVEs and 
> two don’t appear in releases. I don’t know if that indicates the 
> maintainers don't agree with the significance of these findings, but 
> I wonder if the other 498+ vulnerabilities also lack CVEs.
>
> 1. For OpenSC, the commit appears to be:
>
> https://github.com/OpenSC/OpenSC/ 
> commit/9ab1daf21029dd18f8828d684ee6151d9238edab
>
> There are no disclosed security issues more recent than 2024 at 
> https://github.com/OpenSC/OpenSC/security and the last release was 
> OpenSC 0.26.1.

https://github.com/OpenSC/OpenSC/pull/3554


> The strcat is a magnet to any static analysis tools and CVEs. Lets
> get rid of that and replace it with the "safe" strlcat


I think this indicates they made the change solely because they were fed
up with "security report harassment" and hoped that by making a change
they saw as pointless, they could "defang" LLM tooling that reports "use
of xxx function *could* be buggy, you use the function, we shall report
it by assuming it is indeed buggy".

-- 
Eli Schwartz

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature