Anthropic wrote a blog post about their LLM finding 0days in open source projects.

@reverseics correct. This data is read from objects on card/tokens. Therefore it requires a physical access to the system, plugging (malicious) stuff to USBs and having the system running opensc handling the desktop login (in most cases). Most of the issues we had over last couple of years fall into this attack vector category (and this was certainly not the last one).

This part of the PIV specs is something ancient logic hopefully not used by anyone these days (but code is there), that was saving the space on cards by allowing to have a certificate saved externally on disk.

@reverseics what you are looking at is already the revision that has one of the fix for the issue applied. The Anthropic reported this issue before the https://github.com/OpenSC/OpenSC/pull/3558 was applied. The fix https://github.com/OpenSC/OpenSC/pull/3554 was mostly hardening as the strcat() is really a magnet for anything security relevant (regardless if it is an static analysis or AI scanner).