Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Control: block 931081 by -1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

I prepared an update for buster that:

1. fixes the stretch->buster upgrade bug (#931081) found by anbe@;
2. backports security fixes from upstream.

Regarding (2), upstream (Yubico) did not issue a security advisory, there is no CVE or DSA assigned, and the issues aren't yet known to be exploitable; as such, I believe this is suitable for -pu (as opposed to the security queue).

Please find the debdiff attached.

Best,

  nicoo

- -- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEEU7EqA8ZVHYoLJhPE5vmO4pLV7MsFAl0y7fQRHG5pY29vQGRl
Ymlhbi5vcmcACgkQ5vmO4pLV7MstVg//ddknDHdLMSHafKswkys01Yx0YeIHAYBk
N1p9hDRoqHrCexc3f4JDnWTGxte8u0XiqzkWvHQ/H2+ugw2fDSHhMrxQ2TNszyaX
Qvg1/iiPGrG1N/qnyvhfcORPfgG5zcqOluhpbCnnb9/dteOcPe9KufsCEIIm97Sz
82ge2+I86cmtCYN4LNxsfLsoSOBOfOPkXh+AaEGoZe3sBdlEzB2V9qHlk+yRqftj
A99gmdXcMo5Zd9imnSwEc1E7rEYnbydt0R1EllzE6N1EbZKTV0jgONJ3AittfF4N
SukcYbynyjztuJeLO58KAjuzx0A+y2+U0geDrG/kJCRmWvNb5SkUU4C4A1cYyn52
BjVeSE30avmYUTMHZj/F9c7jDltgieAKKi+BeRgV4Zv7QyanHvGUw6nlVE2X3POE
K9rvet1mMZStY/prqFzcZNNxcfGmZnTnbhebAFt84Jfzl3aKLr0dsrsSot8tJ17V
Rpzxcp+o85PvOt0GsjqRLql2L8sxUrWsvN+7Yr92DjscSTb8CEuNjvISASrYALIL
uNdIQhrzPMR5uACrSQ0TOAtPH05bAeYX4BMzEcaDd+XfXLRrbVGcJOk2uQ3jN+2w
VL0G4jjkJyMyDUJTp0HguWdpEcMNV72Xn4pqR0sSLl4WIMesbZB+74mkJY3DucoO
7DjFa7ALoME=
=5TeZ
-----END PGP SIGNATURE-----
diff -Nru yubikey-personalization-1.19.3/debian/changelog yubikey-personalization-1.19.3/debian/changelog --- yubikey-personalization-1.19.3/debian/changelog 2019-04-06 21:34:23.000000000 +0200 +++ yubikey-personalization-1.19.3/debian/changelog 2019-07-20 11:43:51.000000000 +0200 @@ -1,3 +1,11 @@ +yubikey-personalization (1.19.3-3+deb10u1) buster-proposed-updates; urgency=medium + + * Backport security improvements from v1.20.0 + * debian/control: Add missing Break+Replaces on libyubikey-udev + Closes: #931081 + + -- Nicolas Braud-Santoni <ni...@debian.org> Sat, 20 Jul 2019 11:43:51 +0200 + yubikey-personalization (1.19.3-3) unstable; urgency=high (fixes RC bug) [ Nicolas Braud-Santoni ] diff -Nru yubikey-personalization-1.19.3/debian/control yubikey-personalization-1.19.3/debian/control --- yubikey-personalization-1.19.3/debian/control 2019-04-06 21:34:23.000000000 +0200 +++ yubikey-personalization-1.19.3/debian/control 2019-07-20 11:43:51.000000000 +0200 @@ -63,6 +63,8 @@ Multi-Arch: foreign Section: libs Depends: ${misc:Depends}, udev +Breaks: libykpers-1-1 (<< 1.19.3) +Replaces: libykpers-1-1 (<< 1.19.3) Description: udev rules for unprivileged access to YubiKeys YubiKeys are USB tokens that act like keyboards and generate one-time or static passwords. diff -Nru yubikey-personalization-1.19.3/debian/patches/0001-Clear-potentially-sensitive-material-from-stack-allo.patch yubikey-personalization-1.19.3/debian/patches/0001-Clear-potentially-sensitive-material-from-stack-allo.patch --- yubikey-personalization-1.19.3/debian/patches/0001-Clear-potentially-sensitive-material-from-stack-allo.patch 1970-01-01 01:00:00.000000000 +0100 +++ yubikey-personalization-1.19.3/debian/patches/0001-Clear-potentially-sensitive-material-from-stack-allo.patch 2019-07-20 11:43:51.000000000 +0200 
@@ -0,0 +1,33 @@ +Subject: Clear potentially sensitive material from stack allocated buffer + +--- + ykpers.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ykpers.c b/ykpers.c +index 47722e0..7941d0e 100644 +From: Gabriel Kihlman <g.kihl...@yubico.com> +Origin: commit:5b2973378aa20c20dadfd16f23df8e692e9edc95 +Applied-Upstream: 731d6b5cee16670e896ceddd8badb3704f1664da +Reviewed-by: Nicolas Braud-Santoni <ni...@debian.org> +Last-Update: 2019-07-20 + +--- a/ykpers.c ++++ b/ykpers.c +@@ -32,6 +32,7 @@ + #include "ykpbkdf2.h" + #include "yktsd.h" + #include "ykpers-json.h" ++#include "ykcore/ykbzero.h" + + #include <ykpers.h> + +@@ -408,7 +409,7 @@ int ykp_AES_key_from_passphrase(YKP_CONFIG *cfg, const char *passphrase, + } + } + +- memset (buf, 0, sizeof(buf)); ++ insecure_memzero (buf, sizeof(buf)); + return rc; + } + return 0; diff -Nru yubikey-personalization-1.19.3/debian/patches/0002-Tighten-the-salt_len-check-to-avoid-a-potential-stac.patch yubikey-personalization-1.19.3/debian/patches/0002-Tighten-the-salt_len-check-to-avoid-a-potential-stac.patch --- yubikey-personalization-1.19.3/debian/patches/0002-Tighten-the-salt_len-check-to-avoid-a-potential-stac.patch 1970-01-01 01:00:00.000000000 +0100 +++ yubikey-personalization-1.19.3/debian/patches/0002-Tighten-the-salt_len-check-to-avoid-a-potential-stac.patch 2019-07-20 11:43:51.000000000 +0200 
@@ -0,0 +1,39 @@ +Subject: Tighten the salt_len check to avoid a potential stack buf overwrite + further down. + +If salt_len was 256: + + for (block_count = 1; block_count <= l; block_count++) { + unsigned char block[256]; /* A big chunk, that's 2048 bits */ +[ ... ] + + memcpy(block, salt, salt_len); + block[salt_len + 0] = (block_count & 0xff000000) >> 24; + block[salt_len + 1] = (block_count & 0x00ff0000) >> 16; + block[salt_len + 2] = (block_count & 0x0000ff00) >> 8; + block[salt_len + 3] = (block_count & 0x000000ff) >> 0; + + block[256] is outside the buffer and then the next lines would overwrite 3 more bytes +--- + ykpbkdf2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ykpbkdf2.c b/ykpbkdf2.c +index 8ca371c..76a58aa 100644 +From: Gabriel Kihlman <g.kihl...@yubico.com> +Origin: commit:f0ae7670a4f5b04419a85855b9cb889d19826d46 +Applied-Upstream: ab1d270eb56674c7f08eacef88fca66d12a461f6 +Reviewed-by: Nicolas Braud-Santoni <ni...@debian.org> +Last-Update: 2019-07-20 + +--- a/ykpbkdf2.c ++++ b/ykpbkdf2.c +@@ -54,7 +54,7 @@ int yk_pbkdf2(const char *passphrase, + unsigned char *dk, size_t dklen, + YK_PRF_METHOD *prf_method) + { +- if (salt_len > 256) { ++ if (salt_len > (255 - 4)) { + return 0; + } + size_t l = ((dklen - 1 + prf_method->output_size) diff -Nru yubikey-personalization-1.19.3/debian/patches/series yubikey-personalization-1.19.3/debian/patches/series --- yubikey-personalization-1.19.3/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ yubikey-personalization-1.19.3/debian/patches/series 2019-07-20 11:43:51.000000000 +0200 @@ -0,0 +1,2 @@ +0001-Clear-potentially-sensitive-material-from-stack-allo.patch +0002-Tighten-the-salt_len-check-to-avoid-a-potential-stac.patch
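Review bot: in the debian/changelog hunk, "Backport security improvements from v1.20.0" does not say which fixes are being shipped, which matters here because the cover letter argues they need no DSA and the point-release team has to judge that from the changelog. Name them, e.g. `* Backport security fixes from v1.20.0: tighten the salt_len bound in yk_pbkdf2 (stack buffer overwrite) and zero the key buffer in ykp_AES_key_from_passphrase`, so the entry matches the two patch subjects added to debian/patches/series.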
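Review bot: in the debian/control hunk, the new `Breaks: libykpers-1-1 (<< 1.19.3)` / `Replaces: libykpers-1-1 (<< 1.19.3)` on libyubikey-udev are only correct if the udev rules left libykpers-1-1 at the 1.19.3 upstream release itself; if the move happened in a later Debian revision of 1.19.3, the bound leaves a window in which both packages still ship the file and the #931081 file conflict is not fixed. Please confirm the version against the changelog of the revision that introduced libyubikey-udev, and state it in the changelog entry so the bound can be checked at review time.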
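Review bot: in the ykpers.c hunk of 0001-Clear-potentially-sensitive-material-from-stack-allo.patch, the only zeroing is on the `return rc;` path inside the conditional; the trailing `return 0;` in the context leaves a path that exits without touching buf, so confirm buf is never written on that path (or move the `insecure_memzero (buf, sizeof(buf));` ahead of the outer return). Also verify what `insecure_memzero` from `ykcore/ykbzero.h` resolves to on buster: the name advertises that the fallback may be a plain memset that the compiler can dead-store-eliminate, so the build should be checked to pick up explicit_bzero (available in buster's glibc 2.28). Two header points: the DEP-3 fields `From:`, `Origin:`, `Applied-Upstream:`, `Reviewed-by:` and `Last-Update:` sit between the `index 47722e0..7941d0e 100644` line and `--- a/ykpers.c` rather than above the first `---` with `Subject:`; quilt tolerates this but DEP-3 tooling does not, so move them up. And `Origin: commit:5b2973378aa20c20dadfd16f23df8e692e9edc95` and `Applied-Upstream: 731d6b5cee16670e896ceddd8badb3704f1664da` name different commits; say which is the authoring commit and which the upstream merge, or cite only the one in the v1.20.0 tree.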
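Review bot: in the ykpbkdf2.c hunk of 0002-Tighten-the-salt_len-check-to-avoid-a-potential-stac.patch, the new bound `salt_len > (255 - 4)` is one byte more conservative than needed and is not tied to the buffer it protects. With `unsigned char block[256]`, the writes to `block[salt_len + 0]` through `block[salt_len + 3]` stay in bounds for salt_len <= 252, while the check now rejects anything above 251. That is safe, but a literal 255 beside a 256-byte array is how the next off-by-one gets in; define the block size once (e.g. `#define PBKDF2_BLOCK_SIZE 256`), declare the array from it, and write the check as `salt_len + 4 > PBKDF2_BLOCK_SIZE`. The commit message only works the salt_len == 256 case; note there that the old `salt_len > 256` test also let 253, 254 and 255 through, each of which writes past the end of block. Same DEP-3 header-placement remark as for the first patch: the `From:`/`Origin:`/`Applied-Upstream:` block belongs above the `---` separator, not after the `index 8ca371c..76a58aa 100644` line.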