Dear security team,

On Fri, Feb 08, 2019 at 08:23:10PM +0100, Nicolas Braud-Santoni wrote:
> On Fri, Feb 08, 2019 at 02:08:40PM +0100, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for libu2f-host.
> > 
> > CVE-2018-20340[0]:
> > buffer overflow
>
> I just uploaded a fixed version to unstable.
> I will see about backporting the fix to stretch.


I backported the fix and prepared an upload.
The debdiff is attached, and the commands used to produce it are documented 
below.

May I proceed with an upload to security-master?


Best,

  nicoo

-----

  $ dget http://deb.debian.org/debian/pool/main/libu/libu2f-host/libu2f-host_1.1.2-2.dsc
  [...]
  
  $ debdiff libu2f-host_1.1.2-2.dsc /opt/deb/buildarea/libu2f-host_1.1.2-2+deb9u1.dsc
  warning: extracting unsigned source package (/opt/deb/buildarea/libu2f-host_1.1.2-2+deb9u1.dsc)
  diff -Nru libu2f-host-1.1.2/debian/changelog 
libu2f-host-1.1.2/debian/changelog
  --- libu2f-host-1.1.2/debian/changelog  2016-09-23 20:42:49.000000000 +0200
  +++ libu2f-host-1.1.2/debian/changelog  2019-02-08 21:42:16.000000000 +0100
  @@ -1,3 +1,9 @@
  +libu2f-host (1.1.2-2+deb9u1) stretch-security; urgency=high
  +
  +  * Backport patch for CVE-2018-20340 (Closes: #921725)
  +
  + -- Nicolas Braud-Santoni <ni...@debian.org>  Fri, 08 Feb 2019 21:42:16 +0100
  +
   libu2f-host (1.1.2-2) unstable; urgency=medium
   
     * debian/control: Move the packaging repo to Alioth
  diff -Nru libu2f-host-1.1.2/debian/patches/Fix-CVE-2018-20340.patch 
libu2f-host-1.1.2/debian/patches/Fix-CVE-2018-20340.patch
  --- libu2f-host-1.1.2/debian/patches/Fix-CVE-2018-20340.patch   1970-01-01 
01:00:00.000000000 +0100
  +++ libu2f-host-1.1.2/debian/patches/Fix-CVE-2018-20340.patch   2019-02-08 
21:42:16.000000000 +0100
  @@ -0,0 +1,46 @@
  +Subject: Fix CVE-2018-20340
  +
  +Origin: upstream, 
https://github.com/Yubico/libu2f-host/commit/4d490bb2c528c351e32837fcdaebd998eb5d3f27
  +Bug-Debian: https://bugs.debian.org/921725
  +From: Klas Lindfors <k...@yubico.com>
  +Reviewed-by: Nicolas Braud-Santoni <ni...@debian.org>
  +Last-Update: 2019-02-08
  +Applied-Upstream: yes
  +
  +---
  + u2f-host/devs.c    | 5 +++++
  + u2f-host/u2fmisc.c | 5 +++++
  + 2 files changed, 10 insertions(+)
  +
  +diff --git a/u2f-host/devs.c b/u2f-host/devs.c
  +index 6f27c72..0c50882 100644
  +--- a/u2f-host/devs.c
  ++++ b/u2f-host/devs.c
  +@@ -247,6 +247,11 @@ init_device (u2fh_devs * devs, struct u2fdevice *dev)
  +        &resplen) == U2FH_OK)
  +     {
  +       U2FHID_INIT_RESP initresp;
  ++      if (resplen > sizeof (initresp))
  ++        {
  ++          return U2FH_MEMORY_ERROR;
  ++        }
  ++
  +       memcpy (&initresp, resp, resplen);
  +       dev->cid = initresp.cid;
  +       dev->versionInterface = initresp.versionInterface;
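Review bot: In the devs.c hunk the new check only rejects resplen > sizeof (initresp); a response shorter than the struct still passes, memcpy then fills only part of the uninitialised initresp, and the reads of initresp.cid and initresp.versionInterface that follow can pick up indeterminate stack bytes. Consider rejecting any length other than sizeof (initresp), or zero-initialising initresp before the copy. The return value U2FH_MEMORY_ERROR also differs from the u2fmisc.c hunk, which returns U2FH_TRANSPORT_ERROR for the analogous length failure; one code for both would be easier for callers to handle.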
  +diff --git a/u2f-host/u2fmisc.c b/u2f-host/u2fmisc.c
  +index 0be1adc..e17a6c3 100644
  +--- a/u2f-host/u2fmisc.c
  ++++ b/u2f-host/u2fmisc.c
  +@@ -306,6 +306,11 @@ u2fh_sendrecv (u2fh_devs * devs, unsigned index, 
uint8_t cmd,
  +                    frame.cont.seq, sequence);
  +           return U2FH_TRANSPORT_ERROR;
  +         }
  ++
  ++      if (recvddata + sizeof (frame.cont.data) > maxlen)
  ++        {
  ++          return U2FH_TRANSPORT_ERROR;
  ++        }
  +       memcpy (recv + recvddata, frame.cont.data, sizeof (frame.cont.data));
  +       recvddata += sizeof (frame.cont.data);
  +       }
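Review bot: The guard in u2fh_sendrecv tests recvddata + sizeof (frame.cont.data) > maxlen, so it demands room for a whole continuation frame on every iteration; if the final frame carries fewer payload bytes, a reply that fits the caller's buffer can still be rejected with U2FH_TRANSPORT_ERROR. This follows from the existing memcpy always copying sizeof (frame.cont.data); bounding the copy by the bytes still expected and by maxlen - recvddata would keep the overflow fix without that side effect. The types of recvddata and maxlen are not visible in this hunk, so it is worth confirming that the addition cannot wrap.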
  diff -Nru libu2f-host-1.1.2/debian/patches/series 
libu2f-host-1.1.2/debian/patches/series
  --- libu2f-host-1.1.2/debian/patches/series     1970-01-01 01:00:00.000000000 
+0100
  +++ libu2f-host-1.1.2/debian/patches/series     2019-02-08 21:42:16.000000000 
+0100
  @@ -0,0 +1 @@
  +Fix-CVE-2018-20340.patch
Format: 3.0 (quilt)
Source: libu2f-host
Binary: libu2f-host0, libu2f-host-dev, u2f-host
Architecture: any
Version: 1.1.2-2+deb9u1
Maintainer: Debian Authentication Maintainers <pkg-auth-maintain...@lists.alioth.debian.org>
Uploaders: Simon Josefsson <si...@josefsson.org>, Klas Lindfors <k...@yubico.com>, Dain Nilsson <d...@yubico.com>, Nicolas Braud-Santoni <nico...@braud-santoni.eu>
Homepage: https://developers.yubico.com/libu2f-host/
Standards-Version: 3.9.8
Vcs-Browser: https://anonscm.debian.org/git/pkg-auth/libu2f-host.git/
Vcs-Git: https://anonscm.debian.org/git/pkg-auth/libu2f-host.git
Build-Depends: debhelper (>= 9), pkg-config, libglib2.0-dev, libhidapi-dev, libjson-c-dev, gengetopt, help2man, dh-autoreconf, gtk-doc-tools, dblatex
Package-List:
 libu2f-host-dev deb libdevel extra arch=any
 libu2f-host0 deb libs extra arch=any
 u2f-host deb utils extra arch=any
Checksums-Sha1:
 c3e6ebb9c48924c87d9fb4f41436620a36a8f064 456160 libu2f-host_1.1.2.orig.tar.xz
 1956c724599d688523f71171df335db2f3114517 61552 
libu2f-host_1.1.2-2+deb9u1.debian.tar.xz
Checksums-Sha256:
 5bcdfbc5e6f972da5395185b71de2272f9a397f0f0d431860e71545f52f1c56a 456160 
libu2f-host_1.1.2.orig.tar.xz
 4bf2a1135cfd8c4d28c586267c126948d7dca40655a7a713530a3287611a3abd 61552 
libu2f-host_1.1.2-2+deb9u1.debian.tar.xz
Files:
 92fde5650151623635e97287bd389592 456160 libu2f-host_1.1.2.orig.tar.xz
 129f13bdae5ef14ad516e94fdd69cee2 61552 libu2f-host_1.1.2-2+deb9u1.debian.tar.xz
diff -Nru libu2f-host-1.1.2/debian/changelog libu2f-host-1.1.2/debian/changelog
--- libu2f-host-1.1.2/debian/changelog	2016-09-23 20:42:49.000000000 +0200
+++ libu2f-host-1.1.2/debian/changelog	2019-02-08 21:42:16.000000000 +0100
@@ -1,3 +1,9 @@
+libu2f-host (1.1.2-2+deb9u1) stretch-security; urgency=high
+
+  * Backport patch for CVE-2018-20340 (Closes: #921725)
+
+ -- Nicolas Braud-Santoni <ni...@debian.org>  Fri, 08 Feb 2019 21:42:16 +0100
+
 libu2f-host (1.1.2-2) unstable; urgency=medium
 
   * debian/control: Move the packaging repo to Alioth
diff -Nru libu2f-host-1.1.2/debian/patches/Fix-CVE-2018-20340.patch libu2f-host-1.1.2/debian/patches/Fix-CVE-2018-20340.patch
--- libu2f-host-1.1.2/debian/patches/Fix-CVE-2018-20340.patch	1970-01-01 01:00:00.000000000 +0100
+++ libu2f-host-1.1.2/debian/patches/Fix-CVE-2018-20340.patch	2019-02-08 21:42:16.000000000 +0100
@@ -0,0 +1,46 @@
+Subject: Fix CVE-2018-20340
+
+Origin: upstream, https://github.com/Yubico/libu2f-host/commit/4d490bb2c528c351e32837fcdaebd998eb5d3f27
+Bug-Debian: https://bugs.debian.org/921725
+From: Klas Lindfors <k...@yubico.com>
+Reviewed-by: Nicolas Braud-Santoni <ni...@debian.org>
+Last-Update: 2019-02-08
+Applied-Upstream: yes
+
+---
+ u2f-host/devs.c    | 5 +++++
+ u2f-host/u2fmisc.c | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/u2f-host/devs.c b/u2f-host/devs.c
+index 6f27c72..0c50882 100644
+--- a/u2f-host/devs.c
++++ b/u2f-host/devs.c
+@@ -247,6 +247,11 @@ init_device (u2fh_devs * devs, struct u2fdevice *dev)
+        &resplen) == U2FH_OK)
+     {
+       U2FHID_INIT_RESP initresp;
++      if (resplen > sizeof (initresp))
++        {
++          return U2FH_MEMORY_ERROR;
++        }
++
+       memcpy (&initresp, resp, resplen);
+       dev->cid = initresp.cid;
+       dev->versionInterface = initresp.versionInterface;
+diff --git a/u2f-host/u2fmisc.c b/u2f-host/u2fmisc.c
+index 0be1adc..e17a6c3 100644
+--- a/u2f-host/u2fmisc.c
++++ b/u2f-host/u2fmisc.c
+@@ -306,6 +306,11 @@ u2fh_sendrecv (u2fh_devs * devs, unsigned index, uint8_t cmd,
+ 		     frame.cont.seq, sequence);
+ 	    return U2FH_TRANSPORT_ERROR;
+ 	  }
++
++	if (recvddata + sizeof (frame.cont.data) > maxlen)
++	  {
++	    return U2FH_TRANSPORT_ERROR;
++	  }
+ 	memcpy (recv + recvddata, frame.cont.data, sizeof (frame.cont.data));
+ 	recvddata += sizeof (frame.cont.data);
+       }
diff -Nru libu2f-host-1.1.2/debian/patches/series libu2f-host-1.1.2/debian/patches/series
--- libu2f-host-1.1.2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libu2f-host-1.1.2/debian/patches/series	2019-02-08 21:42:16.000000000 +0100
@@ -0,0 +1 @@
+Fix-CVE-2018-20340.patch
