There is a new security release (1.1.7) of libu2f-host on https://developers.yubico.com/libu2f-host/Releases/libu2f-host-1.1.7.tar.xz

Libu2f-host prior to version 1.1.7 contains an unchecked buffer, which could allow a buffer overflow. Libu2f-host is a library that implements the host party of the U2F protocol. This issue can allow an attacker with a custom-made malicious USB device masquerading as a security key, and physical access to a computer where PAM U2F or an application with libu2f-host integrated is used, to potentially execute arbitrary code on that computer. Users of the YubiKey PAM U2F Tool are the most impacted since the arbitrary code could execute with elevated privileges.

Reproducible: Always

I mailed crypto@gentoo.org a month ago but received no feedback. Please bump your package to protect your users.
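The report above describes the bug class only in general terms (an unchecked buffer reachable from a USB device posing as a security key). The following is an added illustration, not code from libu2f-host or from this bug report, of the defensive pattern a U2F host needs at exactly that trust boundary: the device tells the host how long a response is, and every copy must be bounded by the host's own buffer, not by the device's claim. The frame layout follows the FIDO U2FHID transport (64-byte reports, 7-byte init header with a big-endian BCNT, 5-byte continuation header, 7609-byte maximum payload); `build_frames` exists only to construct sample input for the demonstration, and the hostile frame in `main` is constructed here, not taken from the actual vulnerability.

```c
/* Added example: bounded reassembly of U2FHID response frames.
 * Not libu2f-host code; constants follow the FIDO U2FHID transport spec.
 * The specific defect fixed in libu2f-host 1.1.7 is not reproduced here;
 * the point is the general pattern of never trusting a device-supplied length. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HID_RPT_SIZE        64                      /* one HID report */
#define INIT_HDR            7                       /* CID(4) CMD(1) BCNTH BCNTL */
#define CONT_HDR            5                       /* CID(4) SEQ(1) */
#define INIT_DATA           (HID_RPT_SIZE - INIT_HDR)   /* 57 payload bytes */
#define CONT_DATA           (HID_RPT_SIZE - CONT_HDR)   /* 59 payload bytes */
#define U2FHID_MAX_PAYLOAD  (INIT_DATA + 128 * CONT_DATA) /* 7609 per spec */
#define U2FHID_MSG          0x83                    /* 0x80 | 0x03 */

/* Host-side encoder, used here only to build sample input. Returns the number
 * of frames written, or 0 if the payload does not fit in max_frames. */
static size_t build_frames(uint8_t (*frames)[HID_RPT_SIZE], size_t max_frames,
                           uint32_t cid, uint8_t cmd, const uint8_t *payload, size_t len)
{
    if (len > U2FHID_MAX_PAYLOAD || max_frames == 0) return 0;
    memset(frames[0], 0, HID_RPT_SIZE);
    frames[0][0] = (uint8_t)(cid >> 24); frames[0][1] = (uint8_t)(cid >> 16);
    frames[0][2] = (uint8_t)(cid >> 8);  frames[0][3] = (uint8_t)cid;
    frames[0][4] = (uint8_t)(cmd | 0x80);            /* bit 7 marks an init packet */
    frames[0][5] = (uint8_t)(len >> 8); frames[0][6] = (uint8_t)(len & 0xff);
    size_t take = len < INIT_DATA ? len : INIT_DATA;
    memcpy(frames[0] + INIT_HDR, payload, take);
    size_t sent = take, n = 1;
    for (uint8_t seq = 0; sent < len; seq++, n++) {
        if (n >= max_frames) return 0;
        memset(frames[n], 0, HID_RPT_SIZE);
        memcpy(frames[n], frames[0], 4);             /* same channel id */
        frames[n][4] = seq;                          /* continuation: bit 7 clear */
        take = (len - sent) < CONT_DATA ? (len - sent) : CONT_DATA;
        memcpy(frames[n] + CONT_HDR, payload + sent, take);
        sent += take;
    }
    return n;
}

/* Reassemble a response from nframes reports read off the device into
 * out[out_cap]. Returns the payload length, or -1 for anything malformed,
 * truncated, out of sequence, or larger than the caller's buffer. */
static int u2fhid_reassemble(uint8_t (*frames)[HID_RPT_SIZE], size_t nframes,
                             uint8_t *out, size_t out_cap)
{
    if (nframes == 0) return -1;
    uint8_t *f = frames[0];
    if ((f[4] & 0x80) == 0) return -1;               /* first report must be an init packet */
    size_t bcnt = ((size_t)f[5] << 8) | f[6];        /* device-supplied total length */
    /* The two checks an unchecked implementation omits: the claimed length is
     * bounded by the protocol maximum AND by the buffer the host actually owns. */
    if (bcnt > U2FHID_MAX_PAYLOAD || bcnt > out_cap) return -1;
    size_t take = bcnt < INIT_DATA ? bcnt : INIT_DATA;
    memcpy(out, f + INIT_HDR, take);
    size_t got = take;
    uint8_t expect_seq = 0;
    for (size_t i = 1; got < bcnt; i++) {
        if (i >= nframes) return -1;                 /* device stopped short */
        f = frames[i];
        if (memcmp(f, frames[0], 4) != 0) return -1; /* channel id changed mid-message */
        if (f[4] != expect_seq) return -1;           /* not the continuation we expect */
        expect_seq++;
        size_t rem = bcnt - got;                     /* never copy more than remains */
        take = rem < CONT_DATA ? rem : CONT_DATA;
        memcpy(out + got, f + CONT_HDR, take);
        got += take;
    }
    return (int)bcnt;
}

int main(void)
{
    uint8_t payload[100];                            /* constructed sample response */
    for (size_t i = 0; i < sizeof payload; i++) payload[i] = (uint8_t)i;
    uint8_t frames[4][HID_RPT_SIZE];
    size_t n = build_frames(frames, 4, 0x01020304u, U2FHID_MSG, payload, sizeof payload);
    uint8_t out[128];
    printf("well-formed device: %d bytes\n", u2fhid_reassemble(frames, n, out, sizeof out));
    /* Constructed hostile header: BCNT now claims 4096 bytes for a 256-byte buffer. */
    frames[0][5] = 0x10; frames[0][6] = 0x00;
    uint8_t big[256];
    printf("oversized claim rejected: %d\n", u2fhid_reassemble(frames, n, big, sizeof big));
    return 0;
}
```

The reassembler takes its limit from `out_cap`, which the caller derives from its own allocation, so a device that lies in BCNT, changes channel id, or skips a sequence number gets a clean error instead of a write past the buffer.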
The fix for this version as per YubiKey is: Version 1.1.7 (released 2019-01-08)
Current released version is: Version 1.1.9 (released 2019-03-06)

Maintainers, can you please act on this as soon as possible.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a1fc80ba7e47494400019c924245aff51b8307e

commit 1a1fc80ba7e47494400019c924245aff51b8307e
Author: Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2019-06-05 20:00:59 +0000
Commit: Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2019-06-05 20:05:25 +0000

    app-crypt/libu2f-host: bump to 1.1.10

    Bug: https://bugs.gentoo.org/678580
    Bug: https://bugs.gentoo.org/679724
    Package-Manager: Portage-2.3.67, Repoman-2.3.12
    Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>

 app-crypt/libu2f-host/Manifest                  |  1 +
 app-crypt/libu2f-host/libu2f-host-1.1.10.ebuild | 47 +++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=51323d25822747871328d2d8578f48cdd5dbe8c5

commit 51323d25822747871328d2d8578f48cdd5dbe8c5
Author: Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2019-06-08 19:08:27 +0000
Commit: Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2019-06-08 19:08:27 +0000

    app-crypt/libu2f-host: remove old vulnerable #678580 #679724

    Bug: https://bugs.gentoo.org/678580
    Bug: https://bugs.gentoo.org/679724
    Package-Manager: Portage-2.3.67, Repoman-2.3.12
    Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>

 app-crypt/libu2f-host/Manifest                 |  3 --
 app-crypt/libu2f-host/libu2f-host-1.1.1.ebuild | 63 --------------------------
 app-crypt/libu2f-host/libu2f-host-1.1.3.ebuild | 55 ----------------------
 app-crypt/libu2f-host/libu2f-host-1.1.6.ebuild | 55 ----------------------
 4 files changed, 176 deletions(-)
GLSA Vote: Yes

New GLSA Request filed.
This issue was resolved and addressed in GLSA 202004-15 at https://security.gentoo.org/glsa/202004-15 by GLSA coordinator Thomas Deutschmann (whissi).