Bug 678580 (CVE-2018-20340) - <app-crypt/libu2f-host-1.1.10: library security release (CVE-2018-20340)
Summary: <app-crypt/libu2f-host-1.1.10: library security release (CVE-2018-20340)
Status: RESOLVED FIXED
Alias: CVE-2018-20340
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.yubico.com/support/securi...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-22 13:51 UTC by Gabriel
Modified: 2020-04-30 23:14 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Description Gabriel 2019-02-22 13:51:35 UTC
There is a new security release (1.1.7) of libu2f-host on 
https://developers.yubico.com/libu2f-host/Releases/libu2f-host-1.1.7.tar.xz

Libu2f-host prior to version 1.1.7 contains an unchecked buffer, which could allow a buffer overflow. Libu2f-host is a library that implements the host party of the U2F protocol. This issue can allow an attacker with a custom-made malicious USB device masquerading as a security key, and physical access to a computer where PAM U2F or an application with libu2f-host integrated is installed, to potentially execute arbitrary code on that computer. Users of the YubiKey PAM U2F Tool are the most impacted since the arbitrary code could execute with elevated privileges.

Reproducible: Always

I mailed crypto@gentoo.org a month ago but received no feedback.

Please bump your package to protect your users.
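The description above says only that a malicious USB device posing as a security key can overflow an unchecked buffer in the host library. As an added illustration of that defect class, written for this page and not taken from libu2f-host or its 1.1.7 fix, the C program below assembles a U2FHID message into a fixed host buffer twice: once trusting the device-declared byte count (BCNT), and once validating BCNT, CID and SEQ before any copy. The framing constants come from the public FIDO U2F HID protocol (64-byte reports, 7-byte init header, 5-byte continuation header); the report builders, the channel id 0x11223344 and the scenario inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* U2FHID framing constants from the public FIDO U2F HID protocol spec. */
#define HID_RPT_SIZE   64
#define INIT_HDR_SIZE  7                               /* CID(4) CMD(1) BCNTH BCNTL */
#define CONT_HDR_SIZE  5                               /* CID(4) SEQ(1)             */
#define INIT_DATA_SIZE (HID_RPT_SIZE - INIT_HDR_SIZE)  /* 57 payload bytes          */
#define CONT_DATA_SIZE (HID_RPT_SIZE - CONT_HDR_SIZE)  /* 59 payload bytes          */
#define TYPE_INIT      0x80
#define MAX_MSG_SIZE   7609

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }
/* Payload length the device declares in an init report (big-endian BCNT). */
static size_t declared_len(const uint8_t *rpt) { return ((size_t)rpt[5] << 8) | rpt[6]; }

/* Defect class (illustrative, not libu2f-host's code): the device-declared BCNT alone
 * decides how many bytes land in `out`; outcap is never consulted, so a device that
 * declares more than outcap and keeps sending continuation reports writes past it. */
int assemble_unchecked(const uint8_t *rpts, size_t nrpts,
                       uint8_t *out, size_t outcap, size_t *outlen) {
    (void)outcap;
    if (nrpts == 0 || !(rpts[4] & TYPE_INIT)) return -1;
    size_t want = declared_len(rpts), got = min_sz(want, INIT_DATA_SIZE);
    memcpy(out, rpts + INIT_HDR_SIZE, got);
    for (size_t i = 1; i < nrpts && got < want; i++) {
        size_t n = min_sz(want - got, CONT_DATA_SIZE);
        memcpy(out + got, rpts + i * HID_RPT_SIZE + CONT_HDR_SIZE, n);  /* unbounded */
        got += n;
    }
    *outlen = got;
    return got == want ? 0 : -1;
}

/* Hardened form: every device-controlled field is validated before it drives a copy.
 * Returns 0 on success, -1 on a malformed or over-long message. */
int assemble_checked(const uint8_t *rpts, size_t nrpts,
                     uint8_t *out, size_t outcap, size_t *outlen) {
    if (nrpts == 0 || !(rpts[4] & TYPE_INIT)) return -1;
    size_t want = declared_len(rpts);
    if (want > MAX_MSG_SIZE || want > outcap) return -1;   /* the check the defect lacks */
    size_t got = min_sz(want, INIT_DATA_SIZE);
    memcpy(out, rpts + INIT_HDR_SIZE, got);
    for (size_t i = 1; got < want; i++) {
        if (i >= nrpts) return -1;                          /* device stopped early */
        const uint8_t *r = rpts + i * HID_RPT_SIZE;
        if (memcmp(r, rpts, 4) != 0) return -1;             /* CID must match the init report */
        if (r[4] != (uint8_t)(i - 1)) return -1;            /* SEQ must run 0,1,2,... (bit 7 clear) */
        size_t n = min_sz(want - got, CONT_DATA_SIZE);
        memcpy(out + got, r + CONT_HDR_SIZE, n);
        got += n;
    }
    *outlen = got;
    return 0;
}

/* Constructed test reports (what a device would send), written into rpt. */
static void put_hdr(uint8_t *rpt, uint32_t cid, uint8_t byte4) {
    memset(rpt, 0, HID_RPT_SIZE);
    for (int i = 0; i < 4; i++) rpt[i] = (uint8_t)(cid >> (24 - 8 * i));
    rpt[4] = byte4;
}
static void put_init(uint8_t *rpt, uint32_t cid, uint8_t cmd, size_t declared,
                     const uint8_t *data, size_t n) {
    put_hdr(rpt, cid, cmd | TYPE_INIT);
    rpt[5] = (uint8_t)(declared >> 8); rpt[6] = (uint8_t)declared;
    if (n) memcpy(rpt + INIT_HDR_SIZE, data, min_sz(n, INIT_DATA_SIZE));
}
static void put_cont(uint8_t *rpt, uint32_t cid, uint8_t seq, const uint8_t *data, size_t n) {
    put_hdr(rpt, cid, seq);
    memcpy(rpt + CONT_HDR_SIZE, data, min_sz(n, CONT_DATA_SIZE));
}

#define CID        0x11223344u  /* constructed channel id */
#define U2FHID_MSG 0x03         /* command byte carrying a U2F APDU */

/* Honest device: 60-byte payload as init + one continuation (SEQ 0). Both assemblers
 * accept it; returns the assembled length, or -1 on any failure. */
long scenario_honest(void) {
    uint8_t payload[60], rpts[2 * HID_RPT_SIZE], a[MAX_MSG_SIZE], b[MAX_MSG_SIZE];
    size_t la = 0, lb = 0;
    memset(payload, 'x', sizeof payload);
    put_init(rpts, CID, U2FHID_MSG, 60, payload, 57);
    put_cont(rpts + HID_RPT_SIZE, CID, 0, payload + 57, 3);
    if (assemble_checked(rpts, 2, a, sizeof a, &la) != 0) return -1;
    if (assemble_unchecked(rpts, 2, b, sizeof b, &lb) != 0) return -1;
    if (la != lb || memcmp(a, payload, 60) || memcmp(b, payload, 60)) return -1;
    return (long)la;
}

/* Lying device: declares 65535 bytes while the host buffer holds 64. The hardened
 * assembler refuses before copying anything (returns -1). */
int scenario_oversized_bcnt(void) {
    uint8_t rpts[HID_RPT_SIZE], out[64];
    size_t outlen = 0;
    put_init(rpts, CID, U2FHID_MSG, 0xffff, NULL, 0);
    return assemble_checked(rpts, 1, out, sizeof out, &outlen);
}

int main(void) {
    printf("honest 60-byte message  -> %ld bytes assembled\n", scenario_honest());
    printf("BCNT=65535, 64-byte buf -> %d (rejected)\n", scenario_oversized_bcnt());
    return 0;
}
```

The lying-device case is deliberately run only through the hardened assembler: the point of the unchecked variant is that nothing in it relates the declared length to the buffer it writes into, which is exactly why a device under an attacker's control, rather than a genuine key, is the threat the advisory describes. In a real host library the same validation belongs at every point where a length, count or offset read from the device selects how much to copy.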
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2019-04-27 07:41:49 UTC
The fix for this version as per YubiKey is: Version 1.1.7 (released 2019-01-08)
Current released version is: Version 1.1.9 (released 2019-03-06)

Maintainers, can you please act on this as soon as possible?
Comment 2 Larry the Git Cow gentoo-dev 2019-06-05 20:05:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a1fc80ba7e47494400019c924245aff51b8307e

commit 1a1fc80ba7e47494400019c924245aff51b8307e
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2019-06-05 20:00:59 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2019-06-05 20:05:25 +0000

    app-crypt/libu2f-host: bump to 1.1.10
    
    Bug: https://bugs.gentoo.org/678580
    Bug: https://bugs.gentoo.org/679724
    Package-Manager: Portage-2.3.67, Repoman-2.3.12
    Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>

 app-crypt/libu2f-host/Manifest                  |  1 +
 app-crypt/libu2f-host/libu2f-host-1.1.10.ebuild | 47 +++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2019-06-08 19:09:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=51323d25822747871328d2d8578f48cdd5dbe8c5

commit 51323d25822747871328d2d8578f48cdd5dbe8c5
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2019-06-08 19:08:27 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2019-06-08 19:08:27 +0000

    app-crypt/libu2f-host: remove old vulnerable #678580 #679724
    
    Bug: https://bugs.gentoo.org/678580
    Bug: https://bugs.gentoo.org/679724
    Package-Manager: Portage-2.3.67, Repoman-2.3.12
    Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>

 app-crypt/libu2f-host/Manifest                 |  3 --
 app-crypt/libu2f-host/libu2f-host-1.1.1.ebuild | 63 --------------------------
 app-crypt/libu2f-host/libu2f-host-1.1.3.ebuild | 55 ----------------------
 app-crypt/libu2f-host/libu2f-host-1.1.6.ebuild | 55 ----------------------
 4 files changed, 176 deletions(-)
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2020-04-16 07:15:47 UTC
GLSA Vote: Yes
New GLSA Request filed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2020-04-30 23:14:17 UTC
This issue was resolved and addressed in GLSA 202004-15 at https://security.gentoo.org/glsa/202004-15 by GLSA coordinator Thomas Deutschmann (whissi).