Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 679724 (CVE-2019-9578) - <app-crypt/libu2f-host-1.1.10: Unspecified vulnerability (CVE-2019-9578)
Summary: <app-crypt/libu2f-host-1.1.10: Unspecified vulnerability (CVE-2019-9578)
Status: RESOLVED FIXED
Alias: CVE-2019-9578
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-07 22:34 UTC by GLSAMaker/CVETool Bot
Modified: 2020-04-30 23:14 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-03-07 22:34:40 UTC
CVE-2019-9578 (https://nvd.nist.gov/vuln/detail/CVE-2019-9578):
  In devs.c in Yubico libu2f-host before 1.1.8, the response to init is
  misparsed, leaking uninitialized stack memory back to the device.


Please remove all previous version. They are masked, but as time permits please put up the new version and remove the ones that are vulnerable
Comment 1 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-03-08 18:26:15 UTC
This is actually _affects_ stable
Comment 2 Larry the Git Cow gentoo-dev 2019-06-05 20:05:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a1fc80ba7e47494400019c924245aff51b8307e

commit 1a1fc80ba7e47494400019c924245aff51b8307e
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2019-06-05 20:00:59 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2019-06-05 20:05:25 +0000

    app-crypt/libu2f-host: bump to 1.1.10
    
    Bug: https://bugs.gentoo.org/678580
    Bug: https://bugs.gentoo.org/679724
    Package-Manager: Portage-2.3.67, Repoman-2.3.12
    Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>

 app-crypt/libu2f-host/Manifest                  |  1 +
 app-crypt/libu2f-host/libu2f-host-1.1.10.ebuild | 47 +++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2019-06-08 19:09:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=51323d25822747871328d2d8578f48cdd5dbe8c5

commit 51323d25822747871328d2d8578f48cdd5dbe8c5
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2019-06-08 19:08:27 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2019-06-08 19:08:27 +0000

    app-crypt/libu2f-host: remove old vulnerable #678580 #679724
    
    Bug: https://bugs.gentoo.org/678580
    Bug: https://bugs.gentoo.org/679724
    Package-Manager: Portage-2.3.67, Repoman-2.3.12
    Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>

 app-crypt/libu2f-host/Manifest                 |  3 --
 app-crypt/libu2f-host/libu2f-host-1.1.1.ebuild | 63 --------------------------
 app-crypt/libu2f-host/libu2f-host-1.1.3.ebuild | 55 ----------------------
 app-crypt/libu2f-host/libu2f-host-1.1.6.ebuild | 55 ----------------------
 4 files changed, 176 deletions(-)
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2020-04-16 07:16:03 UTC
GLSA Vote: Yes
Added to an existing GLSA Request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2020-04-30 23:14:26 UTC
This issue was resolved and addressed in
 GLSA 202004-15 at https://security.gentoo.org/glsa/202004-15
by GLSA coordinator Thomas Deutschmann (whissi).