Bug 679724 (CVE-2019-9578) - <app-crypt/libu2f-host-1.1.10: Unspecified vulnerability (CVE-2019-9578)
Summary: <app-crypt/libu2f-host-1.1.10: Unspecified vulnerability (CVE-2019-9578)
Status: RESOLVED FIXED
Alias: CVE-2019-9578
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: B3 [glsa+ cve]
Reported: 2019-03-07 22:34 UTC by GLSAMaker/CVETool Bot
Modified: 2020-04-30 23:14 UTC

Description GLSAMaker/CVETool Bot gentoo-dev 2019-03-07 22:34:40 UTC
CVE-2019-9578 (https://nvd.nist.gov/vuln/detail/CVE-2019-9578):
  In devs.c in Yubico libu2f-host before 1.1.8, the response to init is
  misparsed, leaking uninitialized stack memory back to the device.


Please remove all previous versions. They are masked, but as time permits please put up the new version and remove the ones that are vulnerable.
Comment 1 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-08 18:26:15 UTC
This actually _affects_ stable
Comment 2 Larry the Git Cow gentoo-dev 2019-06-05 20:05:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a1fc80ba7e47494400019c924245aff51b8307e

commit 1a1fc80ba7e47494400019c924245aff51b8307e
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2019-06-05 20:00:59 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2019-06-05 20:05:25 +0000

    app-crypt/libu2f-host: bump to 1.1.10
    
    Bug: https://bugs.gentoo.org/678580
    Bug: https://bugs.gentoo.org/679724
    Package-Manager: Portage-2.3.67, Repoman-2.3.12
    Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>

 app-crypt/libu2f-host/Manifest                  |  1 +
 app-crypt/libu2f-host/libu2f-host-1.1.10.ebuild | 47 +++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2019-06-08 19:09:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=51323d25822747871328d2d8578f48cdd5dbe8c5

commit 51323d25822747871328d2d8578f48cdd5dbe8c5
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2019-06-08 19:08:27 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2019-06-08 19:08:27 +0000

    app-crypt/libu2f-host: remove old vulnerable #678580 #679724
    
    Bug: https://bugs.gentoo.org/678580
    Bug: https://bugs.gentoo.org/679724
    Package-Manager: Portage-2.3.67, Repoman-2.3.12
    Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>

 app-crypt/libu2f-host/Manifest                 |  3 --
 app-crypt/libu2f-host/libu2f-host-1.1.1.ebuild | 63 --------------------------
 app-crypt/libu2f-host/libu2f-host-1.1.3.ebuild | 55 ----------------------
 app-crypt/libu2f-host/libu2f-host-1.1.6.ebuild | 55 ----------------------
 4 files changed, 176 deletions(-)
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2020-04-16 07:16:03 UTC
GLSA Vote: Yes
Added to an existing GLSA Request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2020-04-30 23:14:26 UTC
This issue was resolved and addressed in
 GLSA 202004-15 at https://security.gentoo.org/glsa/202004-15
by GLSA coordinator Thomas Deutschmann (whissi).