On Wed, Aug 28, 2019 at 10:29:02PM +0200, Nicolas Braud-Santoni wrote:
> I would like to backport the following patches for libu2f-host to stretch:
> 
>   + Fix for CVE-2019-9578 (Closes: #923874)

I was confused: the issue backported here is a minor security issue for which no CVE was assigned.
(CVE-2019-9578 / #923874 impacts stretch, and should be addressed in stretch-pu)

An updated debdiff is attached.


Best,

  nicoo
diff -Nru libu2f-host-1.1.9/debian/changelog libu2f-host-1.1.9/debian/changelog
--- libu2f-host-1.1.9/debian/changelog  2019-03-08 11:59:52.000000000 +0100
+++ libu2f-host-1.1.9/debian/changelog  2019-08-28 22:23:32.000000000 +0200
@@ -1,3 +1,19 @@
+libu2f-host (1.1.9-1+deb10u1) buster; urgency=medium
+
+  * Backport patches from upstream
+    + Fix for a minor security issue (uninitialized buffer access)
+    + Support for new hardware devices
+      - Kensington Verimark
+      - KeyID U2F
+      - Ledger Nano S and X
+      - Longmai mFIDO
+      - SoloKeys (Closes: #925274)
+      - Trezor
+
+  * Configure git-buildpackage for buster
+
+ -- Nicolas Braud-Santoni <ni...@debian.org>  Wed, 28 Aug 2019 22:23:32 +0200
+
 libu2f-host (1.1.9-1) unstable; urgency=high (security fix)
 
   * New upstream version 1.1.9
diff -Nru libu2f-host-1.1.9/debian/gbp.conf libu2f-host-1.1.9/debian/gbp.conf
--- libu2f-host-1.1.9/debian/gbp.conf   2019-03-08 11:59:52.000000000 +0100
+++ libu2f-host-1.1.9/debian/gbp.conf   2019-08-28 22:23:32.000000000 +0200
@@ -1,3 +1,7 @@
 [DEFAULT]
+debian-branch = debian/buster
 pristine-tar = True
 sign-tags = True
+
+[buildpackage]
+dist = buster
diff -Nru 
libu2f-host-1.1.9/debian/patches/0001-Add-udev-rule-for-additional-devices.patch
 
libu2f-host-1.1.9/debian/patches/0001-Add-udev-rule-for-additional-devices.patch
--- 
libu2f-host-1.1.9/debian/patches/0001-Add-udev-rule-for-additional-devices.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
libu2f-host-1.1.9/debian/patches/0001-Add-udev-rule-for-additional-devices.patch
    2019-08-28 22:23:32.000000000 +0200
@@ -0,0 +1,62 @@
+Subject: Add udev rule for additional devices
+
++ Ledger Nano S and X
++ Kensington Verimark
++ Longmai mFIDO
++ KeyID U2F
++ SoloKeys
++ Trezor
+---
+ 70-u2f.rules | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/70-u2f.rules b/70-u2f.rules
+index 682e45f..8ab5bcf 100644
+Origin: vendor
+Bug-Debian: 925274
+From: Nicolas Stalder <n...@stalder.io>
+Reviewed-by: Nicolas Braud-Santoni <ni...@debian.org>
+Last-Update: 2019-08-28
+Applied-Upstream: yes
+
+--- a/70-u2f.rules
++++ b/70-u2f.rules
+@@ -25,10 +25,10 @@ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", 
ATTRS{idVendor}=="2581", ATTRS{idProduct
+ # Neowave Keydo and Keydo AES
+ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1e0d", 
ATTRS{idProduct}=="f1d0|f1ae", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+ 
+-# HyperSecu HyperFIDO
++# HyperSecu HyperFIDO, KeyID U2F
+ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e|2ccf", 
ATTRS{idProduct}=="0880", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+ 
+-# Feitian ePass FIDO, BioPass FIDO2
++# Feitian ePass FIDO, BioPass FIDO2, KeyID U2F
+ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", 
ATTRS{idProduct}=="0850|0852|0853|0854|0856|0858|085a|085b|085d", 
TAG+="uaccess", GROUP="plugdev", MODE="0660"
+ 
+ # JaCarta U2F
+@@ -52,7 +52,23 @@ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", 
ATTRS{idVendor}=="20a0", ATTRS{idProduct
+ # Google Titan U2F
+ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="18d1", 
ATTRS{idProduct}=="5026", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+ 
+-# Tomu board + chopstx U2F
+-KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="0483", 
ATTRS{idProduct}=="cdab", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++# Tomu board + chopstx U2F + SoloKeys
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="0483", 
ATTRS{idProduct}=="cdab|a2ca", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++
++# SoloKeys
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1209", 
ATTRS{idProduct}=="5070|50b0", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++
++# Trezor
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="534c", 
ATTRS{idProduct}=="0001", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1209", 
ATTRS{idProduct}=="53c1", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++
++# Ledger Nano S and Nano X
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2c97", 
ATTRS{idProduct}=="0001|0004", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++
++# Kensington VeriMark
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="06cb", 
ATTRS{idProduct}=="0088", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++
++# Longmai mFIDO
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="4c4d", 
ATTRS{idProduct}=="f703", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+ 
+ LABEL="u2f_end"
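Review bot: The DEP-3 header of this patch is inconsistent with itself: `Origin: vendor` (the line after `index 682e45f..8ab5bcf`) sits next to `Applied-Upstream: yes`, yet no upstream commit or URL is given, so a reviewer of this buster update cannot check the added VID/PID table against what upstream actually merged; for a security-flavoured update it should read `Origin: upstream, <commit URL>` (or `backport, <URL>`). The header lines are also split around the `diff --git`/`index` lines instead of being kept together above the first `---`, which quilt tolerates but reads as two half-headers. On the rules themselves, every added line grants `TAG+="uaccess", GROUP="plugdev", MODE="0660"` on a hidraw node keyed only on USB idVendor/idProduct, which any device can present, so this is an access grant to whoever plugs the device in, not an authenticity check — worth one comment at the top of the new block: `# Matching is by USB VID/PID only; any device can claim these IDs, so these rules grant access, they do not authenticate the token.` The Trezor (534c:0001, 1209:53c1) and Ledger (2c97:0001|0004) entries are wallet devices; if their hidraw node also carries non-U2F wallet traffic, this rule opens that interface to every seat/`plugdev` user as well — confirm that is intended.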
diff -Nru 
libu2f-host-1.1.9/debian/patches/0002-Initialize-the-respone-buffer-to-0.patch 
libu2f-host-1.1.9/debian/patches/0002-Initialize-the-respone-buffer-to-0.patch
--- 
libu2f-host-1.1.9/debian/patches/0002-Initialize-the-respone-buffer-to-0.patch  
    1970-01-01 01:00:00.000000000 +0100
+++ 
libu2f-host-1.1.9/debian/patches/0002-Initialize-the-respone-buffer-to-0.patch  
    2019-08-28 22:23:32.000000000 +0200
@@ -0,0 +1,32 @@
+Subject: Initialize the respone buffer to 0
+
+Some of the code paths check if *response == NULL and if we end up at
+the end main without anything actually setting the response we might
+be printing random stack memory.
+
+Found by static code checker: "line 135: Potentially uninitialized buffer 
'response' used. Consider checking the first actual argument of the 'strlen' 
function."
+---
+ src/u2f-host.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/u2f-host.c b/src/u2f-host.c
+index d8abdb4..f440558 100644
+Origin: vendor
+Bug: CVE-2019-9578
+Bug-Debian: 923874
+From: Gabriel Kihlman <g.kihl...@yubico.com>
+Reviewed-by: Nicolas Braud-Santoni <ni...@debian.org>
+Last-Update: 2019-08-28
+Applied-Upstream: yes
+
+--- a/src/u2f-host.c
++++ b/src/u2f-host.c
+@@ -33,7 +33,7 @@ main (int argc, char *argv[])
+   struct gengetopt_args_info args_info;
+   char challenge[BUFSIZ];
+   size_t chal_len;
+-  char response[2048];
++  char response[2048] = {0};
+   size_t response_len = sizeof (response);
+   u2fh_devs *devs = NULL;
+   u2fh_cmdflags flags = 0;
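Review bot: The `Bug: CVE-2019-9578` and `Bug-Debian: 923874` trailers in this patch header contradict the cover mail and the changelog entry, which say this is a minor issue with no CVE and that CVE-2019-9578/#923874 is a different bug still pending for stretch-pu; drop or correct those two lines so the security tracker does not record CVE-2019-9578 as fixed by 1.1.9-1+deb10u1. As in the first patch, `Origin: vendor` alongside `Applied-Upstream: yes` with no commit reference should become `Origin: upstream, <commit URL>` so the backport can be verified against upstream. The fix `char response[2048] = {0};` only turns the unset buffer into a valid empty string: the `strlen` on the line 135 the description quotes (outside this hunk) then prints nothing rather than stack garbage, but the path in which `main` reaches the print without any command having filled `response` is still not guarded, so an explicit check before printing (a flag set on the paths that write `response`, or a test on `response_len` if the successful paths update it — confirm against the rest of `main`, which lies outside the hunk) would address the root cause rather than its symptom. Minor: the Subject and file name spell "respone".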
diff -Nru libu2f-host-1.1.9/debian/patches/series 
libu2f-host-1.1.9/debian/patches/series
--- libu2f-host-1.1.9/debian/patches/series     1970-01-01 01:00:00.000000000 
+0100
+++ libu2f-host-1.1.9/debian/patches/series     2019-08-28 22:23:32.000000000 
+0200
@@ -0,0 +1,2 @@
+0001-Add-udev-rule-for-additional-devices.patch
+0002-Initialize-the-respone-buffer-to-0.patch

Attachment: signature.asc
Description: PGP signature
