On Wed, Aug 28, 2019 at 10:29:02PM +0200, Nicolas Braud-Santoni wrote: > I would like to backport the following patches for libu2f-host to stretch: > > + Fix for CVE-2019-9578 (Closes: #923874)
I was confused: this is a minor security issue for which no CVE was assigned. (CVE-2019-9578 / #923874 affects stretch and should be addressed in stretch-pu.) An updated debdiff is attached. Best, nicoo
diff -Nru libu2f-host-1.1.9/debian/changelog libu2f-host-1.1.9/debian/changelog
--- libu2f-host-1.1.9/debian/changelog 2019-03-08 11:59:52.000000000 +0100
+++ libu2f-host-1.1.9/debian/changelog 2019-08-28 22:23:32.000000000 +0200
@@ -1,3 +1,19 @@
+libu2f-host (1.1.9-1+deb10u1) buster; urgency=medium
+
+ * Backport patches from upstream
+ + Fix for a minor security issue (uninitialized buffer access)
+ + Support for new hardware devices
+ - Kensington Verimark
+ - KeyID U2F
+ - Ledger Nano S and X
+ - Longmai mFIDO
+ - SoloKeys (Closes: #925274)
+ - Trezor
+
+ * Configure git-buildpackage for buster
+
+ -- Nicolas Braud-Santoni <ni...@debian.org> Wed, 28 Aug 2019 22:23:32 +0200
+
 libu2f-host (1.1.9-1) unstable; urgency=high (security fix)
 
 * New upstream version 1.1.9
diff -Nru libu2f-host-1.1.9/debian/gbp.conf libu2f-host-1.1.9/debian/gbp.conf
--- libu2f-host-1.1.9/debian/gbp.conf 2019-03-08 11:59:52.000000000 +0100
+++ libu2f-host-1.1.9/debian/gbp.conf 2019-08-28 22:23:32.000000000 +0200
@@ -1,3 +1,7 @@
 [DEFAULT]
+debian-branch = debian/buster
 pristine-tar = True
 sign-tags = True
+
+[buildpackage]
+dist = buster
diff -Nru libu2f-host-1.1.9/debian/patches/0001-Add-udev-rule-for-additional-devices.patch libu2f-host-1.1.9/debian/patches/0001-Add-udev-rule-for-additional-devices.patch
--- libu2f-host-1.1.9/debian/patches/0001-Add-udev-rule-for-additional-devices.patch 1970-01-01 01:00:00.000000000 +0100
+++ libu2f-host-1.1.9/debian/patches/0001-Add-udev-rule-for-additional-devices.patch 2019-08-28 22:23:32.000000000 +0200
@@ -0,0 +1,62 @@
+Subject: Add udev rule for additional devices
+
++ Ledger Nano S and X
++ Kensington Verimark
++ Longmai mFIDO
++ KeyID U2F
++ SoloKeys
++ Trezor
+---
+ 70-u2f.rules | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/70-u2f.rules b/70-u2f.rules
+index 682e45f..8ab5bcf 100644
+Origin: vendor
+Bug-Debian: 925274
+From: Nicolas Stalder <n...@stalder.io>
+Reviewed-by: Nicolas Braud-Santoni <ni...@debian.org>
+Last-Update: 2019-08-28
+Applied-Upstream: yes
+
+--- a/70-u2f.rules
++++ b/70-u2f.rules
+@@ -25,10 +25,10 @@ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2581", ATTRS{idProduct
+ # Neowave Keydo and Keydo AES
+ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1e0d", ATTRS{idProduct}=="f1d0|f1ae", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+ 
+-# HyperSecu HyperFIDO
++# HyperSecu HyperFIDO, KeyID U2F
+ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e|2ccf", ATTRS{idProduct}=="0880", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+ 
+-# Feitian ePass FIDO, BioPass FIDO2
++# Feitian ePass FIDO, BioPass FIDO2, KeyID U2F
+ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0850|0852|0853|0854|0856|0858|085a|085b|085d", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+ 
+ # JaCarta U2F
+@@ -52,7 +52,23 @@ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct
+ # Google Titan U2F
+ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="5026", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+ 
+-# Tomu board + chopstx U2F
+-KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="cdab", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++# Tomu board + chopstx U2F + SoloKeys
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="cdab|a2ca", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++
++# SoloKeys
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5070|50b0", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++
++# Trezor
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++
++# Ledger Nano S and Nano X
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0001|0004", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++
++# Kensington VeriMark
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="06cb", ATTRS{idProduct}=="0088", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++
++# Longmai mFIDO
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="4c4d", ATTRS{idProduct}=="f703", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+ 
+ LABEL="u2f_end"
diff -Nru libu2f-host-1.1.9/debian/patches/0002-Initialize-the-respone-buffer-to-0.patch libu2f-host-1.1.9/debian/patches/0002-Initialize-the-respone-buffer-to-0.patch
--- libu2f-host-1.1.9/debian/patches/0002-Initialize-the-respone-buffer-to-0.patch 1970-01-01 01:00:00.000000000 +0100
+++ libu2f-host-1.1.9/debian/patches/0002-Initialize-the-respone-buffer-to-0.patch 2019-08-28 22:23:32.000000000 +0200
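Review bot: The comment on the Feitian rule in the first inner hunk now reads `+# Feitian ePass FIDO, BioPass FIDO2, KeyID U2F`, yet that rule's vendor and product lists are unchanged, while the HyperSecu rule is the one that actually gained vendor `2ccf` alongside the same "KeyID U2F" label. If KeyID hardware only matches `2ccf:0880` this second comment misattributes it and the Feitian line should stay `# Feitian ePass FIDO, BioPass FIDO2`; if KeyID also ships a `096e:085x` device, a one-line comment naming which product ID it is would make the rule auditable. The new entries under vendor `1209` are presumably a shared community vendor ID, so narrowing by `ATTRS{idProduct}` there, as the hunk does, is what keeps unrelated devices from being granted plugdev access — worth stating in the patch description since the Ledger and Trezor devices expose more than a U2F interface.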
@@ -0,0 +1,32 @@
+Subject: Initialize the respone buffer to 0
+
+Some of the code paths check if *response == NULL and if we end up at
+the end main without anything actually setting the response we might
+be printing random stack memory.
+
+Found by static code checker: "line 135: Potentially uninitialized buffer 'response' used. Consider checking the first actual argument of the 'strlen' function."
+---
+ src/u2f-host.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/u2f-host.c b/src/u2f-host.c
+index d8abdb4..f440558 100644
+Origin: vendor
+Bug: CVE-2019-9578
+Bug-Debian: 923874
+From: Gabriel Kihlman <g.kihl...@yubico.com>
+Reviewed-by: Nicolas Braud-Santoni <ni...@debian.org>
+Last-Update: 2019-08-28
+Applied-Upstream: yes
+
+--- a/src/u2f-host.c
++++ b/src/u2f-host.c
+@@ -33,7 +33,7 @@ main (int argc, char *argv[])
+ struct gengetopt_args_info args_info;
+ char challenge[BUFSIZ];
+ size_t chal_len;
+- char response[2048];
++ char response[2048] = {0};
+ size_t response_len = sizeof (response);
+ u2fh_devs *devs = NULL;
+ u2fh_cmdflags flags = 0;
diff -Nru libu2f-host-1.1.9/debian/patches/series libu2f-host-1.1.9/debian/patches/series
--- libu2f-host-1.1.9/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libu2f-host-1.1.9/debian/patches/series 2019-08-28 22:23:32.000000000 +0200
@@ -0,0 +1,2 @@
+0001-Add-udev-rule-for-additional-devices.patch
+0002-Initialize-the-respone-buffer-to-0.patch
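Review bot: The DEP-3 header `+Bug: CVE-2019-9578` in the 0002 patch contradicts the cover mail, which says this uninitialized-buffer issue has no CVE and that CVE-2019-9578 / #923874 is a different problem affecting stretch; shipping the patch with that header (and `+Bug-Debian: 923874`) will mislabel the fix in the security tracker and in anyone triaging buster. Drop the `Bug:` line and point `Bug-Debian:` at the correct report, or at an upstream reference such as `Bug: <UPSTREAM-ISSUE-URL>` (placeholder), so the metadata matches the changelog entry "minor security issue (uninitialized buffer access)". The change itself, `char response[2048] = {0};`, only guarantees an empty string when no code path writes `response`; whether a partial write can still leave the buffer unterminated before the `strlen` the checker flagged is decided later in `main`, which continues outside this hunk, so a sentence in the patch description stating that the zero-init covers only the "nothing set the response" path would keep the scope honest.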