Much appreciated. Thanks,

Manbeer Singh Bhander
Security Technical Program Manager | Yubico <http://www.yubico.com/>

On Fri, Feb 8, 2019 at 2:10 PM Steve Beattie <[email protected]> wrote:
> Making public now that the CRD has passed.
>
> Upstream commit is
> https://github.com/Yubico/libu2f-host/commit/4d490bb2c528c351e32837fcdaebd998eb5d3f27 .
>
> Thanks!
>
> ** Information type changed from Private Security to Public Security
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1814153
>
> Title:
>   Upcoming Security Release of a Yubico Library (Moderate severity, CVSS
>   6.3) - Unchecked Buffer libu2f-host
>
> Status in libu2f-host package in Ubuntu:
>   Triaged
>
> Bug description:
>   An external security researcher has found an issue on one of our open
>   source libraries (libu2f-host) and we are planning on releasing a new
>   version of the library and then also push the fix to github
>   (https://github.com/Yubico/libu2f-host).
>
>   We have agreed on this being of Moderate severity with a CVSS score of
>   6.3. We have also acquired a CVE number for it (CVE-2018-20340, not
>   yet public). Please note that the CVSS score of 6.3 could be
>   considered too low. Depending on how you interpret it, it could also be
>   7.0 (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
>
>   This bug is under embargo and the disclosure date & time are set for
>   8th of February, 12.00 CET, so we would be grateful if you could
>   withhold any information or patches until then.
>
>   Below is text from our not yet published advisory. I have left out the
>   parts that are not particular to Linux.
>
>   I have attached a patch that applies cleanly to 1.1.4 (Bionic) and
>   1.1.6 (Cosmic).
>
>   Please let us know if you have any questions or require anything else
>   from us.
>
>   Thanks,
>
>   Manbeer Singh Bhander on behalf of [email protected]
>
>   ---
>   Security Advisory 2019-02-08 - Unchecked Buffer in libu2f-host
>   ==============================================================
>   Tracking IDs: YSA-2019-01, CVE-2018-20340
>
>   Summary
>   -------
>   Yubico library libu2f-host prior to version 1.1.7 contains an unchecked
>   buffer, which could allow a buffer overflow. Libu2f-host is a library
>   that implements the host party of the U2F protocol. This issue can allow
>   an attacker with a custom made malicious USB device masquerading as a
>   security key, and physical access to a computer where PAM U2F or an
>   application with libu2f-host integrated, to potentially execute
>   arbitrary code on that computer. Users of the YubiKey PAM U2F Tool are
>   the most impacted since the arbitrary code could execute with elevated
>   privileges. It is not possible to perform this attack with genuine
>   YubiKey devices and users utilizing a browser implementation of U2F are
>   not affected by this issue.
>
>   User Actions
>   ------------
>   The affected library is included in a variety of applications. We
>   recommend updating all affected software listed below.
>
>   Affected Yubico Software:
>   o YubiKey NEO Manager
>     Use YubiKey Manager in place of YubiKey NEO Manager.
>   o PAM U2F tool
>     Update the libu2f-host library that libpam-u2f depends on.
>
>   How to Tell if You're Affected - Non-Yubico Software
>   ----------------------------------------------------
>   Libu2f-host is an open source implementation of U2F that is made
>   available for solution providers to incorporate for U2F in their
>   products. Software that uses libu2f-host prior to version 1.1.7 could be
>   affected by this issue. Yubico recommends that developers who use
>   libu2f-host in their products update to the latest version of
>   libu2f-host. Libu2f-host version 1.1.7 or above addresses the issue.
>
>   In order to determine if a U2F application is using a vulnerable
>   version of libu2f-host, users of U2F enabled software applications may
>   execute the platform specific instructions below.
>
>   Because these methods can have varying degrees of accuracy depending
>   on the design of the application, Yubico encourages users to contact
>   U2F application providers directly to find out if the application is
>   impacted, and if so, whether an update is available.
>
>   To see if libu2f-host is installed in the library path use the ldconfig
>   command:
>     $ /sbin/ldconfig -p|grep libu2f-host
>     libu2f-host.so.0 (libc6,x86-64) => /usr/local/lib/libu2f-host.so.0
>     libu2f-host.so (libc6,x86-64) => /usr/local/lib/libu2f-host.so
>   To see if a certain application is linked with the library use the ldd
>   command:
>     $ ldd your-u2f-application|grep libu2f-host
>     libu2f-host.so.0 => /usr/local/lib/libu2f-host.so.0
>
>   Downloads
>   ---------
>   The latest release, 1.1.7, of libu2f-host can be found here under
>   "releases": https://developers.yubico.com/libu2f-host/
>
>   Aggregate Severity Rating
>   -------------------------
>   Yubico has rated this issue as Moderate based on maximum security
>   impact. The base CVSS score is 6.3
>   (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
>
>   Acknowledgments
>   ---------------
>   On December 18, 2018, Christian Reitter notified Yubico of a security
>   issue. We thank Christian Reitter for reporting this issue and working
>   with us under coordinated vulnerability disclosure.
>
>   =============================================================================
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/libu2f-host/+bug/1814153/+subscriptions
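The advisory's "How to Tell if You're Affected" steps, turned into a small script. This is an added example, not code from the advisory, from Yubico or from the Launchpad thread; it assumes a Debian/Ubuntu host and that the library package is named libu2f-host0 (an assumption), and treats 1.1.7 as the first fixed release, as the advisory states.

```shell
#!/bin/sh
# Added example (not from the advisory or the thread): automates the ldconfig/ldd
# checks the advisory describes and compares the installed package version with
# 1.1.7, the first release addressing YSA-2019-01 / CVE-2018-20340. Assumes a
# Debian/Ubuntu host and a library package named libu2f-host0 (assumption).
FIXED_VERSION="1.1.7"

# Strip Debian epoch and revision ("1:1.1.6-1ubuntu1" -> "1.1.6") so that only
# the upstream version is compared.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/[-+~].*//'
}

# Return 0 (true) when dotted version $1 is older than $2, comparing numeric
# components one at a time (so 1.1.10 is correctly newer than 1.1.7).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1   # equal
}

# Return 0 when a package version string is below the fixed release.
is_vulnerable_version() {
    version_lt "$(upstream_version "$1")" "$FIXED_VERSION"
}

# Report on this host; optionally pass a binary to inspect with ldd.
check_host() {
    found=$(/sbin/ldconfig -p 2>/dev/null | awk '/libu2f-host/ { print $NF }')
    if [ -z "$found" ]; then echo "libu2f-host not in the linker cache"; return 0; fi
    echo "libu2f-host present:"; printf '  %s\n' $found
    pkgver=$(dpkg-query -W -f '${Version}' libu2f-host0 2>/dev/null) || pkgver=""
    if [ -n "$pkgver" ] && is_vulnerable_version "$pkgver"; then
        echo "VULNERABLE: libu2f-host0 $pkgver is older than $FIXED_VERSION"
    elif [ -n "$pkgver" ]; then
        echo "OK: libu2f-host0 $pkgver is $FIXED_VERSION or newer"
    fi
    if [ -n "${1:-}" ] && ldd "$1" 2>/dev/null | grep -q libu2f-host; then
        echo "$1 is linked against libu2f-host"
    fi
}

check_host "$@"
```

Run as `sh check-libu2f.sh /path/to/your-u2f-application` to also perform the ldd step on one binary; a library built from source outside the package system shows up in the linker cache but gets no version verdict.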
