Your message dated Sat, 13 Jul 2019 12:20:04 +0000
with message-id <[email protected]>
and subject line Bug#926551: fixed in yubico-piv-tool 1.7.0-1
has caused the Debian Bug report #926551,
regarding libykpiv1: Security issues in versions prior to 1.7.0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
926551: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926551
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libykpiv1
Version: 1.6.2-1
Severity: serious
Tags: security buster sid upstream fixed-upstream pending
Justification: Security issue

Hi,

Yubico released a new version of libykpiv, mentioning “security fixes” in
the NEWS file, but without publishing a new security advisory.

I believe this refers to the following issues (quoting changelog entries):

* Memory unsafety:
  * lib/internal.h, lib/ykpiv.c: lib: tlv length buffer checks
  * lib/internal.h, lib/util.c: lib: correct overflow checks in _write_certificate
  * lib/util.c, lib/ykpiv.c: lib: resolves potential reads of uninitialized data

* Correctly erasing secrets from memory after use:
  * lib/util.c: lib: clear secrets in set_protected_mgm
  * lib/ykpiv.c: lib: clear secrets in ykpiv_import_private_key
  * lib/ykpiv.c: lib: clear secrets in auth api
  * lib/internal.c, lib/ykpiv.c: lib: clear buffers containing key material
  * lib/internal.h, lib/util.c: lib: use secure zero memory platform functions

* lib/ykpiv.c: lib: check internal authentication crypt errors


Given the absence of an advisory, I assume those issues are not known to be
exploitable.  However, I believe it would be worth fixing them before the
release of Buster.

Please let me know if a fix should be backported to stretch.


Best,

  nicoo


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libykpiv1 depends on:
ii  libc6         2.28-8
ii  libpcsclite1  1.8.24-1
ii  libssl1.1     1.1.1b-1

Versions of packages libykpiv1 recommends:
ii  pcscd  1.8.24-1

libykpiv1 suggests no packages.

-- no debconf information

--- End Message ---
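The two classes of fix listed in the report above, TLV length checks against the receiving buffer (including the overflow checks in the certificate-writing path) and clearing key material with a zeroing routine the compiler cannot drop, are the standard defensive patterns for a smartcard library. The C below is an added example, not libykpiv's or the Debian package's code: a hypothetical TLV parser and encoder that bound every read and write against the buffer, plus a `secure_zero` helper. The single-byte tag, the BER-style short/0x81/0x82 length encoding, and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical TLV record: one-byte tag, BER-style length, value. */
typedef struct {
    uint8_t tag;
    size_t len;
    const uint8_t *value;   /* points into the caller's buffer */
} tlv_t;

/* Parse one TLV from buf. Returns bytes consumed, or 0 if the header is
 * truncated or the declared length exceeds what the buffer still holds.
 * Every comparison is "remaining space" based so pos + len cannot wrap. */
size_t tlv_parse(const uint8_t *buf, size_t buf_len, tlv_t *out)
{
    size_t pos = 0, len;
    if (buf == NULL || out == NULL || buf_len < 2)
        return 0;
    out->tag = buf[pos++];
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                      /* short form */
    } else if (first == 0x81) {
        if (buf_len - pos < 1) return 0;  /* length byte missing */
        len = buf[pos++];
    } else if (first == 0x82) {
        if (buf_len - pos < 2) return 0;  /* length bytes missing */
        len = ((size_t)buf[pos] << 8) | buf[pos + 1];
        pos += 2;
    } else {
        return 0;                         /* indefinite/longer forms rejected */
    }
    if (len > buf_len - pos)              /* the "tlv length buffer check" */
        return 0;
    out->len = len;
    out->value = buf + pos;
    return pos + len;
}

/* Encode tag/val/len into out. Returns bytes written, or 0 if the header
 * plus value would not fit (the write-side overflow check). */
size_t tlv_encode(uint8_t tag, const uint8_t *val, size_t len,
                  uint8_t *out, size_t out_len)
{
    size_t hdr = len < 0x80 ? 2 : (len <= 0xFF ? 3 : (len <= 0xFFFF ? 4 : 0));
    if (hdr == 0 || out == NULL)
        return 0;
    if (out_len < hdr || len > out_len - hdr)   /* never compute hdr + len first */
        return 0;
    out[0] = tag;
    if (hdr == 2) {
        out[1] = (uint8_t)len;
    } else if (hdr == 3) {
        out[1] = 0x81; out[2] = (uint8_t)len;
    } else {
        out[1] = 0x82; out[2] = (uint8_t)(len >> 8); out[3] = (uint8_t)len;
    }
    if (len)
        memcpy(out + hdr, val, len);
    return hdr + len;
}

/* Secure zero: calling memset through a volatile function pointer stops
 * the optimiser treating the clear of a dying buffer as a dead store.
 * explicit_bzero()/memset_s() are the platform routines to prefer when
 * available; this portable fallback has the same intent. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n)
{
    if (p != NULL && n != 0)
        memset_ptr(p, 0, n);
}

/* Uses a constructed sample key, clears it, and returns 1 if every byte
 * is zero afterwards (0 otherwise). */
int use_key_and_clear(void)
{
    uint8_t key[24];
    for (size_t i = 0; i < sizeof key; i++)
        key[i] = (uint8_t)(0xA5 ^ i);     /* constructed key material */
    /* ... key would be used for authentication here ... */
    secure_zero(key, sizeof key);
    for (size_t i = 0; i < sizeof key; i++)
        if (key[i] != 0) return 0;
    return 1;
}

int main(void)
{
    /* Constructed input: declares 5 value bytes but only carries 2. */
    const uint8_t truncated[] = { 0x53, 0x05, 0xAA, 0xBB };
    tlv_t t;
    printf("truncated TLV consumed: %zu (0 = rejected)\n",
           tlv_parse(truncated, sizeof truncated, &t));
    printf("key cleared: %s\n", use_key_and_clear() ? "yes" : "no");
    return 0;
}
```

The parse and encode paths deliberately compare against the remaining length rather than adding offsets and lengths, since an attacker-controlled length can otherwise wrap the addition and pass the check. The zeroing helper is only as good as the call sites: it has to run on every exit path, including error returns, for the buffers that held PIN, management key or private key bytes.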
--- Begin Message ---
Source: yubico-piv-tool
Source-Version: 1.7.0-1

We believe that the bug you reported is fixed in the latest version of
yubico-piv-tool, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas Braud-Santoni <[email protected]> (supplier of updated yubico-piv-tool package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 06 Apr 2019 22:35:22 +0200
Source: yubico-piv-tool
Architecture: source
Version: 1.7.0-1
Distribution: unstable
Urgency: high
Maintainer: Debian Authentication Maintainers <[email protected]>
Changed-By: Nicolas Braud-Santoni <[email protected]>
Closes: 926551
Changes:
 yubico-piv-tool (1.7.0-1) unstable; urgency=high (security fixes)
 .
   [ Nicolas Braud-Santoni ]
   * New upstream version 1.7.0
     + Security fixes. (Closes: #926551)
     + ykcs11: Fix ECDSA signatures.
     + Documentation fixes.
     + libykpiv1: Update symbols file, add Build-Depends-Package metadata
 .
   * debian/upstream: Update keyring and its generation script
 .
   * debian/control
     + Update Uploader's email address
     + Bump Standards-Version to 4.3.0
       No change required.
 .
   * Switch to debhelper 12
   * debian/rules
     + Avoid unnecessary override_dh_install
     + Don't set rpath at build-time, rather than overriding
     + Replace `dh_install --fail-missing` with `dh_missing`
 .
   * ykcs11: Add Lintian overrides for PKCS#11 quirks
   * libykpiv-dev: Do not ship pkgconfig metadata for ykcs11
     + YKCS11 is a PKCS#11 provider
     + This would be the wrong package for it anyhow.
 .
   [ Simon Josefsson ]
   * Drop myself from Uploaders.
Checksums-Sha1:
 561e0887199cab9ed7a0ec562f42393ef51b2e75 2344 yubico-piv-tool_1.7.0-1.dsc
 a53f336b8a14d6e7a6b0f96d69957bf1eeac3286 588206 yubico-piv-tool_1.7.0.orig.tar.gz
 c1e23971e704e7b2b605022cca691e7aa44c57fc 49152 yubico-piv-tool_1.7.0-1.debian.tar.xz
 5dd929e078f2e69bff6cc0265f9dda93665a63e0 7461 yubico-piv-tool_1.7.0-1_amd64.buildinfo
Checksums-Sha256:
 2115fbd1b4d18ec65392d9927f64a8d72bb6bffc8ff0d07263d535544bbe8b97 2344 yubico-piv-tool_1.7.0-1.dsc
 b428527e4031453a637128077983e782e9fea25df98e95e0fc27819b2e82fd7f 588206 yubico-piv-tool_1.7.0.orig.tar.gz
 43a3c1c0c5340ead1f6797162817fd5aa4daea1d45e644ce3af2ef19c0686d57 49152 yubico-piv-tool_1.7.0-1.debian.tar.xz
 152d3ef9aa0b4e4f821946d115119876a1aa169bc21bc8812db76237597b2399 7461 yubico-piv-tool_1.7.0-1_amd64.buildinfo
Files:
 96225c0c0cf1fc6fd726edcdb87b7c60 2344 utils optional yubico-piv-tool_1.7.0-1.dsc
 e0f0fd0e1933e663c6c0efedf348cdd1 588206 utils optional yubico-piv-tool_1.7.0.orig.tar.gz
 a259a45d5c5efd42f40cff1e37824693 49152 utils optional yubico-piv-tool_1.7.0-1.debian.tar.xz
 085e54773f84ec852064db7397646c43 7461 utils optional yubico-piv-tool_1.7.0-1_amd64.buildinfo


--- End Message ---
