Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Control: block 923874 by -1

Dear release team,

I would like to backport the fix for CVE-2019-9578 in the next point release for stretch.
Please find enclosed the proposed debdiff.

Best,

  nicoo

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru libu2f-host-1.1.2/debian/changelog libu2f-host-1.1.2/debian/changelog --- libu2f-host-1.1.2/debian/changelog 2019-02-08 21:42:16.000000000 +0100 +++ libu2f-host-1.1.2/debian/changelog 2019-08-28 23:52:13.000000000 +0200 @@ -1,3 +1,10 @@ +libu2f-host (1.1.2-2+deb9u2) stretch; urgency=medium + + * Backport fix for CVE-2019-9578 (Closes: #923874) + * Configure git-buildpackage for stretch + + -- Nicolas Braud-Santoni <ni...@debian.org> Wed, 28 Aug 2019 23:52:13 +0200 + libu2f-host (1.1.2-2+deb9u1) stretch-security; urgency=high * Backport patch for CVE-2018-20340 (Closes: #921725) diff -Nru libu2f-host-1.1.2/debian/gbp.conf libu2f-host-1.1.2/debian/gbp.conf --- libu2f-host-1.1.2/debian/gbp.conf 2019-02-08 21:42:16.000000000 +0100 +++ libu2f-host-1.1.2/debian/gbp.conf 2019-08-28 23:52:13.000000000 +0200 @@ -1,3 +1,7 @@ [DEFAULT] +debian-branch = debian/stretch pristine-tar = True sign-tags = True + +[buildpackage] +dist = stretch diff -Nru libu2f-host-1.1.2/debian/patches/Fix-CVE-2019-9578.patch libu2f-host-1.1.2/debian/patches/Fix-CVE-2019-9578.patch --- libu2f-host-1.1.2/debian/patches/Fix-CVE-2019-9578.patch 1970-01-01 01:00:00.000000000 +0100 +++ libu2f-host-1.1.2/debian/patches/Fix-CVE-2019-9578.patch 2019-08-28 23:52:13.000000000 +0200 
@@ -0,0 +1,60 @@ +Subject: fix filling out of initresp + +--- + u2f-host/devs.c | 35 +++++++++++++++++++++++------------ + 1 file changed, 23 insertions(+), 12 deletions(-) + +diff --git a/u2f-host/devs.c b/u2f-host/devs.c +index 0c50882..dc2120b 100644 +Origin: vendor +Bug: CVE-2019-9578 +Bug-Debian: 923874 +From: Klas Lindfors <k...@yubico.com> +Reviewed-by: Nicolas Braud-Santoni <ni...@debian.org> +Last-Update: 2019-08-28 +Applied-Upstream: yes + +--- a/u2f-host/devs.c ++++ b/u2f-host/devs.c +@@ -246,18 +246,29 @@ init_device (u2fh_devs * devs, struct u2fdevice *dev) + (devs, dev->id, U2FHID_INIT, nonce, sizeof (nonce), resp, + &resplen) == U2FH_OK) + { +- U2FHID_INIT_RESP initresp; +- if (resplen > sizeof (initresp)) +- { +- return U2FH_MEMORY_ERROR; +- } +- +- memcpy (&initresp, resp, resplen); +- dev->cid = initresp.cid; +- dev->versionInterface = initresp.versionInterface; +- dev->versionMajor = initresp.versionMajor; +- dev->versionMinor = initresp.versionMinor; +- dev->capFlags = initresp.capFlags; ++ int offs = sizeof (nonce); ++ /* the response has to be atleast 17 bytes, if it's more we discard that */ ++ if (resplen < 17) ++ { ++ return U2FH_SIZE_ERROR; ++ } ++ ++ /* incoming and outgoing nonce has to match */ ++ if (memcmp (nonce, resp, sizeof (nonce)) != 0) ++ { ++ return U2FH_TRANSPORT_ERROR; ++ } ++ ++ dev->cid = ++ resp[offs] << 24 | resp[offs + 1] << 16 | resp[offs + ++ 2] << 8 | resp[offs + ++ 3]; ++ offs += 4; ++ dev->versionInterface = resp[offs++]; ++ dev->versionMajor = resp[offs++]; ++ dev->versionMinor = resp[offs++]; ++ dev->versionBuild = resp[offs++]; ++ dev->capFlags = resp[offs++]; + } + else + { diff -Nru libu2f-host-1.1.2/debian/patches/series libu2f-host-1.1.2/debian/patches/series --- libu2f-host-1.1.2/debian/patches/series 2019-02-08 21:42:16.000000000 +0100 +++ libu2f-host-1.1.2/debian/patches/series 2019-08-28 23:52:13.000000000 +0200 @@ -1 +1,2 @@ Fix-CVE-2018-20340.patch +Fix-CVE-2019-9578.patch
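
Review bot: in the `init_device` hunk of the embedded patch, the new `dev->cid = resp[offs] << 24 | ...` assembles the channel ID most-significant byte first, whereas the removed `memcpy (&initresp, resp, resplen); dev->cid = initresp.cid;` took the same four bytes in host byte order, so on a little-endian host `dev->cid` now holds a byte-swapped value for an identical response. The embedded diffstat lists only `u2f-host/devs.c`, so please check that the code which writes `dev->cid` back into outgoing frames agrees with the new order before this goes into a point release. Assuming `cid` is a 4-byte integer, copying the bytes with `memcpy (&dev->cid, resp + offs, sizeof (dev->cid))` would keep the old behaviour while still avoiding the partially initialised `initresp`. Two smaller points: if the shifts stay, cast each byte to `uint32_t` first, since `resp[offs] << 24` shifts a value promoted to `int` (assuming `resp` is a byte array) and overflows for bytes of 0x80 and above; and the literal 17 would be safer written as `sizeof (nonce)` plus the 9 bytes parsed after it, so the length check cannot drift from the offsets.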
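
Review bot: in the header of `debian/patches/Fix-CVE-2019-9578.patch`, `Origin: vendor` contradicts the `From:` line at yubico.com and `Applied-Upstream: yes`, which both describe a change taken from upstream. DEP-3 would have this as `Origin: upstream, <commit URL>` (or `backport, <commit URL>` if it was adapted for 1.1.2), with `Applied-Upstream:` naming the commit or release. The DEP-3 fields also sit after the `diff --git` and `index` lines instead of in the header above the `---` separator, where tools that parse patch metadata look for them, and `Bug:` and `Bug-Debian:` are meant to carry URLs rather than a bare CVE id and bug number.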