Your message dated Sun, 12 Jan 2020 13:57:28 +0200
with message-id <20200112115728.GD26925@localhost>
and subject line libu2f-host 1.1.2-2+deb9u2 was included in Debian 9.10
has caused the Debian Bug report #936007,
regarding stretch-pu: package libu2f-host/1.1.2-2+deb9u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
936007: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936007
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Control: block 923874 by -1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Dear release team,
I would like to backport the fix for CVE-2019-9578 in the next point release
for stretch. Please find enclosed the proposed debdiff.
Best,
nicoo
- -- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL
set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set
to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEEU7EqA8ZVHYoLJhPE5vmO4pLV7MsFAl1m+nIRHG5pY29vQGRl
Ymlhbi5vcmcACgkQ5vmO4pLV7Mt6SxAAr7eu5OYjhIpecngn+g35hCagOawJEUG7
T9iw/fussQ/g1Afxrvoi50Wl7tFBaHI0rLpMmvPb3ZihqW5jv0IJmBtLzgd5B/Bq
SwN6uGhPyaden8Q79h/VI/Cuma/Tmv2B6Y5tGR0/sAsw0+raGWoAilt9oAdD7fbJ
T6Eot0yS7dCLB6rnkzyckKaIiJkbxRSzJCKOxOFsaZFTb+cS8Nj90cqgp5koNzIi
iGTuKoCmC1AN7XF68YDKU2/ZB3Lbp35TPVDGAB8g/qxs+Q4/vgHSLKugaKbqPaGG
dnFvjtx/OWHR20Fbf06bN3NP8dKxwe42Pq4OLwtslyc9iS60dAj0HXS2tsDFDyHc
pfIeQEbGFsgWlPz1ztCFzdo2kDH1rfxDJIRYozcL8vieiaUdDz4F1i1lmHA6DUqc
x4evcQe7K+m2qFDJLOPcphQh0KzivoFn9ttxSEi3lGvImyES3IAuVkZbA8KIb3zR
66YSFG0yiiz8aZn5vajdGJ4ate2sHc+SrvGDCsOb6AbNywMz7pWvRwXGiIEXKEgG
Qgbyobv8xOyE8F61E4HllvuAwmLxDdDSLbQnhckfygw6Wkaxe5yK+CaODEalnbzd
X+ML4b7X8Hhi0iVlJb3YXfmyftww0RXVICFtNeftHCgizdHG6iJnC1+0uWI0iXvr
OGExa2tojgI=
=cc+K
-----END PGP SIGNATURE-----
diff -Nru libu2f-host-1.1.2/debian/changelog libu2f-host-1.1.2/debian/changelog
--- libu2f-host-1.1.2/debian/changelog 2019-02-08 21:42:16.000000000 +0100
+++ libu2f-host-1.1.2/debian/changelog 2019-08-28 23:52:13.000000000 +0200
@@ -1,3 +1,10 @@
+libu2f-host (1.1.2-2+deb9u2) stretch; urgency=medium
+
+ * Backport fix for CVE-2019-9578 (Closes: #923874)
+ * Configure git-buildpackage for stretch
+
+ -- Nicolas Braud-Santoni <ni...@debian.org> Wed, 28 Aug 2019 23:52:13 +0200
+
libu2f-host (1.1.2-2+deb9u1) stretch-security; urgency=high
* Backport patch for CVE-2018-20340 (Closes: #921725)
diff -Nru libu2f-host-1.1.2/debian/gbp.conf libu2f-host-1.1.2/debian/gbp.conf
--- libu2f-host-1.1.2/debian/gbp.conf 2019-02-08 21:42:16.000000000 +0100
+++ libu2f-host-1.1.2/debian/gbp.conf 2019-08-28 23:52:13.000000000 +0200
@@ -1,3 +1,7 @@
[DEFAULT]
+debian-branch = debian/stretch
pristine-tar = True
sign-tags = True
+
+[buildpackage]
+dist = stretch
diff -Nru libu2f-host-1.1.2/debian/patches/Fix-CVE-2019-9578.patch
libu2f-host-1.1.2/debian/patches/Fix-CVE-2019-9578.patch
--- libu2f-host-1.1.2/debian/patches/Fix-CVE-2019-9578.patch 1970-01-01
01:00:00.000000000 +0100
+++ libu2f-host-1.1.2/debian/patches/Fix-CVE-2019-9578.patch 2019-08-28
23:52:13.000000000 +0200
@@ -0,0 +1,60 @@
+Subject: fix filling out of initresp
+
+---
+ u2f-host/devs.c | 35 +++++++++++++++++++++++------------
+ 1 file changed, 23 insertions(+), 12 deletions(-)
+
+diff --git a/u2f-host/devs.c b/u2f-host/devs.c
+index 0c50882..dc2120b 100644
+Origin: vendor
+Bug: CVE-2019-9578
+Bug-Debian: 923874
+From: Klas Lindfors <k...@yubico.com>
+Reviewed-by: Nicolas Braud-Santoni <ni...@debian.org>
+Last-Update: 2019-08-28
+Applied-Upstream: yes
+
+--- a/u2f-host/devs.c
++++ b/u2f-host/devs.c
+@@ -246,18 +246,29 @@ init_device (u2fh_devs * devs, struct u2fdevice *dev)
+ (devs, dev->id, U2FHID_INIT, nonce, sizeof (nonce), resp,
+ &resplen) == U2FH_OK)
+ {
+- U2FHID_INIT_RESP initresp;
+- if (resplen > sizeof (initresp))
+- {
+- return U2FH_MEMORY_ERROR;
+- }
+-
+- memcpy (&initresp, resp, resplen);
+- dev->cid = initresp.cid;
+- dev->versionInterface = initresp.versionInterface;
+- dev->versionMajor = initresp.versionMajor;
+- dev->versionMinor = initresp.versionMinor;
+- dev->capFlags = initresp.capFlags;
++ int offs = sizeof (nonce);
++ /* the response has to be atleast 17 bytes, if it's more we discard
that */
++ if (resplen < 17)
++ {
++ return U2FH_SIZE_ERROR;
++ }
++
++ /* incoming and outgoing nonce has to match */
++ if (memcmp (nonce, resp, sizeof (nonce)) != 0)
++ {
++ return U2FH_TRANSPORT_ERROR;
++ }
++
++ dev->cid =
++ resp[offs] << 24 | resp[offs + 1] << 16 | resp[offs +
++ 2] << 8 | resp[offs +
++ 3];
++ offs += 4;
++ dev->versionInterface = resp[offs++];
++ dev->versionMajor = resp[offs++];
++ dev->versionMinor = resp[offs++];
++ dev->versionBuild = resp[offs++];
++ dev->capFlags = resp[offs++];
+ }
+ else
+ {
diff -Nru libu2f-host-1.1.2/debian/patches/series
libu2f-host-1.1.2/debian/patches/series
--- libu2f-host-1.1.2/debian/patches/series 2019-02-08 21:42:16.000000000
+0100
+++ libu2f-host-1.1.2/debian/patches/series 2019-08-28 23:52:13.000000000
+0200
@@ -1 +1,2 @@
Fix-CVE-2018-20340.patch
+Fix-CVE-2019-9578.patch
--- End Message ---
--- Begin Message ---
Closing the bug might have been missed due to an incorrect version
number in the bug title.
cu
Adrian
--- End Message ---
