On Wed, Aug 28, 2019 at 10:29:02PM +0200, Nicolas Braud-Santoni wrote: > I would like to backport the following patches for libu2f-host to stretch: > > + Fix for CVE-2019-9578 (Closes: #923874) I was confused: this is a minor security issue for which no CVE was assigned. (CVE-2019-9578 / #923874 impacts stretch, and should be addressed in stretch-pu.) An updated debdiff is attached. Best, nicoo
diff -Nru libu2f-host-1.1.9/debian/changelog libu2f-host-1.1.9/debian/changelog
--- libu2f-host-1.1.9/debian/changelog 2019-03-08 11:59:52.000000000 +0100
+++ libu2f-host-1.1.9/debian/changelog 2019-08-28 22:23:32.000000000 +0200
@@ -1,3 +1,19 @@
+libu2f-host (1.1.9-1+deb10u1) buster; urgency=medium
+
+ * Backport patches from upstream
+ + Fix for a minor security issue (uninitialized buffer access)
+ + Support for new hardware devices
+ - Kensington Verimark
+ - KeyID U2F
+ - Ledger Nano S and X
+ - Longmai mFIDO
+ - SoloKeys (Closes: #925274)
+ - Trezor
+
+ * Configure git-buildpackage for buster
+
+ -- Nicolas Braud-Santoni <nicoo@debian.org> Wed, 28 Aug 2019 22:23:32 +0200
+
libu2f-host (1.1.9-1) unstable; urgency=high (security fix)
* New upstream version 1.1.9
diff -Nru libu2f-host-1.1.9/debian/gbp.conf libu2f-host-1.1.9/debian/gbp.conf
--- libu2f-host-1.1.9/debian/gbp.conf 2019-03-08 11:59:52.000000000 +0100
+++ libu2f-host-1.1.9/debian/gbp.conf 2019-08-28 22:23:32.000000000 +0200
@@ -1,3 +1,7 @@
[DEFAULT]
+debian-branch = debian/buster
pristine-tar = True
sign-tags = True
+
+[buildpackage]
+dist = buster
diff -Nru libu2f-host-1.1.9/debian/patches/0001-Add-udev-rule-for-additional-devices.patch libu2f-host-1.1.9/debian/patches/0001-Add-udev-rule-for-additional-devices.patch
--- libu2f-host-1.1.9/debian/patches/0001-Add-udev-rule-for-additional-devices.patch 1970-01-01 01:00:00.000000000 +0100
+++ libu2f-host-1.1.9/debian/patches/0001-Add-udev-rule-for-additional-devices.patch 2019-08-28 22:23:32.000000000 +0200
@@ -0,0 +1,62 @@
+Subject: Add udev rule for additional devices
+
++ Ledger Nano S and X
++ Kensington Verimark
++ Longmai mFIDO
++ KeyID U2F
++ SoloKeys
++ Trezor
+---
+ 70-u2f.rules | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/70-u2f.rules b/70-u2f.rules
+index 682e45f..8ab5bcf 100644
+Origin: vendor
+Bug-Debian: 925274
+From: Nicolas Stalder <n@stalder.io>
+Reviewed-by: Nicolas Braud-Santoni <nicoo@debian.org>
+Last-Update: 2019-08-28
+Applied-Upstream: yes
+
+--- a/70-u2f.rules
++++ b/70-u2f.rules
+@@ -25,10 +25,10 @@ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2581", ATTRS{idProduct
+ # Neowave Keydo and Keydo AES
+ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1e0d", ATTRS{idProduct}=="f1d0|f1ae", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+-# HyperSecu HyperFIDO
++# HyperSecu HyperFIDO, KeyID U2F
+ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e|2ccf", ATTRS{idProduct}=="0880", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+-# Feitian ePass FIDO, BioPass FIDO2
++# Feitian ePass FIDO, BioPass FIDO2, KeyID U2F
+ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0850|0852|0853|0854|0856|0858|085a|085b|085d", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+ # JaCarta U2F
+@@ -52,7 +52,23 @@ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct
+ # Google Titan U2F
+ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="5026", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+-# Tomu board + chopstx U2F
+-KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="cdab", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++# Tomu board + chopstx U2F + SoloKeys
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="cdab|a2ca", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++
++# SoloKeys
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5070|50b0", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++
++# Trezor
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++
++# Ledger Nano S and Nano X
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0001|0004", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++
++# Kensington VeriMark
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="06cb", ATTRS{idProduct}=="0088", TAG+="uaccess", GROUP="plugdev", MODE="0660"
++
++# Longmai mFIDO
++KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="4c4d", ATTRS{idProduct}=="f703", TAG+="uaccess", GROUP="plugdev", MODE="0660"
+
+ LABEL="u2f_end"
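Review bot: The rewritten Feitian comment on the new side, `+# Feitian ePass FIDO, BioPass FIDO2, KeyID U2F`, names KeyID U2F although the Feitian rule beneath it is unchanged; the only rule that gained a new id is the HyperSecu one (`096e|2ccf`), so the KeyID annotation appears to belong there alone and the Feitian line should stay `# Feitian ePass FIDO, BioPass FIDO2`. The DEP-3 headers also look inconsistent: `Origin: vendor` describes a patch written by the distribution, whereas `From:` names an upstream contributor and `Applied-Upstream: yes` records that it was merged, so `Origin: upstream` (ideally followed by the upstream commit URL) seems the accurate value; the same applies to the 0002 patch in this debdiff. Placing those headers after the `diff --git` and `index` lines rather than in the header block above the `---` separator may also keep DEP-3 tooling from recognising them, which is worth checking before upload.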
diff -Nru libu2f-host-1.1.9/debian/patches/0002-Initialize-the-respone-buffer-to-0.patch libu2f-host-1.1.9/debian/patches/0002-Initialize-the-respone-buffer-to-0.patch
--- libu2f-host-1.1.9/debian/patches/0002-Initialize-the-respone-buffer-to-0.patch 1970-01-01 01:00:00.000000000 +0100
+++ libu2f-host-1.1.9/debian/patches/0002-Initialize-the-respone-buffer-to-0.patch 2019-08-28 22:23:32.000000000 +0200
@@ -0,0 +1,32 @@
+Subject: Initialize the respone buffer to 0
+
+Some of the code paths check if *response == NULL and if we end up at
+the end main without anything actually setting the response we might
+be printing random stack memory.
+
+Found by static code checker: "line 135: Potentially uninitialized buffer 'response' used. Consider checking the first actual argument of the 'strlen' function."
+---
+ src/u2f-host.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/u2f-host.c b/src/u2f-host.c
+index d8abdb4..f440558 100644
+Origin: vendor
+Bug: CVE-2019-9578
+Bug-Debian: 923874
+From: Gabriel Kihlman <g.kihlman@yubico.com>
+Reviewed-by: Nicolas Braud-Santoni <nicoo@debian.org>
+Last-Update: 2019-08-28
+Applied-Upstream: yes
+
+--- a/src/u2f-host.c
++++ b/src/u2f-host.c
+@@ -33,7 +33,7 @@ main (int argc, char *argv[])
+ struct gengetopt_args_info args_info;
+ char challenge[BUFSIZ];
+ size_t chal_len;
+- char response[2048];
++ char response[2048] = {0};
+ size_t response_len = sizeof (response);
+ u2fh_devs *devs = NULL;
+ u2fh_cmdflags flags = 0;
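Review bot: The `Bug: CVE-2019-9578` and `Bug-Debian: 923874` headers attribute this patch to that CVE, but the cover message states that this uninitialized-buffer fix had no CVE assigned and that CVE-2019-9578 / #923874 is a separate issue to be handled in stretch-pu; the changelog entry in this debdiff likewise calls it a minor security issue with no CVE. Leaving the headers as they are risks the security tracker recording CVE-2019-9578 as fixed in buster by this upload, so they should be dropped or replaced with a reference to the upstream commit. The patched `main` begins and ends outside the quoted hunk; the zero-initialisation only guarantees that `strlen (response)` sees a terminated, empty string when no code path fills the buffer, which is the behaviour the description intends, so no further change to the hunk is needed.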
diff -Nru libu2f-host-1.1.9/debian/patches/series libu2f-host-1.1.9/debian/patches/series
--- libu2f-host-1.1.9/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libu2f-host-1.1.9/debian/patches/series 2019-08-28 22:23:32.000000000 +0200
@@ -0,0 +1,2 @@
+0001-Add-udev-rule-for-additional-devices.patch
+0002-Initialize-the-respone-buffer-to-0.patch