Bug#936007: stretch-pu: package libu2f-host/1.1.2-2+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Control: block 923874 by -1
Dear release team,
I would like to backport the fix for CVE-2019-9578 in the next point release
for stretch.  Please find enclosed the proposed debdiff.
Best,
  nicoo
-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libu2f-host-1.1.2/debian/changelog libu2f-host-1.1.2/debian/changelog
--- libu2f-host-1.1.2/debian/changelog	2019-02-08 21:42:16.000000000 +0100
+++ libu2f-host-1.1.2/debian/changelog	2019-08-28 23:52:13.000000000 +0200
@@ -1,3 +1,10 @@
+libu2f-host (1.1.2-2+deb9u2) stretch; urgency=medium
+
+  * Backport fix for CVE-2019-9578 (Closes: #923874)
+  * Configure git-buildpackage for stretch
+
+ -- Nicolas Braud-Santoni <nicoo@debian.org>  Wed, 28 Aug 2019 23:52:13 +0200
+
 libu2f-host (1.1.2-2+deb9u1) stretch-security; urgency=high
 
   * Backport patch for CVE-2018-20340 (Closes: #921725)
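Review bot: The new 1.1.2-2+deb9u2 entry identifies the fix only by its CVE id, so a reader of the changelog cannot tell what changed in the library. A short description on the `* Backport fix for CVE-2019-9578` line, for instance that init_device now validates the length and nonce of the U2FHID_INIT response, together with the name of the added patch file, would make the point-release entry self-explanatory.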
diff -Nru libu2f-host-1.1.2/debian/gbp.conf libu2f-host-1.1.2/debian/gbp.conf
--- libu2f-host-1.1.2/debian/gbp.conf	2019-02-08 21:42:16.000000000 +0100
+++ libu2f-host-1.1.2/debian/gbp.conf	2019-08-28 23:52:13.000000000 +0200
@@ -1,3 +1,7 @@
 [DEFAULT]
+debian-branch = debian/stretch
 pristine-tar = True
 sign-tags = True
+
+[buildpackage]
+dist = stretch
diff -Nru libu2f-host-1.1.2/debian/patches/Fix-CVE-2019-9578.patch libu2f-host-1.1.2/debian/patches/Fix-CVE-2019-9578.patch
--- libu2f-host-1.1.2/debian/patches/Fix-CVE-2019-9578.patch	1970-01-01 01:00:00.000000000 +0100
+++ libu2f-host-1.1.2/debian/patches/Fix-CVE-2019-9578.patch	2019-08-28 23:52:13.000000000 +0200
@@ -0,0 +1,60 @@
+Subject: fix filling out of initresp
+
+---
+ u2f-host/devs.c | 35 +++++++++++++++++++++++------------
+ 1 file changed, 23 insertions(+), 12 deletions(-)
+
+diff --git a/u2f-host/devs.c b/u2f-host/devs.c
+index 0c50882..dc2120b 100644
+Origin: vendor
+Bug: CVE-2019-9578
+Bug-Debian: 923874
+From: Klas Lindfors <klas@yubico.com>
+Reviewed-by: Nicolas Braud-Santoni <nicoo@debian.org>
+Last-Update: 2019-08-28
+Applied-Upstream: yes
+
+--- a/u2f-host/devs.c
++++ b/u2f-host/devs.c
+@@ -246,18 +246,29 @@ init_device (u2fh_devs * devs, struct u2fdevice *dev)
+       (devs, dev->id, U2FHID_INIT, nonce, sizeof (nonce), resp,
+        &resplen) == U2FH_OK)
+     {
+-      U2FHID_INIT_RESP initresp;
+-      if (resplen > sizeof (initresp))
+-        {
+-          return U2FH_MEMORY_ERROR;
+-        }
+-
+-      memcpy (&initresp, resp, resplen);
+-      dev->cid = initresp.cid;
+-      dev->versionInterface = initresp.versionInterface;
+-      dev->versionMajor = initresp.versionMajor;
+-      dev->versionMinor = initresp.versionMinor;
+-      dev->capFlags = initresp.capFlags;
++      int offs = sizeof (nonce);
++      /* the response has to be atleast 17 bytes, if it's more we discard that */
++      if (resplen < 17)
++	{
++	  return U2FH_SIZE_ERROR;
++	}
++
++      /* incoming and outgoing nonce has to match */
++      if (memcmp (nonce, resp, sizeof (nonce)) != 0)
++	{
++	  return U2FH_TRANSPORT_ERROR;
++	}
++
++      dev->cid =
++	resp[offs] << 24 | resp[offs + 1] << 16 | resp[offs +
++						       2] << 8 | resp[offs +
++								      3];
++      offs += 4;
++      dev->versionInterface = resp[offs++];
++      dev->versionMajor = resp[offs++];
++      dev->versionMinor = resp[offs++];
++      dev->versionBuild = resp[offs++];
++      dev->capFlags = resp[offs++];
+     }
+   else
+     {
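Review bot: The length check `if (resplen < 17)` in init_device hardcodes the response size while every read below it is indexed from `offs = sizeof (nonce)`, so the bound is only correct as long as the nonce is 8 bytes. Deriving it from the same expression, e.g. `if (resplen < sizeof (nonce) + 9)` or a named constant, keeps the check tied to the nine bytes read from `resp[offs]` onward. Separately, in the `dev->cid` assembly, `resp[offs] << 24` is evaluated after integer promotion to int, so if `resp` is an unsigned char buffer (its declaration is outside this hunk) a first byte of 0x80 or above shifts into the sign bit; casting each byte to `uint32_t` before shifting avoids that. The DEP-3 fields (`Origin:` through `Applied-Upstream:`) also sit after the `---` separator and the `diff --git`/`index` lines rather than in the header next to `Subject:`, which is worth tidying so the metadata is read as part of the patch header.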
diff -Nru libu2f-host-1.1.2/debian/patches/series libu2f-host-1.1.2/debian/patches/series
--- libu2f-host-1.1.2/debian/patches/series	2019-02-08 21:42:16.000000000 +0100
+++ libu2f-host-1.1.2/debian/patches/series	2019-08-28 23:52:13.000000000 +0200
@@ -1 +1,2 @@
 Fix-CVE-2018-20340.patch
+Fix-CVE-2019-9578.patch