--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package yubikey-personalization/1.19.3-3
- From: Nicolas Braud-Santoni <nicoo@debian.org>
- Date: Sat, 20 Jul 2019 12:33:30 +0200
- Message-id: <156361881005.11708.1141307275626164392.reportbug@neon.citronna.de>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Control: block 931081 by -1
Hi,
I prepared an update for buster that:
1. fixes the stretch->buster upgrade bug (#931081) found by anbe@;
2. backports security fixes from upstream.
Regarding (2), upstream (Yubico) did not issue a security advisory, there is
no CVE or DSA assigned, and the issues aren't yet known to be exploitable;
as such, I believe this is suitable for -pu (as opposed to the security queue).
Please find the debdiff attached.
Best,
nicoo
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru yubikey-personalization-1.19.3/debian/changelog yubikey-personalization-1.19.3/debian/changelog
--- yubikey-personalization-1.19.3/debian/changelog 2019-04-06 21:34:23.000000000 +0200
+++ yubikey-personalization-1.19.3/debian/changelog 2019-07-20 11:43:51.000000000 +0200
@@ -1,3 +1,11 @@
+yubikey-personalization (1.19.3-3+deb10u1) buster-proposed-updates; urgency=medium
+
+ * Backport security improvements from v1.20.0
+ * debian/control: Add missing Break+Replaces on libyubikey-udev
+ Closes: #931081
+
+ -- Nicolas Braud-Santoni <nicoo@debian.org> Sat, 20 Jul 2019 11:43:51 +0200
+
yubikey-personalization (1.19.3-3) unstable; urgency=high (fixes RC bug)
[ Nicolas Braud-Santoni ]
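Review bot: the first bullet, "Backport security improvements from v1.20.0", is too vague for a stable-update changelog; name the two changes the patches actually make (clearing the passphrase-derived buffer in ykp_AES_key_from_passphrase, and the salt_len bound in yk_pbkdf2) and cite the upstream commit ids already given in the patches' Origin: headers, so the release team can map the entry to the debdiff without reading the patches. Minor: "Break+Replaces" should read "Breaks+Replaces".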
diff -Nru yubikey-personalization-1.19.3/debian/control yubikey-personalization-1.19.3/debian/control
--- yubikey-personalization-1.19.3/debian/control 2019-04-06 21:34:23.000000000 +0200
+++ yubikey-personalization-1.19.3/debian/control 2019-07-20 11:43:51.000000000 +0200
@@ -63,6 +63,8 @@
Multi-Arch: foreign
Section: libs
Depends: ${misc:Depends}, udev
+Breaks: libykpers-1-1 (<< 1.19.3)
+Replaces: libykpers-1-1 (<< 1.19.3)
Description: udev rules for unprivileged access to YubiKeys
YubiKeys are USB tokens that act like keyboards and generate one-time
or static passwords.
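Review bot: the version bound on the new Breaks/Replaces needs a second look: `libykpers-1-1 (<< 1.19.3)` is not satisfied by any 1.19.3-N Debian revision, so if the udev rules still shipped in libykpers-1-1 at 1.19.3-1 or 1.19.3-2 the relation should name that revision (for example `<< 1.19.3-3`), otherwise the file conflict from #931081 can reappear for users upgrading from those revisions rather than from stretch.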
diff -Nru yubikey-personalization-1.19.3/debian/patches/0001-Clear-potentially-sensitive-material-from-stack-allo.patch yubikey-personalization-1.19.3/debian/patches/0001-Clear-potentially-sensitive-material-from-stack-allo.patch
--- yubikey-personalization-1.19.3/debian/patches/0001-Clear-potentially-sensitive-material-from-stack-allo.patch 1970-01-01 01:00:00.000000000 +0100
+++ yubikey-personalization-1.19.3/debian/patches/0001-Clear-potentially-sensitive-material-from-stack-allo.patch 2019-07-20 11:43:51.000000000 +0200
@@ -0,0 +1,33 @@
+Subject: Clear potentially sensitive material from stack allocated buffer
+
+---
+ ykpers.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ykpers.c b/ykpers.c
+index 47722e0..7941d0e 100644
+From: Gabriel Kihlman <g.kihlman@yubico.com>
+Origin: commit:5b2973378aa20c20dadfd16f23df8e692e9edc95
+Applied-Upstream: 731d6b5cee16670e896ceddd8badb3704f1664da
+Reviewed-by: Nicolas Braud-Santoni <nicoo@debian.org>
+Last-Update: 2019-07-20
+
+--- a/ykpers.c
++++ b/ykpers.c
+@@ -32,6 +32,7 @@
+ #include "ykpbkdf2.h"
+ #include "yktsd.h"
+ #include "ykpers-json.h"
++#include "ykcore/ykbzero.h"
+
+ #include <ykpers.h>
+
+@@ -408,7 +409,7 @@ int ykp_AES_key_from_passphrase(YKP_CONFIG *cfg, const char *passphrase,
+ }
+ }
+
+- memset (buf, 0, sizeof(buf));
++ insecure_memzero (buf, sizeof(buf));
+ return rc;
+ }
+ return 0;
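Review bot: the DEP-3 headers (From:, Origin:, Applied-Upstream:, Reviewed-by:, Last-Update:) sit after the `diff --git` and `index` lines instead of at the top of the patch; move them above the `---` stat block so the patch has one header section that DEP-3 tooling reads. On the change itself: swapping `memset` for `insecure_memzero` from ykcore/ykbzero.h addresses the compiler treating a memset of a local just before return as a dead store, which is the point of the backport, but the clearing only happens on the `return rc` path; check that the `return 0` path right below cannot leave key material in `buf`.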
diff -Nru yubikey-personalization-1.19.3/debian/patches/0002-Tighten-the-salt_len-check-to-avoid-a-potential-stac.patch yubikey-personalization-1.19.3/debian/patches/0002-Tighten-the-salt_len-check-to-avoid-a-potential-stac.patch
--- yubikey-personalization-1.19.3/debian/patches/0002-Tighten-the-salt_len-check-to-avoid-a-potential-stac.patch 1970-01-01 01:00:00.000000000 +0100
+++ yubikey-personalization-1.19.3/debian/patches/0002-Tighten-the-salt_len-check-to-avoid-a-potential-stac.patch 2019-07-20 11:43:51.000000000 +0200
@@ -0,0 +1,39 @@
+Subject: Tighten the salt_len check to avoid a potential stack buf overwrite
+ further down.
+
+If salt_len was 256:
+
+ for (block_count = 1; block_count <= l; block_count++) {
+ unsigned char block[256]; /* A big chunk, that's 2048 bits */
+[ ... ]
+
+ memcpy(block, salt, salt_len);
+ block[salt_len + 0] = (block_count & 0xff000000) >> 24;
+ block[salt_len + 1] = (block_count & 0x00ff0000) >> 16;
+ block[salt_len + 2] = (block_count & 0x0000ff00) >> 8;
+ block[salt_len + 3] = (block_count & 0x000000ff) >> 0;
+
+ block[256] is outside the buffer and then the next lines would overwrite 3 more bytes
+---
+ ykpbkdf2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ykpbkdf2.c b/ykpbkdf2.c
+index 8ca371c..76a58aa 100644
+From: Gabriel Kihlman <g.kihlman@yubico.com>
+Origin: commit:f0ae7670a4f5b04419a85855b9cb889d19826d46
+Applied-Upstream: ab1d270eb56674c7f08eacef88fca66d12a461f6
+Reviewed-by: Nicolas Braud-Santoni <nicoo@debian.org>
+Last-Update: 2019-07-20
+
+--- a/ykpbkdf2.c
++++ b/ykpbkdf2.c
+@@ -54,7 +54,7 @@ int yk_pbkdf2(const char *passphrase,
+ unsigned char *dk, size_t dklen,
+ YK_PRF_METHOD *prf_method)
+ {
+- if (salt_len > 256) {
++ if (salt_len > (255 - 4)) {
+ return 0;
+ }
+ size_t l = ((dklen - 1 + prf_method->output_size)
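Review bot: same DEP-3 header placement issue as in 0001 (the From:/Origin:/Applied-Upstream: lines belong above the `---` stat block). On the bound: `block` is 256 bytes and the writes land at `block[salt_len]` through `block[salt_len + 3]`, so the largest safe salt_len is 252; `salt_len > (255 - 4)` also rejects 252, which is safe but one tighter than needed, and the literal 255 does not correspond to the 256-byte buffer. Writing it as `salt_len > 256 - 4` with a comment naming the buffer size makes the relation explicit. The old `> 256` check let salt_len in 253..256 through, which is exactly the overwrite the description above walks through, so the direction of the fix is right.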
diff -Nru yubikey-personalization-1.19.3/debian/patches/series yubikey-personalization-1.19.3/debian/patches/series
--- yubikey-personalization-1.19.3/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ yubikey-personalization-1.19.3/debian/patches/series 2019-07-20 11:43:51.000000000 +0200
@@ -0,0 +1,2 @@
+0001-Clear-potentially-sensitive-material-from-stack-allo.patch
+0002-Tighten-the-salt_len-check-to-avoid-a-potential-stac.patch
--- End Message ---