
Bug#936007: marked as done (stretch-pu: package libu2f-host/1.1.2-2+deb9u1)



Your message dated Sun, 12 Jan 2020 13:57:28 +0200
with message-id <20200112115728.GD26925@localhost>
and subject line libu2f-host 1.1.2-2+deb9u2 was included in Debian 9.10
has caused the Debian Bug report #936007,
regarding stretch-pu: package libu2f-host/1.1.2-2+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
936007: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936007
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Control: block 923874 by -1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear release team,

I would like to backport the fix for CVE-2019-9578 in the next point release
for stretch.  Please find enclosed the proposed debdiff.


Best,

  nicoo

- -- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
diff -Nru libu2f-host-1.1.2/debian/changelog libu2f-host-1.1.2/debian/changelog
--- libu2f-host-1.1.2/debian/changelog	2019-02-08 21:42:16.000000000 +0100
+++ libu2f-host-1.1.2/debian/changelog	2019-08-28 23:52:13.000000000 +0200
@@ -1,3 +1,10 @@
+libu2f-host (1.1.2-2+deb9u2) stretch; urgency=medium
+
+  * Backport fix for CVE-2019-9578 (Closes: #923874)
+  * Configure git-buildpackage for stretch
+
+ -- Nicolas Braud-Santoni <nicoo@debian.org>  Wed, 28 Aug 2019 23:52:13 +0200
+
 libu2f-host (1.1.2-2+deb9u1) stretch-security; urgency=high
 
   * Backport patch for CVE-2018-20340 (Closes: #921725)
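Review bot: The version on the new entry, 1.1.2-2+deb9u2, does not match the version in this request's title (1.1.2-2+deb9u1), which is already used by the stretch-security entry directly below it; the request should be retitled to +deb9u2 so the upload can be matched to it. The CVE line would also be easier to audit if it named the file it adds, debian/patches/Fix-CVE-2019-9578.patch.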
diff -Nru libu2f-host-1.1.2/debian/gbp.conf libu2f-host-1.1.2/debian/gbp.conf
--- libu2f-host-1.1.2/debian/gbp.conf	2019-02-08 21:42:16.000000000 +0100
+++ libu2f-host-1.1.2/debian/gbp.conf	2019-08-28 23:52:13.000000000 +0200
@@ -1,3 +1,7 @@
 [DEFAULT]
+debian-branch = debian/stretch
 pristine-tar = True
 sign-tags = True
+
+[buildpackage]
+dist = stretch
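Review bot: The debian-branch and [buildpackage] dist settings added here are unrelated to the CVE-2019-9578 backport, and the request text mentions only the CVE fix. They are recorded in the changelog ("Configure git-buildpackage for stretch") and touch only git-buildpackage configuration, but the cover message should say so, so that the extra file in the debdiff is expected.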
diff -Nru libu2f-host-1.1.2/debian/patches/Fix-CVE-2019-9578.patch libu2f-host-1.1.2/debian/patches/Fix-CVE-2019-9578.patch
--- libu2f-host-1.1.2/debian/patches/Fix-CVE-2019-9578.patch	1970-01-01 01:00:00.000000000 +0100
+++ libu2f-host-1.1.2/debian/patches/Fix-CVE-2019-9578.patch	2019-08-28 23:52:13.000000000 +0200
@@ -0,0 +1,60 @@
+Subject: fix filling out of initresp
+
+---
+ u2f-host/devs.c | 35 +++++++++++++++++++++++------------
+ 1 file changed, 23 insertions(+), 12 deletions(-)
+
+diff --git a/u2f-host/devs.c b/u2f-host/devs.c
+index 0c50882..dc2120b 100644
+Origin: vendor
+Bug: CVE-2019-9578
+Bug-Debian: 923874
+From: Klas Lindfors <klas@yubico.com>
+Reviewed-by: Nicolas Braud-Santoni <nicoo@debian.org>
+Last-Update: 2019-08-28
+Applied-Upstream: yes
+
+--- a/u2f-host/devs.c
++++ b/u2f-host/devs.c
+@@ -246,18 +246,29 @@ init_device (u2fh_devs * devs, struct u2fdevice *dev)
+       (devs, dev->id, U2FHID_INIT, nonce, sizeof (nonce), resp,
+        &resplen) == U2FH_OK)
+     {
+-      U2FHID_INIT_RESP initresp;
+-      if (resplen > sizeof (initresp))
+-        {
+-          return U2FH_MEMORY_ERROR;
+-        }
+-
+-      memcpy (&initresp, resp, resplen);
+-      dev->cid = initresp.cid;
+-      dev->versionInterface = initresp.versionInterface;
+-      dev->versionMajor = initresp.versionMajor;
+-      dev->versionMinor = initresp.versionMinor;
+-      dev->capFlags = initresp.capFlags;
++      int offs = sizeof (nonce);
++      /* the response has to be atleast 17 bytes, if it's more we discard that */
++      if (resplen < 17)
++	{
++	  return U2FH_SIZE_ERROR;
++	}
++
++      /* incoming and outgoing nonce has to match */
++      if (memcmp (nonce, resp, sizeof (nonce)) != 0)
++	{
++	  return U2FH_TRANSPORT_ERROR;
++	}
++
++      dev->cid =
++	resp[offs] << 24 | resp[offs + 1] << 16 | resp[offs +
++						       2] << 8 | resp[offs +
++								      3];
++      offs += 4;
++      dev->versionInterface = resp[offs++];
++      dev->versionMajor = resp[offs++];
++      dev->versionMinor = resp[offs++];
++      dev->versionBuild = resp[offs++];
++      dev->capFlags = resp[offs++];
+     }
+   else
+     {
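Review bot: In the dev->cid assignment, resp[offs] << 24 shifts a value that has been promoted to int if resp is a byte array (its declaration is not visible in this hunk), so a first CID byte of 0x80 or above shifts into the sign bit; cast each byte to a 32-bit unsigned type before shifting, for example (uint32_t) resp[offs] << 24. The literal 17 in the length check is correct only while nonce is 8 bytes: the reads that follow cover resp[sizeof (nonce)] through resp[sizeof (nonce) + 8], so writing the bound as sizeof (nonce) + 9, or as a named constant, keeps the check tied to what is actually read. The lower bound itself is the substantive change and should stay: the removed code rejected only resplen > sizeof (initresp), so a short response left part of initresp unwritten before its fields were copied into dev. As a style point, the Origin, Bug, Bug-Debian, From, Reviewed-by, Last-Update and Applied-Upstream fields sit after the diff --git and index lines instead of next to Subject at the top of the patch file; moving them up keeps the metadata in one block.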
diff -Nru libu2f-host-1.1.2/debian/patches/series libu2f-host-1.1.2/debian/patches/series
--- libu2f-host-1.1.2/debian/patches/series	2019-02-08 21:42:16.000000000 +0100
+++ libu2f-host-1.1.2/debian/patches/series	2019-08-28 23:52:13.000000000 +0200
@@ -1 +1,2 @@
 Fix-CVE-2018-20340.patch
+Fix-CVE-2019-9578.patch

--- End Message ---
--- Begin Message ---
Closing the bug might have been missed due to an incorrect version 
number in the bug title.

cu
Adrian

--- End Message ---
