Security update for libu2f-host SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0799-1 Final 1 1 2021-05-28T16:05:18Z current 2021-05-28T16:05:18Z 2021-05-28T16:05:18Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libu2f-host This update for libu2f-host fixes the following issues: This update ships the u2f-host package (jsc#ECO-3687 bsc#1184648) Version 1.1.10 (released 2019-05-15) - Add new devices to udev rules. - Fix a potentially uninitialized buffer (CVE-2019-9578, bsc#1128140) Version 1.1.9 (released 2019-03-06) - Fix CID copying from the init response, which broke compatibility with some devices. Version 1.1.8 (released 2019-03-05) - Add udev rules - Drop 70-old-u2f.rules and use 70-u2f.rules for everything - Use a random nonce for setting up CID to prevent fingerprinting - CVE-2019-9578: Parse the response to init in a more stable way to prevent leakage of uninitialized stack memory back to the device (bsc#1128140). Version 1.1.7 (released 2019-01-08) - Fix for trusting length from device in device init. - Fix for buffer overflow when receiving data from device. (YSA-2019-01, CVE-2018-20340, bsc#1124781) - Add udev rules for some new devices. - Add udev rule for Feitian ePass FIDO - Add a timeout to the register and authenticate actions. This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-799 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QRDOETNQVM5LVLJRZMNGQEBNRFW4ZWEV/ E-Mail link for openSUSE-SU-2021:0799-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1124781 SUSE Bug 1124781 https://bugzilla.suse.com/1128140 SUSE Bug 1128140 https://bugzilla.suse.com/1184648 SUSE Bug 1184648 https://www.suse.com/security/cve/CVE-2018-20340/ SUSE CVE CVE-2018-20340 page https://www.suse.com/security/cve/CVE-2019-9578/ SUSE CVE CVE-2019-9578 page openSUSE Leap 15.2 libu2f-host-devel-1.1.10-lp152.4.3.1 libu2f-host-doc-1.1.10-lp152.4.3.1 libu2f-host0-1.1.10-lp152.4.3.1 u2f-host-1.1.10-lp152.4.3.1 libu2f-host-devel-1.1.10-lp152.4.3.1 as a component of openSUSE Leap 15.2 libu2f-host-doc-1.1.10-lp152.4.3.1 as a component of openSUSE Leap 15.2 libu2f-host0-1.1.10-lp152.4.3.1 as a component of openSUSE Leap 15.2 u2f-host-1.1.10-lp152.4.3.1 as a component of openSUSE Leap 15.2 Yubico libu2f-host 1.1.6 contains unchecked buffers in devs.c, which could enable a malicious token to exploit a buffer overflow. An attacker could use this to attempt to execute malicious code using a crafted USB device masquerading as a security token on a computer where the affected library is currently in use. It is not possible to perform this attack with a genuine YubiKey. CVE-2018-20340 openSUSE Leap 15.2:libu2f-host-devel-1.1.10-lp152.4.3.1 openSUSE Leap 15.2:libu2f-host-doc-1.1.10-lp152.4.3.1 openSUSE Leap 15.2:libu2f-host0-1.1.10-lp152.4.3.1 openSUSE Leap 15.2:u2f-host-1.1.10-lp152.4.3.1 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QRDOETNQVM5LVLJRZMNGQEBNRFW4ZWEV/ https://www.suse.com/security/cve/CVE-2018-20340.html CVE-2018-20340 https://bugzilla.suse.com/1124781 SUSE Bug 1124781 In devs.c in Yubico libu2f-host before 1.1.8, the response to init is misparsed, leaking uninitialized stack memory back to the device. CVE-2019-9578 openSUSE Leap 15.2:libu2f-host-devel-1.1.10-lp152.4.3.1 openSUSE Leap 15.2:libu2f-host-doc-1.1.10-lp152.4.3.1 openSUSE Leap 15.2:libu2f-host0-1.1.10-lp152.4.3.1 openSUSE Leap 15.2:u2f-host-1.1.10-lp152.4.3.1 low 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QRDOETNQVM5LVLJRZMNGQEBNRFW4ZWEV/ https://www.suse.com/security/cve/CVE-2019-9578.html CVE-2019-9578 https://bugzilla.suse.com/1128140 SUSE Bug 1128140