[Pkg-auth-maintainers] Bug#906128: libykpiv1 impacted by CVE-2018-14779 and CVE-2018-14780

Nicolas Braud-Santoni nicolas at braud-santoni.eu
Tue Aug 14 17:39:43 BST 2018


Package: libykpiv1
Severity: serious
Tags: security pending stretch buster sid
Justification: security

libykpiv1 versions below 1.6.0 are affected by a buffer overflow, exploitable by
malicious USB devices, that can lead to arbitrary code execution.

I will upload the fixed upstream version later today, and coordinate with
the security team to get fixed in stretch and jessie-backports


Best,

  nicoo

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.17.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libykpiv1 depends on:
ii  libc6         2.27-5
ii  libpcsclite1  1.8.23-3
ii  libssl1.1     1.1.0h-4

Versions of packages libykpiv1 recommends:
ii  pcscd  1.8.23-3

libykpiv1 suggests no packages.



More information about the Pkg-auth-maintainers mailing list