[Pkg-auth-maintainers] Bug#926551: libykpiv1: Security issues in versions prior to 1.7.0

Nicolas Braud-Santoni nicoo at debian.org
Sat Apr 6 21:15:09 BST 2019


Package: libykpiv1
Version: 1.6.2-1
Severity: serious
Tags: security buster sid upstream fixed-upstream pending
Justification: Security issue

Hi,

Yubico released a new version of libykpiv, mentioning “security fixes” in
the NEWS file, but without publishing a new security advisory.

I believe this refers to the following issues (quoting changelog entries):

* Memory unsafety:
  * lib/internal.h, lib/ykpiv.c: lib: tlv length buffer checks
  * lib/internal.h, lib/util.c: lib: correct overflow checks in _write_certificate
  * lib/util.c, lib/ykpiv.c: lib: resolves potential reads of uninitialized data

* Correctly erasing secrets from memory after use:
  * lib/util.c: lib: clear secrets in set_protected_mgm
  * lib/ykpiv.c: lib: clear secrets in ykpiv_import_private_key
  * lib/ykpiv.c: lib: clear secrets in auth api
  * lib/internal.c, lib/ykpiv.c: lib: clear buffers containing key material
  * lib/internal.h, lib/util.c: lib: use secure zero memory platform functions

* lib/ykpiv.c: lib: check internal authentication crypt errors


Given the absence of an advisory, I assume those issues are not known to be
exploitable.  However, I believe it would be worth fixing them before the
release of Buster.

Please let me know if a fix should be backported to stretch.


Best,

  nicoo


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libykpiv1 depends on:
ii  libc6         2.28-8
ii  libpcsclite1  1.8.24-1
ii  libssl1.1     1.1.1b-1

Versions of packages libykpiv1 recommends:
ii  pcscd  1.8.24-1

libykpiv1 suggests no packages.

-- no debconf information
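The two classes of fix the quoted changelog entries describe (bounds-checked TLV length parsing and clearing key material with a zeroing routine the compiler cannot drop), as an added illustration in C that is not code from libykpiv or from this report. It assumes the BER-TLV length encoding ISO 7816 uses for PIV (short form, 0x81 and 0x82 long forms); the function names and the sample key bytes are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode a BER-TLV length field without reading past the end of the buffer.
 * buf points at the first length byte, avail is the number of bytes left.
 * Returns the value length, or -1 if the encoding is malformed, the length
 * bytes run off the buffer, or the value would not fit in what remains. */
long tlv_value_length(const uint8_t *buf, size_t avail, size_t *consumed)
{
    size_t hdr, len;
    if (avail < 1) return -1;
    if (buf[0] < 0x80) {                 /* short form: one byte */
        hdr = 1; len = buf[0];
    } else if (buf[0] == 0x81) {         /* long form, one length byte */
        if (avail < 2) return -1;
        hdr = 2; len = buf[1];
    } else if (buf[0] == 0x82) {         /* long form, two length bytes */
        if (avail < 3) return -1;
        hdr = 3; len = ((size_t)buf[1] << 8) | buf[2];
    } else {
        return -1;                       /* indefinite/longer forms: reject */
    }
    if (len > avail - hdr) return -1;    /* hdr <= avail is guaranteed above */
    if (consumed) *consumed = hdr;
    return (long)len;
}

/* Wipe key material through a volatile pointer so the stores cannot be
 * removed as dead code, which is what happens to a plain memset() right
 * before the buffer dies. Prefer explicit_bzero()/memset_s() where present. */
void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Fill a stack buffer with stand-in key bytes, wipe it, report 1 if all zero. */
int wipe_demo(void)
{
    uint8_t key[24];
    uint8_t acc = 0;
    memset(key, 0xA5, sizeof key);       /* constructed stand-in for a key */
    secure_zero(key, sizeof key);
    for (size_t i = 0; i < sizeof key; i++) acc |= key[i];
    return acc == 0;
}
```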
