[ASA-201902-7] libu2f-host: arbitrary code execution

Levente Polyak anthraxx at archlinux.org
Tue Feb 12 17:45:35 UTC 2019


Arch Linux Security Advisory ASA-201902-7
=========================================

Severity: High
Date    : 2019-02-11
CVE-ID  : CVE-2018-20340
Package : libu2f-host
Type    : arbitrary code execution
Remote  : No
Link    : https://security.archlinux.org/AVG-884

Summary
=======

The package libu2f-host before version 1.1.7-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 1.1.7-1.

# pacman -Syu "libu2f-host>=1.1.7-1"

The problem has been fixed upstream in version 1.1.7.

Workaround
==========

None.

Description
===========

Yubico's libu2f-host library prior to version 1.1.7 contains an unchecked
buffer, which could allow a buffer overflow. Libu2f-host is a library
that implements the host party of the U2F protocol. This issue can
allow an attacker with a custom-made malicious USB device masquerading
as a security key, and physical access to a computer where PAM U2F or
an application with libu2f-host integrated is installed, to potentially
execute arbitrary code on that computer. Users of the YubiKey PAM U2F
Tool are the most impacted, since the arbitrary code could execute with
elevated privileges.
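Neither this advisory nor the Yubico reference names the libu2f-host routine that holds the unchecked buffer, so the following is an added example of the bug class rather than the library's own code: host-side reassembly of a U2FHID response in which the device-supplied byte count (BCNT) is checked against the caller's buffer before anything is copied. The report layout follows the FIDO U2F HID protocol; the sample frames, the CMD value and the 256-byte buffer are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define HID_RPT_SIZE 64
#define INIT_DATA (HID_RPT_SIZE - 7)  /* 57 payload bytes in an init report */
#define CONT_DATA (HID_RPT_SIZE - 5)  /* 59 payload bytes per continuation report */
#define TYPE_INIT 0x80                /* bit 7 of byte 4 set marks an init report */

/* Reassemble a U2FHID response from the 64-byte HID reports a device sent.
 * BCNT (bytes 5-6 of the init report) is chosen by the device, so it is
 * validated against outlen. Returns the payload length, or -1 on error. */
int u2fhid_recv(uint8_t (*frames)[HID_RPT_SIZE], size_t nframes,
                uint8_t *out, size_t outlen)
{
    if (nframes == 0 || !(frames[0][4] & TYPE_INIT))
        return -1;                          /* must start with an init report */
    size_t bcnt = ((size_t)frames[0][5] << 8) | frames[0][6];
    if (bcnt > outlen)
        return -1;                          /* the bound an unchecked host skips */
    size_t copied = bcnt < INIT_DATA ? bcnt : INIT_DATA;
    memcpy(out, &frames[0][7], copied);
    for (size_t i = 1, seq = 0; copied < bcnt; i++, seq++) {
        /* continuation report: same CID, SEQ counts 0,1,2,... with bit 7 clear */
        if (i >= nframes || seq > 0x7f || frames[i][4] != (uint8_t)seq ||
            memcmp(frames[i], frames[0], 4) != 0)
            return -1;
        size_t chunk = bcnt - copied;
        if (chunk > CONT_DATA) chunk = CONT_DATA;
        memcpy(out + copied, &frames[i][5], chunk);
        copied += chunk;
    }
    return (int)copied;
}

/* Constructed sample: a legitimate 100-byte response split over two reports (CID 0). */
int demo_legit(void)
{
    uint8_t f[2][HID_RPT_SIZE] = {{0}}, out[256];
    f[0][4] = TYPE_INIT | 0x03; f[0][6] = 100;        /* CMD_MSG, BCNT = 100 */
    for (int i = 0; i < INIT_DATA; i++) f[0][7 + i] = (uint8_t)i;
    for (int i = 0; i < 100 - INIT_DATA; i++) f[1][5 + i] = (uint8_t)(INIT_DATA + i);
    int n = u2fhid_recv(f, 2, out, sizeof out);
    return (n == 100 && out[0] == 0 && out[99] == 99) ? n : -1;
}

/* Constructed sample: the device announces BCNT = 4000 to a 256-byte buffer. */
int demo_oversized(void)
{
    uint8_t f[1][HID_RPT_SIZE] = {{0}}, out[256];
    f[0][4] = TYPE_INIT | 0x03; f[0][5] = 0x0F; f[0][6] = 0xA0;
    return u2fhid_recv(f, 1, out, sizeof out);       /* -1, nothing copied */
}
```

A host that omitted the `bcnt > outlen` comparison would let the device decide how many bytes land in `out`, which is the shape of failure the advisory describes.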

Impact
======

A malicious USB device can execute arbitrary code on the host.

References
==========

https://www.yubico.com/support/security-advisories/ysa-2019-01/
https://security.archlinux.org/CVE-2018-20340
