Security update for libu2f-host

Announcement ID:	SUSE-SU-2021:1755-1
Rating:	moderate
References:	bsc#1124781 bsc#1128140 bsc#1184648 jsc#ECO-3687
Cross-References:	CVE-2018-20340 CVE-2019-9578
CVSS scores:	CVE-2018-20340 ( SUSE ): 6.4 CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-20340 ( NVD ): 6.8 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-9578 ( SUSE ): 2.1 CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2019-9578 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	Basesystem Module 15-SP2 Basesystem Module 15-SP3 SUSE Linux Enterprise Desktop 15 SP2 SUSE Linux Enterprise Desktop 15 SP3 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP3 Business Critical Linux 15-SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Manager Proxy 4.1 SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.1 SUSE Manager Retail Branch Server 4.2 SUSE Manager Server 4.1 SUSE Manager Server 4.2

An update that solves two vulnerabilities, contains one feature and has one security fix can now be installed.

Description:

This update for libu2f-host fixes the following issues:

This update ships the u2f-host package (jsc#ECO-3687 bsc#1184648)

Version 1.1.10 (released 2019-05-15)

• Add new devices to udev rules.
• Fix a potentially uninitialized buffer (CVE-2019-9578, bsc#1128140)

Version 1.1.9 (released 2019-03-06)

• Fix CID copying from the init response, which broke compatibility with some devices.

Version 1.1.8 (released 2019-03-05)

• Add udev rules
• Drop 70-old-u2f.rules and use 70-u2f.rules for everything
• Use a random nonce for setting up CID to prevent fingerprinting
• CVE-2019-9578: Parse the response to init in a more stable way to prevent leakage of uninitialized stack memory back to the device (bsc#1128140).

Version 1.1.7 (released 2019-01-08)

• Fix for trusting length from device in device init.
• Fix for buffer overflow when receiving data from device. (YSA-2019-01, CVE-2018-20340, bsc#1124781)

• Add udev rules for some new devices.

• Add udev rule for Feitian ePass FIDO

• Add a timeout to the register and authenticate actions.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Basesystem Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1755=1
• Basesystem Module 15-SP3
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1755=1

Package List:

• Basesystem Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  • libu2f-host-debuginfo-1.1.10-3.9.1
  • libu2f-host-debugsource-1.1.10-3.9.1
  • libu2f-host0-1.1.10-3.9.1
  • libu2f-host-devel-1.1.10-3.9.1
  • u2f-host-debuginfo-1.1.10-3.9.1
  • libu2f-host0-debuginfo-1.1.10-3.9.1
  • u2f-host-1.1.10-3.9.1
• Basesystem Module 15-SP3 (aarch64 ppc64le s390x x86_64)
  • libu2f-host-debuginfo-1.1.10-3.9.1
  • libu2f-host-debugsource-1.1.10-3.9.1
  • libu2f-host0-1.1.10-3.9.1
  • u2f-host-debuginfo-1.1.10-3.9.1
  • libu2f-host-devel-1.1.10-3.9.1
  • libu2f-host0-debuginfo-1.1.10-3.9.1
  • u2f-host-1.1.10-3.9.1

References:

• https://www.suse.com/security/cve/CVE-2018-20340.html
• https://www.suse.com/security/cve/CVE-2019-9578.html
• https://bugzilla.suse.com/show_bug.cgi?id=1124781
• https://bugzilla.suse.com/show_bug.cgi?id=1128140
• https://bugzilla.suse.com/show_bug.cgi?id=1184648
• https://jira.suse.com/browse/ECO-3687