Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

openSUSE-SU-2019:1341-1

Опубликовано: 08 мая 2019
Источник: suse-cvrf

Описание

Security update for yubico-piv-tool

This update for yubico-piv-tool fixes the following issues:

Security issues fixed:

  • Fixed an buffer overflow and an out of bounds memory read in ykpiv_transfer_data(), which could be triggered by a malicious token. (CVE-2018-14779, bsc#1104809, YSA-2018-03)
  • Fixed an buffer overflow and an out of bounds memory read in _ykpiv_fetch_object(), which could be triggered by a malicious token. (CVE-2018-14780, bsc#1104811, YSA-2018-03)

This update was imported from the SUSE:SLE-15:Update update project.

Список пакетов

openSUSE Leap 15.0
libykcs11-1-1.5.0-lp150.2.3.1
libykcs11-devel-1.5.0-lp150.2.3.1
libykpiv-devel-1.5.0-lp150.2.3.1
libykpiv1-1.5.0-lp150.2.3.1
yubico-piv-tool-1.5.0-lp150.2.3.1

Ссылки

Описание

A buffer overflow issue was discovered in the Yubico-Piv 1.5.0 smartcard driver. The file lib/ykpiv.c contains the following code in the function `ykpiv_transfer_data()`: {% highlight c %} if(*out_len + recv_len - 2 > max_out) { fprintf(stderr, "Output buffer to small, wanted to write %lu, max was %lu.", *out_len + recv_len - 2, max_out); } if(out_data) { memcpy(out_data, data, recv_len - 2); out_data += recv_len - 2; *out_len += recv_len - 2; } {% endhighlight %} -- it is clearly checked whether the buffer is big enough to hold the data copied using `memcpy()`, but no error handling happens to avoid the `memcpy()` in such cases. This code path can be triggered with malicious data coming from a smartcard.

Затронутые продукты
openSUSE Leap 15.0:libykcs11-1-1.5.0-lp150.2.3.1
openSUSE Leap 15.0:libykcs11-devel-1.5.0-lp150.2.3.1
openSUSE Leap 15.0:libykpiv-devel-1.5.0-lp150.2.3.1
openSUSE Leap 15.0:libykpiv1-1.5.0-lp150.2.3.1
Ссылки

Описание

An out-of-bounds read issue was discovered in the Yubico-Piv 1.5.0 smartcard driver. The file lib/ykpiv.c contains the following code in the function `_ykpiv_fetch_object()`: {% highlight c %} if(sw == SW_SUCCESS) { size_t outlen; int offs = _ykpiv_get_length(data + 1, &outlen); if(offs == 0) { return YKPIV_SIZE_ERROR; } memmove(data, data + 1 + offs, outlen); *len = outlen; return YKPIV_OK; } else { return YKPIV_GENERIC_ERROR; } {% endhighlight %} -- in the end, a `memmove()` occurs with a length retrieved from APDU data. This length is not checked for whether it is outside of the APDU data retrieved. Therefore the `memmove()` could copy bytes behind the allocated data buffer into this buffer.

Затронутые продукты
openSUSE Leap 15.0:libykcs11-1-1.5.0-lp150.2.3.1
openSUSE Leap 15.0:libykcs11-devel-1.5.0-lp150.2.3.1
openSUSE Leap 15.0:libykpiv-devel-1.5.0-lp150.2.3.1
openSUSE Leap 15.0:libykpiv1-1.5.0-lp150.2.3.1
Ссылки