Candidate: CVE-2018-20340
CRD: 2019-02-08 11:00:00 UTC
PublicDate: 2019-03-21 16:00:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20340
Description:
 Yubico libu2f-host 1.1.6 contains unchecked buffers in devs.c, which could
 enable a malicious token to exploit a buffer overflow. An attacker could use
 this to attempt to execute malicious code using a crafted USB device
 masquerading as a security token on a computer where the affected library is
 currently in use. It is not possible to perform this attack with a genuine
 YubiKey.
Ubuntu-Description:
Notes:
 sbeattie> requires libpam-u2f setup or other yubikey based software
  applications. Browser U2F implementations are NOT affected.
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/libu2f-host/+bug/1814153
Priority: medium
Discovered-by: Christian Reitter
Assigned-to: sbeattie
CVSS:
 nvd: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [6.8 MEDIUM]

Tags_libu2f-host: universe-binary
Patches_libu2f-host:
 upstream: https://github.com/Yubico/libu2f-host/commit/4d490bb2c528c351e32837fcdaebd998eb5d3f27
upstream_libu2f-host: pending (1.1.7)
precise/esm_libu2f-host: DNE
trusty_libu2f-host: DNE
trusty/esm_libu2f-host: DNE
xenial_libu2f-host: ignored (end of standard support, was needed)
bionic_libu2f-host: released (1.1.4-1ubuntu0.1)
cosmic_libu2f-host: released (1.1.6-1ubuntu0.1)
disco_libu2f-host: not-affected (1.1.7-1)
eoan_libu2f-host: not-affected (1.1.7-1)
focal_libu2f-host: not-affected (1.1.7-1)
groovy_libu2f-host: not-affected (1.1.7-1)
hirsute_libu2f-host: not-affected (1.1.7-1)
impish_libu2f-host: not-affected (1.1.7-1)
jammy_libu2f-host: not-affected (1.1.7-1)
devel_libu2f-host: not-affected (1.1.7-1)