CVE-2018-20340

Priority
Description
Yubico libu2f-host 1.1.6 contains unchecked buffers in devs.c, which could
enable a malicious token to exploit a buffer overflow. An attacker could
use this to attempt to execute malicious code using a crafted USB device
masquerading as a security token on a computer where the affected library
is currently in use. It is not possible to perform this attack with a
genuine YubiKey.
Assigned-to
sbeattie
Notes
sbeattie: requires libpam-u2f setup or other yubikey based software
applications. Browser U2F implementations are NOT affected.
Package
Upstream: pending (1.1.7)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): released (1.1.4-1ubuntu0.1)
Ubuntu 20.04 LTS (Focal Fossa): not-affected (1.1.7-1)
Ubuntu 20.10 (Groovy Gorilla): not-affected (1.1.7-1)
Patches:
Upstream: https://github.com/Yubico/libu2f-host/commit/4d490bb2c528c351e32837fcdaebd998eb5d3f27
Binaries built from this source package are in universe and so are supported by the community. For more details see https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support

Updated: 2020-10-24 06:52:18 UTC (commit 69e225d81a6ee3e2e014950178db797c5d4e5009)