[ASA-201902-7] libu2f-host: arbitrary code execution
Arch Linux Security Advisory ASA-201902-7
=========================================

Severity: High
Date    : 2019-02-11
CVE-ID  : CVE-2018-20340
Package : libu2f-host
Type    : arbitrary code execution
Remote  : No
Link    :

Summary
=======

The package libu2f-host before version 1.1.7-1 is vulnerable to arbitrary code execution.

Resolution
==========

Upgrade to 1.1.7-1.

# pacman -Syu "libu2f-host>=1.1.7-1"

The problem has been fixed upstream in version 1.1.7.

Workaround
==========

None.

Description
===========

The Yubico library libu2f-host prior to version 1.1.7 contains an unchecked buffer, which could allow a buffer overflow. Libu2f-host is a library that implements the host party of the U2F protocol. This issue can allow an attacker with a custom-made malicious USB device masquerading as a security key, and physical access to a computer where PAM U2F or an application with libu2f-host integrated is installed, to potentially execute arbitrary code on that computer. Users of the YubiKey PAM U2F Tool are the most impacted since the arbitrary code could execute with elevated privileges.

Impact
======

A malicious USB device can execute arbitrary code on the host.
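The bug class described above, shown as an added example that is not part of the advisory and is not libu2f-host's code: a host-side parser that bounds-checks the device-supplied length of a U2FHID_INIT reply before copying it. The advisory does not say which buffer was unchecked; the frame layout follows the FIDO U2F HID specification, and `parse_init_reply` and `struct init_resp` are hypothetical names.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout per the FIDO U2F HID spec; all identifiers here are hypothetical. */
#define HID_RPT_SIZE   64                        /* one HID report */
#define INIT_HDR_SIZE  7                         /* CID(4) + CMD(1) + BCNT(2) */
#define INIT_DATA_MAX  (HID_RPT_SIZE - INIT_HDR_SIZE)
#define U2FHID_INIT    0x86                      /* 0x80 | 0x06 */
#define INIT_RESP_SIZE 17                        /* payload of an INIT reply */

struct init_resp {
    uint8_t nonce[8];
    uint8_t cid[4];
    uint8_t version_interface, version_major, version_minor, version_build;
    uint8_t cap_flags;
};

/* Returns 0 on success, a negative value on a malformed or oversized reply. */
int parse_init_reply(const uint8_t *rpt, size_t rpt_len, struct init_resp *out)
{
    if (rpt == NULL || out == NULL || rpt_len != HID_RPT_SIZE)
        return -1;
    if (rpt[4] != U2FHID_INIT)
        return -2;
    /* BCNT is chosen by the device, so it is untrusted input. */
    size_t bcnt = ((size_t)rpt[5] << 8) | rpt[6];
    /* Copying `bcnt` bytes without this check would let the device overrun
     * `out` and over-read `rpt`. Reject anything that is too short for an
     * INIT reply or cannot fit in a single report. */
    if (bcnt < INIT_RESP_SIZE || bcnt > INIT_DATA_MAX)
        return -3;
    /* Copy only the fixed-size fields, never `bcnt` bytes. */
    const uint8_t *p = rpt + INIT_HDR_SIZE;
    memcpy(out->nonce, p, sizeof out->nonce);
    memcpy(out->cid, p + 8, sizeof out->cid);
    out->version_interface = p[12];
    out->version_major = p[13];
    out->version_minor = p[14];
    out->version_build = p[15];
    out->cap_flags = p[16];
    return 0;
}

int main(void)
{
    /* Constructed frame: broadcast CID, INIT command, BCNT = 0xffff. */
    uint8_t rpt[HID_RPT_SIZE] = {0xff, 0xff, 0xff, 0xff, U2FHID_INIT, 0xff, 0xff};
    struct init_resp r;
    printf("oversized BCNT -> %d\n", parse_init_reply(rpt, sizeof rpt, &r));
    return 0;
}
```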