USN-4846-1: Yubico PIV Tool vulnerabilities
15 March 2021
Yubico PIV Tool could be made to crash or run programs if it received specially crafted input.
Packages
- yubico-piv-tool - Command line tool for the YubiKey NEO PIV applet
Details
It was discovered that libykpiv, a supporting library of the Yubico PIV
tool and YubiKey PIV Manager, mishandled specially crafted input. An
attacker with a custom-made, malicious USB device could potentially execute
arbitrary code on a computer running the Yubico PIV Tool or YubiKey PIV
Manager.
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.04
- libykpiv1 - 1.0.3-1ubuntu0.1~esm1 (available with Ubuntu Pro)
In general, a standard system update will make all the necessary changes.
Related notices
- USN-4276-1: yubico-piv-tool, libykpiv-dev, ykcs11, libykpiv1