infinite loop for particular command line arguments

[invd]

The optind--; operations in ykpers-args.c can lead to infinite loops. This happens if ykpersonalize is invoked with -a or -c command line parameters that are directly followed by another - character. The argument parsing via getopt() will then repeatedly loop over the same argument.

As briefly discussed with @nevun, this may be inconvenient during practical use if typos in the parameter spacing happen, but I see no apparent security impact.

The issue was found during fuzzing.

Relevant code: https://github.com/Yubico/yubikey-personalization/blob/621279725f71720876ec00b21fea91b8b22a92fa/ykpers-args.c#L409 https://github.com/Yubico/yubikey-personalization/blob/621279725f71720876ec00b21fea91b8b22a92fa/ykpers-args.c#L417

Issue examples:

ykpersonalize -a-

This prints debug info about the Yubikey and then runs with 100% CPU usage (1 thread).

ykpersonalize -c-

This endlessly asks for Access code, 6 bytes (12 characters hex) : and otherwise idles.

Precondition: a Yubikey is present. Version: this was tested with v1.19.3 and v1.20.0 .