Your message dated Sat, 20 Jul 2019 13:06:22 +0200
with message-id <20190720110622.tspjcdxkliwbl3gy@bogus>
and subject line Re: Bug#931991: libpam-u2f: CVE-2019-12209, CVE-2019-12210
has caused the Debian Bug report #931991,
regarding libpam-u2f: CVE-2019-12209, CVE-2019-12210
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
931991: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931991
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-u2f
Version: 1.0.7-1
Severity: important
Tags: security
Control: not-found -1 1.0.8-1

Yubico issued a new release of pam-u2f that fixes 2 security issues, both
locally-exploitable information disclosures (and write-access to debug log):

- CVE-2019-12209 insecure debug file handling

  pam-u2f attempts parsing of the configured authfile (default
  ~/.config/Yubico/u2f_keys) as root (unless openasuser was enabled), and does
  not properly verify that the path lacks symlinks pointing to other files on
  the system owned by root.
  If the debug option is enabled in the PAM configuration, part of the file
  contents of a symlink target will be logged, possibly revealing sensitive
  information.

- CVE-2019-12210 debug file descriptor leak

  When pam-u2f is configured with debug and a custom debug log file is set using
  debug_file, that file descriptor is not closed when a new process is spawned.
  This leads to the file descriptor being inherited into the child process; the
  child process can then read from and write to it. This can leak sensitive
  information and also, if written to, be used to fill the disk or plant
  misinformation.


Should I make a version of the package for buster-security?
FWIW, those issues aren't exploitable in the default configuration,
but I'd rather not leave them at all.


Best,

  nicoo

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-u2f depends on:
ii  libc6           2.28-10
ii  libpam0g        1.3.1-5
ii  libu2f-host0    1.1.9-1
ii  libu2f-server0  1.1.0-2

Versions of packages libpam-u2f recommends:
ii  pamu2fcfg  1.0.7-1

libpam-u2f suggests no packages.

-- no debconf information


--- End Message ---
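A hardened open() for the two defect classes described in the report above: refusing a symlink as the final path component, and marking the descriptor close-on-exec so a spawned child cannot inherit it. This is an added example for this thread, not code from pam-u2f or Yubico; it assumes Linux with /proc mounted and a writable /tmp, and the helper names (open_user_file, fd_survives_exec, self_check) and the pamdemo_ temp path are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a per-user file from a privileged process. O_NOFOLLOW refuses a symlink
 * as the final path component (the CVE-2019-12209 class); O_CLOEXEC keeps the
 * descriptor out of spawned children (the CVE-2019-12210 class); fstat() then
 * insists on a regular file owned by `owner`. Returns an fd, or -1 with errno set. */
int open_user_file(const char *path, int flags, uid_t owner) {
    int fd = open(path, flags | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == owner) return fd;
    close(fd); errno = EPERM; return -1;
}

/* 1 if `fd` is still open in a child after fork()+exec(), 0 if not, -1 on error.
 * The child execs /bin/sh; /proc/self/fd/N exists there only if fd N was inherited. */
int fd_survives_exec(int fd) {
    char cmd[48];
    snprintf(cmd, sizeof cmd, "test -e /proc/self/fd/%d", fd);
    pid_t pid = fork();
    if (pid == 0) { execl("/bin/sh", "sh", "-c", cmd, (char *)NULL); _exit(127); }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Self-check on a constructed temp directory holding a regular file and a
 * symlink to it. Returns 0 when every property holds, else the failing step. */
int self_check(void) {
    char dir[] = "/tmp/pamdemo_XXXXXX", real[64], link[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(real, sizeof real, "%s/u2f_keys", dir);
    snprintf(link, sizeof link, "%s/u2f_keys_link", dir);
    int fd = open(real, O_WRONLY | O_CREAT, 0600), rc = 0;   /* plain open(): fd leaks */
    if (fd < 0 || symlink(real, link) < 0) rc = 2;
    else if (open_user_file(link, O_RDONLY, getuid()) != -1 || errno != ELOOP) rc = 3;
    else if (fd_survives_exec(fd) != 1) rc = 4;
    close(fd);
    if (rc == 0 && (fd = open_user_file(real, O_WRONLY | O_APPEND, getuid())) < 0) rc = 5;
    if (rc == 0) { if (fd_survives_exec(fd) != 0) rc = 6; close(fd); }   /* hardened: no leak */
    unlink(link); unlink(real); rmdir(dir);
    return rc;
}
```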
--- Begin Message ---
Hi Salvatore,

On Sat, Jul 13, 2019 at 02:58:45PM +0200, Salvatore Bonaccorso wrote:
> On Sat, Jul 13, 2019 at 02:40:28PM +0200, Nicolas Braud-Santoni wrote:
> > - CVE-2019-12209 insecure debug file handling
> This was filed as #930021 ;-)
> 
> > - CVE-2019-12210 debug file descriptor leak
> This one as #930023.

OK, thanks for filing those, and sorry for the duplicate bug (closing it now).


> > Should I make a version of the package for buster-security?
> > FWIW, those issues aren't exploitable in the default configuration,
> > but I'd rather not leave them at all.
> 
> The issues do not really warrant a DSA. But they can be fixed via an
> upcoming point release for both buster and stretch.

Thanks for the information, I'm currently preparing uploads.


Best,

  nicoo

--- End Message ---