FYI

On 04/18/2013 01:45 PM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, Alexander, vendors,
>
> as noted in [1]:
>
> An information disclosure flaw was found in the way google-authenticator,
> a pluggable authentication module (PAM) which allows login using one-time
> passcodes conforming to the open standards developed by the Initiative for
> Open Authentication (OATH), performed management of its secret / state file
> in certain configurations. Due to the lack of the 'user=' option the secret file
> was previously required to be user-readable, allowing (in certain cases)
> a local attacker to obtain the (pre)shared client-to-authentication-server
> secret, possibly leading to victim's account impersonation.
>
> A different vulnerability than CVE-2013-0258.
>
> References:
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#10
> [3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#20
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=953505
>
> Relevant upstream patch:
> [5] https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8
>
> @Alexander - since I am not sure I have described the attack vector above
> properly, please correct me if / where required.
>
> @Kurt
> * the CVE-2012- identifier should be allocated to this issue, since
>   the security implications of this problem are for the first time
>   mentioned here:
>   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#10 (2012-09-22),
>
> * from what I have looked, there doesn't seem to be:
>   http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=authenticator
>
>   a CVE identifier allocated to this issue yet (as noted above
>   CVE-2013-0258 from that list is a different issue).
>
> => could you allocate one?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
--
Michael Pasternak
RedHat, ENG-Virtualization R&D

_______________________________________________
Engine-devel mailing list
Engine-devel@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-devel
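The report above describes the configuration-level exposure (no 'user=' option, so the secret file has to be readable by the very account it protects) and the upstream patch addresses it in the module. As an added example, not code from the report, from google-authenticator or from Debian/Red Hat, the following script is a local audit a defender can run: it flags google-authenticator PAM lines that lack a 'user=' option and checks secret files for group/other access or an unexpected owner. The PAM option names 'user=' (from the report) and 'secret=' (assumed here to be the module's path option, with ${USER} expansion) are taken as given; the secret file contents, paths and config lines in the demo are constructed.

```python
import os
import stat
import tempfile

# Module name as it appears in /etc/pam.d/* lines (full path or bare name).
MODULE = "pam_google_authenticator.so"


def parse_pam_line(line):
    """Split one PAM line into (type, control, module, options-dict).

    Returns None for comments and lines with fewer than three fields.
    Options are 'key=value' tokens; flag tokens (e.g. 'nullok') map to ''.
    """
    parts = line.split()
    if len(parts) < 3 or parts[0].startswith("#"):
        return None
    opts = {}
    for tok in parts[3:]:
        key, _, value = tok.partition("=")
        opts[key] = value
    return parts[0], parts[1], parts[2], opts


def check_pam_line(line):
    """Findings for a google-authenticator PAM line.

    Without 'user=' the module reads the secret as the authenticating
    user, so the secret file must be readable by that user; the report
    above describes why that is a local information disclosure risk.
    'user=' lets the file be owned by a dedicated account instead.
    """
    parsed = parse_pam_line(line)
    if parsed is None or not parsed[2].endswith(MODULE):
        return []
    opts = parsed[3]
    findings = []
    if "user" not in opts:
        findings.append("no user= option: secret file must be readable "
                        "by the login user")
    return findings


def audit_secret_file(path, expected_owner_uid):
    """Findings for one secret file: symlink, loose mode, wrong owner."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("secret path is a symlink")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other access (mode %04o)" % mode)
    if st.st_uid != expected_owner_uid:
        findings.append("owner uid %d, expected %d"
                        % (st.st_uid, expected_owner_uid))
    return findings


def demo():
    """Constructed scenario: one loosely-permissioned secret, one tight."""
    tmp = tempfile.mkdtemp()
    loose = os.path.join(tmp, "alice_secret")   # constructed path
    tight = os.path.join(tmp, "bob_secret")     # constructed path
    for p in (loose, tight):
        with open(p, "w") as fh:
            fh.write("CONSTRUCTEDBASE32SECRET\n")  # constructed, not a real key
    os.chmod(loose, 0o644)   # readable by everyone on the host
    os.chmod(tight, 0o400)   # owner-read only
    me = os.getuid()
    weak_line = "auth required pam_google_authenticator.so"
    fixed_line = ("auth required pam_google_authenticator.so "
                  "user=gauth secret=/var/lib/google-authenticator/${USER}")
    return {
        "loose_file": audit_secret_file(loose, me),
        "tight_file": audit_secret_file(tight, me),
        "weak_pam": check_pam_line(weak_line),
        "fixed_pam": check_pam_line(fixed_line),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "ok")
```

Run it as the account that should own the secret files and point audit_secret_file at the real paths; a non-empty list is something to fix before relying on the second factor.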