Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 687400 (CVE-2019-12209, CVE-2019-12210)

Summary: <sys-auth/pam_u2f-1.0.8: multiple vulnerabilities (CVE-2019-{12210,12209})
Product: Gentoo Security Reporter: Göktürk Yüksek <gokturk>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: gokturk, security
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=713332
Whiteboard: B4 [noglsa cve]
Package list:
Runtime testing required: ---

Description Göktürk Yüksek archtester gentoo-dev 2019-06-04 23:19:19 UTC
Multiple vulnerabilities identified for <=sys-auth/pam_u2f-1.0.8.

CVE-2019-12210 (https://nvd.nist.gov/vuln/detail/CVE-2019-12210): In Yubico pam-u2f 1.0.7, when configured with debug and a custom debug log file is set using debug_file, that file descriptor is not closed when a new process is spawned. This leads to the file descriptor being inherited into the child process; the child process can then read from and write to it. This can leak sensitive information and also, if written to, be used to fill the disk or plant misinformation.

CVE-2019-12209 (https://nvd.nist.gov/vuln/detail/CVE-2019-12209): Yubico pam-u2f 1.0.7 attempts parsing of the configured authfile (default $HOME/.config/Yubico/u2f_keys) as root (unless openasuser was enabled), and does not properly verify that the path lacks symlinks pointing to other files on the system owned by root. If the debug option is enabled in the PAM configuration, part of the file contents of a symlink target will be logged, possibly revealing sensitive information.
Comment 1 Larry the Git Cow gentoo-dev 2019-06-04 23:23:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d8a6efc572d98c67ed5e09275de6ee6aa64a4611

commit d8a6efc572d98c67ed5e09275de6ee6aa64a4611
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2019-06-04 23:23:22 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2019-06-04 23:23:22 +0000

    sys-auth/pam_u2f: bump to 1.0.8 #687400
    
    Version 1.0.8 resolves the following CVEs: CVE-2019-12209,
    CVE-2019-12210.
    
    Bug: https://bugs.gentoo.org/687400
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>

 sys-auth/pam_u2f/Manifest             |  1 +
 sys-auth/pam_u2f/pam_u2f-1.0.8.ebuild | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 21:54:34 UTC
@maintainer(s), please let us know if you're ready for stabilisation, or call for it yourself.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-22 01:39:03 UTC
@maintainer(s), please cleanup
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2020-04-26 03:33:59 UTC
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 5 Larry the Git Cow gentoo-dev 2020-05-06 01:52:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9151169ec4bd6c849f8f9b01c595e960f2418795

commit 9151169ec4bd6c849f8f9b01c595e960f2418795
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2020-05-06 01:51:26 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2020-05-06 01:51:48 +0000

    sys-auth/pam_u2f: clean vulnerable versions #687400
    
    Bug: https://bugs.gentoo.org/687400
    Package-Manager: Portage-2.3.69, Repoman-2.3.14
    Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>

 sys-auth/pam_u2f/Manifest                |  3 ---
 sys-auth/pam_u2f/pam_u2f-1.0.4-r1.ebuild | 35 --------------------------------
 sys-auth/pam_u2f/pam_u2f-1.0.6.ebuild    | 35 --------------------------------
 sys-auth/pam_u2f/pam_u2f-1.0.7.ebuild    | 35 --------------------------------
 4 files changed, 108 deletions(-)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-06 01:53:09 UTC
Thanks!