new upstream version fixes security problem with the secret file (CVE-2012-6140)

Related Vulnerabilities: CVE-2012-6140  

Debian Bug report logs - #666129


Reported by: Faidon Liambotis <paravoid@debian.org>

Date: Wed, 28 Mar 2012 22:24:01 UTC

Severity: critical

Tags: security

Found in version google-authenticator/20110413.68230188bdc7-1.1

Fixed in version google-authenticator/20130529-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, LENART Janos <ocsi@debian.org>:
Bug#666129; Package libpam-google-authenticator. (Wed, 28 Mar 2012 22:24:04 GMT)


Acknowledgement sent to Faidon Liambotis <paravoid@debian.org>:
New Bug report received and forwarded. Copy sent to LENART Janos <ocsi@debian.org>. (Wed, 28 Mar 2012 22:24:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Faidon Liambotis <paravoid@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Please update to a newer upstream release
Date: Thu, 29 Mar 2012 00:59:56 +0300
Package: libpam-google-authenticator
Version: 20110413.68230188bdc7-1.1
Severity: wishlist

Hi,

I would like to have a newer version of google-authenticator in the
archive; the version currently in Debian is almost a year old and
several new features have been added to upstream's trunk (it's
unfortunate that upstream doesn't believe in "releases"…).

In particular, I was interested in having counter-based HOTP instead of
TOTP, since the box I want to use libpam-google-authenticator on doesn't
have an RTC and relying on not having network outages (for NTP) is a
no-go for this. I was happy to see that upstream supports this, only to
be disappointed that this isn't in Debian :-)

If you're busy, I can certainly help with the upload and do an NMU,
although I'm afraid I don't have the time or will to help with the
maintenance in general.

Thanks, and thank you for packaging google-authenticator. 

Regards,
Faidon




Information forwarded to debian-bugs-dist@lists.debian.org, LENART Janos <ocsi@debian.org>:
Bug#666129; Package libpam-google-authenticator. (Sat, 22 Sep 2012 07:15:05 GMT)


Acknowledgement sent to rk <neoice@neoice.net>:
Extra info received and forwarded to list. Copy sent to LENART Janos <ocsi@debian.org>. (Sat, 22 Sep 2012 07:15:05 GMT)


Message #10 received at 666129@bugs.debian.org:

From: rk <neoice@neoice.net>
To: 666129@bugs.debian.org
Subject: RE: Please update to a newer upstream release
Date: Sat, 22 Sep 2012 00:12:10 -0700
There is also a severe and somewhat undocumented security issue fixed
by the "user=" parameter added in this commit:
https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8

Without this option, the SECRET file is required to be user-readable
which can expose the secret to an attacker under certain
configurations (notably when required for `sudo`, but not system
login).
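
An audit of the configuration rk describes, as an added example that is not code from this bug log or from the google-authenticator project: given a pam_google_authenticator line and constructed ownership/permission data for the secret file, it works out which account the module reads the secret as and whether the user being authenticated can read it. The option names `secret=` and `user=` are the module's real options; the `${USER}`/`${HOME}` placeholder expansion is assumed from the module's documentation, and the `gauth` service account, the paths and the file modes are constructed for the example.

```python
import stat
from dataclasses import dataclass

# Constructed PAM lines for the two configurations discussed in the bug. The option
# names secret= and user= are the module's real options; the path and the account
# name "gauth" are made up for this example.
PAM_NO_USER_OPTION = "auth required pam_google_authenticator.so"
PAM_WITH_USER_OPTION = ("auth required pam_google_authenticator.so "
                        "secret=/var/lib/google-authenticator/${USER} user=gauth")


@dataclass(frozen=True)
class FileInfo:
    """Ownership and permission bits of a secret file (constructed, not read from disk)."""
    owner: str
    group: str
    mode: int


def parse_pam_options(line):
    """Return the key=value options of a PAM config line as a dict; bare flags map to True."""
    opts = {}
    for tok in line.split()[3:]:  # skip the type, control and module-path fields
        key, sep, val = tok.partition("=")
        opts[key] = val if sep else True
    return opts


def expand_secret_path(template, user, home):
    """Expand ${USER} and ${HOME} in a secret= path (placeholder syntax assumed)."""
    return template.replace("${USER}", user).replace("${HOME}", home)


def can_read(info, account, groups):
    """POSIX read check for `account` (member of `groups`): owner, then group, then world bit."""
    if info.owner == account:
        return bool(info.mode & stat.S_IRUSR)
    if info.group in groups:
        return bool(info.mode & stat.S_IRGRP)
    return bool(info.mode & stat.S_IROTH)


def assess(pam_line, login_user, login_groups, home, secret_file):
    """Work out which account the module reads the secret as and who else can read it.

    Without user=, the module opens the file as the login user, so the file must be
    readable by that user, and any process running as that user (the sudo case in
    the bug) can copy the seed. With user=, a dedicated account reads it and the
    file can be made unreadable by the login user.
    """
    opts = parse_pam_options(pam_line)
    reader = opts.get("user", login_user)
    template = opts.get("secret", "${HOME}/.google_authenticator")
    return {
        "reader": reader,
        "path": expand_secret_path(template, login_user, home),
        "module_can_read": can_read(secret_file, reader, {reader}),
        "exposed_to_login_user": can_read(secret_file, login_user, login_groups),
    }


def demo():
    """Three constructed scenarios for login user alice (groups alice, sudo)."""
    groups = {"alice", "sudo"}
    home = "/home/alice"
    return {
        # Old layout: ~/.google_authenticator owned by alice; even at 0400 alice reads it.
        "no_user_option": assess(PAM_NO_USER_OPTION, "alice", groups, home,
                                 FileInfo("alice", "alice", 0o400)),
        # New layout: secret owned by the gauth service account, mode 0400.
        "user_option_ok": assess(PAM_WITH_USER_OPTION, "alice", groups, home,
                                 FileInfo("gauth", "gauth", 0o400)),
        # user= set but the file still owned by alice: exposed, and gauth cannot read it.
        "user_option_wrong_owner": assess(PAM_WITH_USER_OPTION, "alice", groups, home,
                                          FileInfo("alice", "alice", 0o400)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The first scenario is the point of the bug: tightening the mode of `~/.google_authenticator` cannot help, because the account that must read the file is the same account whose processes you are trying to keep away from it. The third scenario is the check worth keeping after migrating to `user=`: ownership must actually move to the service account, otherwise the secret stays exposed and the module can no longer open it.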



Information forwarded to debian-bugs-dist@lists.debian.org, LENART Janos <ocsi@debian.org>:
Bug#666129; Package libpam-google-authenticator. (Wed, 24 Oct 2012 16:36:04 GMT)


Acknowledgement sent to Phil Armstrong <phil@kantaka.co.uk>:
Extra info received and forwarded to list. Copy sent to LENART Janos <ocsi@debian.org>. (Wed, 24 Oct 2012 16:36:04 GMT)


Message #15 received at 666129@bugs.debian.org:

From: Phil Armstrong <phil@kantaka.co.uk>
To: Debian Bug Tracking System <666129@bugs.debian.org>
Subject: Re: Please update to a newer upstream release
Date: Wed, 24 Oct 2012 16:42:55 +0100
Package: libpam-google-authenticator
Version: 20110413.68230188bdc7-1.1
Followup-For: Bug #666129

Upstream released version 1.0 in May by the way:

  http://code.google.com/p/google-authenticator/downloads/detail?name=libpam-google-authenticator-1.0-source.tar.bz2

cheers, Phil



Information forwarded to debian-bugs-dist@lists.debian.org, LENART Janos <ocsi@debian.org>:
Bug#666129; Package libpam-google-authenticator. (Thu, 18 Apr 2013 07:18:04 GMT)


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to LENART Janos <ocsi@debian.org>. (Thu, 18 Apr 2013 07:18:04 GMT)


Message #20 received at 666129@bugs.debian.org:

From: Alexander Wirt <formorer@debian.org>
To: rk <neoice@neoice.net>
Cc: 666129@bugs.debian.org
Subject: Re: Bug#666129: Please update to a newer upstream release
Date: Thu, 18 Apr 2013 09:13:24 +0200
tag 666129 security
severity 666129 critical
retitle 666129 new upstream version fixes security problem with the secret file
thanks

On Sat, 22 Sep 2012, rk wrote:

> There is also a severe and somewhat undocumented security issue fixed
> by the "user=" parameter added in this commit:
> https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8
> 
> Without this option, the SECRET file is required to be user-readable
> which can expose the secret to an attacker under certain
> configurations (notably when required for `sudo`, but not system
> login).
This is indeed a security problem. Lenart, do you need any help to get the
package updated? I also think it doesn't make sense to ship the package in
this state with wheezy and therefore I asked for removal from testing.

Alex



Added tag(s) security. Request was from Alexander Wirt <formorer@debian.org> to control@bugs.debian.org. (Thu, 18 Apr 2013 07:18:07 GMT)


Severity set to 'critical' from 'wishlist'. Request was from Alexander Wirt <formorer@debian.org> to control@bugs.debian.org. (Thu, 18 Apr 2013 07:18:08 GMT)


Changed Bug title to 'new upstream version fixes security problem with the secret file' from 'Please update to a newer upstream release'. Request was from Alexander Wirt <formorer@debian.org> to control@bugs.debian.org. (Thu, 18 Apr 2013 07:18:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, LENART Janos <ocsi@debian.org>:
Bug#666129; Package libpam-google-authenticator. (Thu, 18 Apr 2013 19:33:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to LENART Janos <ocsi@debian.org>. (Thu, 18 Apr 2013 19:33:05 GMT)


Message #31 received at 666129@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Alexander Wirt <formorer@debian.org>, 666129@bugs.debian.org
Cc: rk <neoice@neoice.net>
Subject: Re: Bug#666129: Please update to a newer upstream release
Date: Thu, 18 Apr 2013 21:28:10 +0200
Control: retitle 666129 new upstream version fixes security problem with the secret file (CVE-2012-6140)

Hi all

On Thu, Apr 18, 2013 at 09:13:24AM +0200, Alexander Wirt wrote:
> tag 666129 security
> severity 666129 critical
> retitle 666129 new upstream version fixes security problem with the secret file
> thanks
> 
> On Sat, 22 Sep 2012, rk wrote:
> 
> > There is also a severe and somewhat undocumented security issue fixed
> > by the "user=" parameter added in this commit:
> > https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8
> > 
> > Without this option, the SECRET file is required to be user-readable
> > which can expose the secret to an attacker under certain
> > configurations (notably when required for `sudo`, but not system
> > login).
> This is indeed a security problem. Lenart, do you need any help to get the
> package updated? I also think it doesn't make sense to ship the package in
> this state with wheezy and there I asked for removal from testing.

A CVE was assigned for this issue: CVE-2012-6140, see [1].

 [1]: http://marc.info/?l=oss-security&m=136630281802738&w=2

Regards,
Salvatore



Changed Bug title to 'new upstream version fixes security problem with the secret file (CVE-2012-6140)' from 'new upstream version fixes security problem with the secret file'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 666129-submit@bugs.debian.org. (Thu, 18 Apr 2013 19:33:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, LENART Janos <ocsi@debian.org>:
Bug#666129; Package libpam-google-authenticator. (Mon, 27 May 2013 08:39:05 GMT)


Acknowledgement sent to Mr Allwyn Fernandes <dbwerwesklsdf@stobor.net>:
Extra info received and forwarded to list. Copy sent to LENART Janos <ocsi@debian.org>. (Mon, 27 May 2013 08:39:05 GMT)


Message #38 received at 666129@bugs.debian.org:

From: Mr Allwyn Fernandes <dbwerwesklsdf@stobor.net>
To: LENART Janos <ocsi@debian.org>, 666129@bugs.debian.org
Subject: NMU to latest git?
Date: Mon, 27 May 2013 18:29:01 +1000
Hi Lenart,

Just wondering if you are planning to update google-authenticator to a newer 
version, as per bugs #666129 and #660188, or if you mind if I do an NMU? I had 
built a deb from git HEAD a few months ago, and have the relevant files handy 
to submit if you don't have the time to look at it.

Cheers,

Allwyn.





Information forwarded to debian-bugs-dist@lists.debian.org, LENART Janos <ocsi@debian.org>:
Bug#666129; Package libpam-google-authenticator. (Wed, 29 May 2013 21:06:09 GMT)


Acknowledgement sent to Janos LENART <ocsi@debian.org>:
Extra info received and forwarded to list. Copy sent to LENART Janos <ocsi@debian.org>. (Wed, 29 May 2013 21:06:09 GMT)


Message #43 received at 666129@bugs.debian.org:

From: Janos LENART <ocsi@debian.org>
To: Mr Allwyn Fernandes <dbwerwesklsdf@stobor.net>, 666129@bugs.debian.org
Subject: Re: Bug#666129: NMU to latest git?
Date: Wed, 29 May 2013 21:56:43 +0100
In progress, sorry for the delay.
google-authenticator_20130529-1_amd64.changes uploaded successfully to
localhost
along with the files:
  google-authenticator_20130529-1.dsc
  google-authenticator_20130529.orig.tar.gz
  google-authenticator_20130529-1.debian.tar.gz
  libpam-google-authenticator_20130529-1_amd64.deb

Greetings,

        Your Debian queue daemon (running on host franck.debian.org)


On 27 May 2013 09:29, Mr Allwyn Fernandes <dbwerwesklsdf@stobor.net> wrote:

> Hi Lenart,
>
> Just wondering if you are planning to update google-authenticator to a newer
> version, as per bugs #666129 and #660188, or if you mind if I do an NMU? I had
> built a deb from git HEAD a few months ago, and have the relevant files handy
> to submit if you don't have the time to look at it.
>
> Cheers,
>
> Allwyn.
>



-- 
LÉNÁRT, János
<ocsi@debian.org>

Marked as fixed in versions google-authenticator/20130529-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 30 May 2013 05:27:04 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 30 May 2013 05:27:04 GMT)


Notification sent to Faidon Liambotis <paravoid@debian.org>:
Bug acknowledged by developer. (Thu, 30 May 2013 05:27:05 GMT)


Message sent on to Faidon Liambotis <paravoid@debian.org>:
Bug#666129. (Thu, 30 May 2013 05:27:08 GMT)


Message #52 received at 666129-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 666129-submitter@bugs.debian.org
Subject: closing 666129
Date: Thu, 30 May 2013 07:23:03 +0200
close 666129 20130529-1
thanks

New version in unstable (20130529-1)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 Jul 2013 07:30:35 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:52:56 2019; Machine Name: buxtehude
