Debian Bug report logs - #666129
new upstream version fixes security problem with the secret file (CVE-2012-6140)
Reported by: Faidon Liambotis <paravoid@debian.org>
Date: Wed, 28 Mar 2012 22:24:01 UTC
Severity: critical
Tags: security
Found in version google-authenticator/20110413.68230188bdc7-1.1
Fixed in version google-authenticator/20130529-1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, LENART Janos <ocsi@debian.org>: Bug#666129; Package libpam-google-authenticator. (Wed, 28 Mar 2012 22:24:04 GMT)
Acknowledgement sent to Faidon Liambotis <paravoid@debian.org>: New Bug report received and forwarded. Copy sent to LENART Janos <ocsi@debian.org>. (Wed, 28 Mar 2012 22:24:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libpam-google-authenticator
Version: 20110413.68230188bdc7-1.1
Severity: wishlist
Hi,
I would like to have a newer version of google-authenticator in the
archive; the version currently in Debian is almost a year old and
several new features have been added to upstream's trunk (it's
unfortunate that upstream doesn't believe in "releases"…).
In particular, I was interested in having counter-based HOTP instead of
TOTP, since the box I want to use libpam-google-authenticator in doesn't
have an RTC and relying on not having network outages (for NTP) is a
no-go for this. I was happy to see that upstream supports this, only to
be disappointed that this isn't in Debian :-)
If you're busy, I can certainly help with the upload and do an NMU,
although I'm afraid I don't have the time or will to help with the
maintenance in general.
Thanks, and thank you for packaging google-authenticator.
Regards,
Faidon
Information forwarded to debian-bugs-dist@lists.debian.org, LENART Janos <ocsi@debian.org>: Bug#666129; Package libpam-google-authenticator. (Sat, 22 Sep 2012 07:15:05 GMT)
Acknowledgement sent to rk <neoice@neoice.net>: Extra info received and forwarded to list. Copy sent to LENART Janos <ocsi@debian.org>. (Sat, 22 Sep 2012 07:15:05 GMT)
Message #10 received at 666129@bugs.debian.org:
There is also a severe and somewhat undocumented security issue fixed
by the "user=" parameter added in this commit:
https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8
Without this option, the SECRET file is required to be user-readable
which can expose the secret to an attacker under certain
configurations (notably when required for `sudo`, but not system
login).
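The exposure described in the message above is a file-ownership and permission question, so a defender's first check is whether each seed file can be read by the account it protects. The audit below is an added example, not part of this bug thread or of upstream's code. It assumes the hardened layout the user= option is meant to enable (seed files owned by root, mode 0400, read by the PAM module as root rather than as the user), inspects upstream's default per-user path ~/.google_authenticator, and builds a constructed throw-away file for its self-check.

```python
import os
import stat
import tempfile
from dataclasses import dataclass, field
from typing import List


@dataclass
class SecretFileReport:
    path: str
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def classify_secret_file(owner_uid: int, mode: int, protected_uid: int) -> List[str]:
    """Compare one seed file against the assumed hardened layout: owned by
    root, mode 0400, read by the PAM module as root (upstream's user= option).
    owner_uid and mode are st_uid / st_mode from stat(); protected_uid is the
    account whose second factor the file holds. Returns one finding per
    deviation; an empty list means the file matches the layout."""
    findings: List[str] = []
    perm = stat.S_IMODE(mode)
    if perm & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group or others (mode %04o)" % perm)
    if perm & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others (mode %04o)" % perm)
    if owner_uid == protected_uid:
        # The protected account can read (or chmod) its own file, so a
        # password compromise alone yields the seed and the second factor
        # no longer adds anything wherever it is enforced, e.g. for sudo.
        findings.append("owned by the protected account (uid %d)" % owner_uid)
    elif owner_uid != 0:
        findings.append("owned by uid %d rather than root" % owner_uid)
    return findings


def audit_secret_file(path: str, protected_uid: int) -> SecretFileReport:
    """lstat() a seed file on disk (symlinks are not followed) and classify it."""
    st = os.lstat(path)
    report = SecretFileReport(path, classify_secret_file(st.st_uid, st.st_mode, protected_uid))
    if not stat.S_ISREG(st.st_mode):
        report.findings.append("not a regular file")
    return report


def audit_home_dirs(passwd_lines: List[str],
                    name: str = ".google_authenticator") -> List[SecretFileReport]:
    """Walk passwd-style 'user:x:uid:gid:gecos:home:shell' lines and audit each
    home directory's seed file, skipping accounts that have none."""
    reports = []
    for line in passwd_lines:
        fields = line.split(":")
        if len(fields) < 7:
            continue
        uid, home = int(fields[2]), fields[5]
        path = os.path.join(home, name)
        if os.path.lexists(path):
            reports.append(audit_secret_file(path, uid))
    return reports


def constructed_sample() -> SecretFileReport:
    """Self-check on a constructed file: a seed owned by the calling user with
    mode 0600, the layout this thread calls out as unsafe for the sudo case."""
    home = tempfile.mkdtemp(prefix="ga-audit-")
    path = os.path.join(home, ".google_authenticator")
    with open(path, "w") as f:
        f.write("CONSTRUCTED-SAMPLE-NOT-A-REAL-SEED\n")
    os.chmod(path, 0o600)
    line = "sample:x:%d:%d::%s:/bin/sh" % (os.getuid(), os.getgid(), home)
    return audit_home_dirs([line])[0]


if __name__ == "__main__":
    r = constructed_sample()
    print(r.path, "OK" if r.ok else "; ".join(r.findings))
```

On a real host, feed `audit_home_dirs` the lines of /etc/passwd (or the output of `getent passwd`) and treat any report with `ok == False` as a file whose seed the protected user could read and replay.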
Information forwarded to debian-bugs-dist@lists.debian.org, LENART Janos <ocsi@debian.org>: Bug#666129; Package libpam-google-authenticator. (Wed, 24 Oct 2012 16:36:04 GMT)
Acknowledgement sent to Phil Armstrong <phil@kantaka.co.uk>: Extra info received and forwarded to list. Copy sent to LENART Janos <ocsi@debian.org>. (Wed, 24 Oct 2012 16:36:04 GMT)
Message #15 received at 666129@bugs.debian.org:
Package: libpam-google-authenticator
Version: 20110413.68230188bdc7-1.1
Followup-For: Bug #666129
Upstream released version 1.0 in May by the way:
http://code.google.com/p/google-authenticator/downloads/detail?name=libpam-google-authenticator-1.0-source.tar.bz2
cheers, Phil
Information forwarded to debian-bugs-dist@lists.debian.org, LENART Janos <ocsi@debian.org>: Bug#666129; Package libpam-google-authenticator. (Thu, 18 Apr 2013 07:18:04 GMT)
Acknowledgement sent to Alexander Wirt <formorer@debian.org>: Extra info received and forwarded to list. Copy sent to LENART Janos <ocsi@debian.org>. (Thu, 18 Apr 2013 07:18:04 GMT)
Message #20 received at 666129@bugs.debian.org:
tag 666129 security
severity 666129 critical
retitle 666129 new upstream version fixes security problem with the secret file
thanks
On Sat, 22 Sep 2012, rk wrote:
> There is also a severe and somewhat undocumented security issue fixed
> by the "user=" parameter added in this commit:
> https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8
>
> Without this option, the SECRET file is required to be user-readable
> which can expose the secret to an attacker under certain
> configurations (notably when required for `sudo`, but not system
> login).
This is indeed a security problem. Lenart, do you need any help to get the
package updated? I also think it doesn't make sense to ship the package in
this state with wheezy and therefore I asked for removal from testing.
Alex
Added tag(s) security. Request was from Alexander Wirt <formorer@debian.org> to control@bugs.debian.org. (Thu, 18 Apr 2013 07:18:07 GMT)
Severity set to 'critical' from 'wishlist'. Request was from Alexander Wirt <formorer@debian.org> to control@bugs.debian.org. (Thu, 18 Apr 2013 07:18:08 GMT)
Changed Bug title to 'new upstream version fixes security problem with the secret file' from 'Please update to a newer upstream release'. Request was from Alexander Wirt <formorer@debian.org> to control@bugs.debian.org. (Thu, 18 Apr 2013 07:18:09 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, LENART Janos <ocsi@debian.org>: Bug#666129; Package libpam-google-authenticator. (Thu, 18 Apr 2013 19:33:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to LENART Janos <ocsi@debian.org>. (Thu, 18 Apr 2013 19:33:05 GMT)
Message #31 received at 666129@bugs.debian.org:
Control: retitle 666129 new upstream version fixes security problem with the secret file (CVE-2012-6140)
Hi all
On Thu, Apr 18, 2013 at 09:13:24AM +0200, Alexander Wirt wrote:
> tag 666129 security
> severity 666129 critical
> retitle 666129 new upstream version fixes security problem with the secret file
> thanks
>
> On Sat, 22 Sep 2012, rk wrote:
>
> > There is also a severe and somewhat undocumented security issue fixed
> > by the "user=" parameter added in this commit:
> > https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8
> >
> > Without this option, the SECRET file is required to be user-readable
> > which can expose the secret to an attacker under certain
> > configurations (notably when required for `sudo`, but not system
> > login).
> This is indeed a security problem. Lenart, do you need any help to get the
> package updated? I also think it doesn't make sense to ship the package in
> this state with wheezy and there I asked for removal from testing.
A CVE was assigned for this issue: CVE-2012-6140, see [1].
[1]: http://marc.info/?l=oss-security&m=136630281802738&w=2
Regards,
Salvatore
Changed Bug title to 'new upstream version fixes security problem with the secret file (CVE-2012-6140)' from 'new upstream version fixes security problem with the secret file'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 666129-submit@bugs.debian.org. (Thu, 18 Apr 2013 19:33:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, LENART Janos <ocsi@debian.org>: Bug#666129; Package libpam-google-authenticator. (Mon, 27 May 2013 08:39:05 GMT)
Acknowledgement sent to Mr Allwyn Fernandes <dbwerwesklsdf@stobor.net>: Extra info received and forwarded to list. Copy sent to LENART Janos <ocsi@debian.org>. (Mon, 27 May 2013 08:39:05 GMT)
Message #38 received at 666129@bugs.debian.org:
Hi Lenart,
Just wondering if you are planning to update google-authenticator to a newer
version, as per bugs #666129 and #660188, or if you mind if I do an NMU? I had
built a deb from git HEAD a few months ago, and have the relevant files handy
to submit if you don't have the time to look at it.
Cheers,
Allwyn.
Information forwarded to debian-bugs-dist@lists.debian.org, LENART Janos <ocsi@debian.org>: Bug#666129; Package libpam-google-authenticator. (Wed, 29 May 2013 21:06:09 GMT)
Acknowledgement sent to Janos LENART <ocsi@debian.org>: Extra info received and forwarded to list. Copy sent to LENART Janos <ocsi@debian.org>. (Wed, 29 May 2013 21:06:09 GMT)
Message #43 received at 666129@bugs.debian.org:
In progress, sorry for the delay
google-authenticator_20130529-1_amd64.changes uploaded successfully to
localhost
along with the files:
google-authenticator_20130529-1.dsc
google-authenticator_20130529.orig.tar.gz
google-authenticator_20130529-1.debian.tar.gz
libpam-google-authenticator_20130529-1_amd64.deb
Greetings,
Your Debian queue daemon (running on host franck.debian.org)
On 27 May 2013 09:29, Mr Allwyn Fernandes <dbwerwesklsdf@stobor.net> wrote:
> Hi Lenart,
>
> Just wondering if you are planning to update google-authenticator to a
> newer
> version, as per bugs #666129 and #660188, or if you mind if I do an NMU? I
> had
> built a deb from git HEAD a few months ago, and have the relevant files
> handy
> to submit if you don't have the time to look at it.
>
> Cheers,
>
> Allwyn.
>
--
LÉNÁRT, János
<ocsi@debian.org>
Marked as fixed in versions google-authenticator/20130529-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 30 May 2013 05:27:04 GMT)
Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 30 May 2013 05:27:04 GMT)
Notification sent to Faidon Liambotis <paravoid@debian.org>: Bug acknowledged by developer. (Thu, 30 May 2013 05:27:05 GMT)
Message sent on to Faidon Liambotis <paravoid@debian.org>: Bug#666129. (Thu, 30 May 2013 05:27:08 GMT)
Message #52 received at 666129-submitter@bugs.debian.org:
close 666129 20130529-1
thanks
New version in unstable (20130529-1)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 Jul 2013 07:30:35 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 13:52:56 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.