Package: libpam-u2f
Version: 1.0.7-1
Severity: important
Tags: security
Control: not-found -1 1.0.8-1
Yubico issued a new release of pam-u2f that fixes 2 security issues, both locally-exploitable information disclosures (and write-access to debug log):

- CVE-2019-12209 insecure debug file handling

  pam-u2f attempts parsing of the configured authfile (default ~/.config/Yubico/u2f_keys) as root (unless openasuser was enabled), and does not properly verify that the path lacks symlinks pointing to other files on the system owned by root. If the debug option is enabled in the PAM configuration, part of the file contents of a symlink target will be logged, possibly revealing sensitive information.

- CVE-2019-12210 debug file descriptor leak

  When pam-u2f is configured with debug and a custom debug log file is set using debug_file, that file descriptor is not closed when a new process is spawned. This leads to the file descriptor being inherited into the child process; the child process can then read from and write to it. This can leak sensitive information and also, if written to, be used to fill the disk or plant misinformation.

Should I make a version of the package for buster-security? FWIW, those issues aren't exploitable in the default configuration, but I'd rather not leave them at all.
Best,
  nicoo

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-u2f depends on:
ii  libc6           2.28-10
ii  libpam0g        1.3.1-5
ii  libu2f-host0    1.1.9-1
ii  libu2f-server0  1.1.0-2

Versions of packages libpam-u2f recommends:
ii  pamu2fcfg  1.0.7-1

libpam-u2f suggests no packages.

-- no debconf information
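The two defects in the report come down to how a privileged module opens user-controlled files: following a symlink in the authfile path (CVE-2019-12209) and leaving the debug descriptor inheritable by spawned children (CVE-2019-12210). The C sketch below is an added example, not pam-u2f code; it opens a file with O_NOFOLLOW and O_CLOEXEC, verifies owner and file type via fstat(), and runs a constructed scenario (temp dir, real file, symlink) showing the symlink refused and the descriptor marked close-on-exec.

```c
/* Added example (not pam-u2f code): open a per-user config file the way a
 * root-running PAM module should, closing both holes from the report. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` read-only. O_NOFOLLOW makes open() fail with ELOOP when the
 * final component is a symlink; O_CLOEXEC marks the fd close-on-exec so a
 * spawned child cannot read or write it. fstat() then rejects anything that
 * is not a regular file owned by `owner`. Returns fd, or -1 with errno set. */
int open_owned_file(const char *path, uid_t owner) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NOCTTY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* 1 if fd carries FD_CLOEXEC, 0 if not, -1 on error. */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : !!(flags & FD_CLOEXEC);
}

/* Constructed scenario: a real keys file plus a symlink to it in a temp dir.
 * Returns 0 when the real file opens close-on-exec and the symlink is refused. */
int run_scenario(void) {
    char dir[] = "/tmp/u2f_demo_XXXXXX";
    if (!mkdtemp(dir)) return 1;
    char real[64], link[64];
    snprintf(real, sizeof real, "%s/u2f_keys", dir);
    snprintf(link, sizeof link, "%s/u2f_keys_link", dir);
    int rc = 2;
    int w = open(real, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    int ok = w >= 0 && write(w, "user:handle,key\n", 16) == 16;
    if (w >= 0) close(w);
    if (ok && symlink(real, link) == 0) {
        int fd = open_owned_file(real, getuid());   /* must succeed */
        int bad = open_owned_file(link, getuid());  /* must fail with ELOOP */
        int bad_errno = errno;
        if (fd >= 0 && fd_is_cloexec(fd) == 1 && bad < 0 && bad_errno == ELOOP)
            rc = 0;
        if (fd >= 0) close(fd);
    }
    unlink(link); unlink(real); rmdir(dir);
    return rc;
}
```

A module that keeps a long-lived debug_file descriptor gets the same protection by opening it with O_CLOEXEC, so a fork()/exec() child never sees it.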