Security update to libpam-u2f from Yubico

Bug #1831713 reported by Gabriel Kihlman
Affects          | Status    | Importance | Assigned to | Milestone
pam-u2f (Ubuntu) | Confirmed | Undecided  | Unassigned  |

Bug Description

Hi

Yubico have released version 1.0.8 of pam-u2f containing two security fixes that together could allow a local user to read any file on the filesystem if the debug and debug_file variables have been set in the pam module configuration. Also, the authfile setting file in the user's home directory was parsed as root and would follow symlinks, which could be abused in many ways.

https://developers.yubico.com/pam-u2f/Release_Notes.html

This was discovered by SUSE and they will make a post to oss-security@ soon.

Release tarball: https://developers.yubico.com/pam-u2f/Releases/pam_u2f-1.0.8.tar.gz

Commit fix for CVE-2019-12210:
https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62

Commit fix for CVE-2019-12209:
https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3

Another minor security fix that also went in the release:
https://github.com/Yubico/pam-u2f/commit/aab0c31a3bfed8912a271685d6ec909f61380155

Cheers,
Gabriel
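The symlink-following issue described in the report above, as an added example that is not pam-u2f's own code and not Yubico's fix: a C routine a privileged process can use to open a file from a user-controlled directory, refusing a symlink at the final path component with O_NOFOLLOW and validating the inode it actually opened (regular file, expected owner, not group/world-writable) with fstat rather than a racy stat-then-open. The function names safe_open_user_file and demo_symlink_refused, the temp-directory prefix and the sample key-file line are all constructed for this demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcomes of safe_open_user_file(). */
enum open_result {
    OPEN_OK = 0,
    OPEN_ERR_SYMLINK,      /* final component is a symlink; refused by O_NOFOLLOW */
    OPEN_ERR_NOT_REGULAR,  /* directory, FIFO, device node, ... */
    OPEN_ERR_WRONG_OWNER,  /* inode not owned by the expected user */
    OPEN_ERR_WRITABLE,     /* group- or world-writable, so contents are not trustworthy */
    OPEN_ERR_OTHER         /* missing file, permission denied, I/O error */
};

/* Open `path` read-only on behalf of a privileged reader. O_NOFOLLOW makes the
 * kernel refuse a symlink in the final component; the remaining checks run on
 * the descriptor via fstat(), so they describe the inode that was opened and
 * cannot be raced by swapping the path between a stat() and the open(). */
enum open_result safe_open_user_file(const char *path, uid_t expected_uid, int *fd_out)
{
    *fd_out = -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NOCTTY);
    if (fd < 0)
        return (errno == ELOOP || errno == EMLINK) ? OPEN_ERR_SYMLINK : OPEN_ERR_OTHER;

    struct stat st;
    enum open_result r = OPEN_OK;
    if (fstat(fd, &st) != 0)
        r = OPEN_ERR_OTHER;
    else if (!S_ISREG(st.st_mode))
        r = OPEN_ERR_NOT_REGULAR;
    else if (st.st_uid != expected_uid)
        r = OPEN_ERR_WRONG_OWNER;
    else if (st.st_mode & (S_IWGRP | S_IWOTH))
        r = OPEN_ERR_WRITABLE;

    if (r != OPEN_OK) {
        close(fd);
        return r;
    }
    *fd_out = fd;
    return OPEN_OK;
}

/* Constructed sample content standing in for an authfile line. */
static const char sample_line[] = "alice:CONSTRUCTED_KEYHANDLE,CONSTRUCTED_PUBKEY\n";

/* Demo on constructed input: create a regular key file and a symlink to it in a
 * fresh temp directory, then open it directly, through the symlink, and again
 * after making it world-writable. Returns 0 when setup succeeded; the three
 * outcomes are reported through the out-parameters. */
int demo_symlink_refused(enum open_result *direct, enum open_result *via_symlink,
                         enum open_result *after_chmod_666)
{
    char dir[] = "/tmp/pam-u2f-demo-XXXXXX";   /* constructed path template */
    char target[PATH_MAX], link[PATH_MAX];
    int rc = -1, wfd = -1, fd = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/u2f_keys", dir);
    snprintf(link, sizeof link, "%s/u2f_keys_link", dir);

    wfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (wfd < 0)
        goto cleanup;
    if (write(wfd, sample_line, sizeof sample_line - 1) != (ssize_t)(sizeof sample_line - 1))
        goto cleanup;
    if (symlink(target, link) != 0)
        goto cleanup;

    *direct = safe_open_user_file(target, getuid(), &fd);          /* OPEN_OK */
    if (fd >= 0) close(fd);
    *via_symlink = safe_open_user_file(link, getuid(), &fd);       /* OPEN_ERR_SYMLINK */
    if (fd >= 0) close(fd);
    if (chmod(target, 0666) != 0)
        goto cleanup;
    *after_chmod_666 = safe_open_user_file(target, getuid(), &fd); /* OPEN_ERR_WRITABLE */
    if (fd >= 0) close(fd);
    rc = 0;

cleanup:
    if (wfd >= 0) close(wfd);
    unlink(link);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void)
{
    enum open_result a, b, c;
    if (demo_symlink_refused(&a, &b, &c) != 0) {
        perror("demo setup failed");
        return 1;
    }
    printf("direct=%d via_symlink=%d after_chmod_666=%d\n", a, b, c);
    return 0;
}
```

O_NOFOLLOW only covers the last path component: a symlinked parent directory on the way to the file is still followed, so a fuller defence opens the home directory first and walks each component with openat(..., O_NOFOLLOW), or drops privileges to the user before reading the file at all, which is the approach that removes the root-follows-symlink class entirely.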

CVE References

Gabriel Kihlman (nevun)
information type: Private Security → Public Security
Mike Salvatore (mikesalvatore) wrote:

CVE-2019-12210
CVE-2019-12209

Changed in pam-u2f (Ubuntu):
status: New → Confirmed