Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2019-12209

Yubico pam-u2f 1.0.7 attempts parsing of the configured authfile (default $HOME/.config/Yubico/u2f_keys) as root (unless openasuser was enabled), and does not properly verify that the path lacks symlinks pointing to other files on the system owned by root. If the debug option is enabled in the PAM configuration, part of the file contents of a symlink target will be logged, possibly revealing sensitive information.

Related bugs and status

CVE-2019-12209 (Candidate) is related to these bugs:

Bug #1831713: Security update to libpam-u2f from Yubico

Summary				In	Importance	Status
	1831713	Security update to libpam-u2f from Yubico		pam-u2f (Ubuntu)	Undecided	Confirmed

See the

CVE page on Mitre.org for more details.

References

CONFIRM: https://developers.yub...
CONFIRM: https://github.com/Yub...
MLIST: [oss-security] 2019060...
FEDORA: FEDORA-2019-b6d3c8b0a8
SUSE: openSUSE-SU-2019:1708
SUSE: openSUSE-SU-2019:1725
FEDORA: FEDORA-2019-cd8f4b9568