Bug 12873

Summary: oath-toolkit new security issue CVE-2013-7322
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: ennael1, marc.lattemann, rverschelde, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/588030/
Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok advisory
Source RPM: oath-toolkit-2.4.0-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-02-24 22:50:33 CET 
Fedora has issued an advisory on February 14:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128934.html

The issue is fixed upstream in 2.4.1 and a patch is available.

The patch is linked from the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1063083

Updated packages uploaded for Mageia 4 and Cauldron.

Patched package uploaded for Mageia 3.

Advisory:
========================

Updated oath-toolkit packages fix security vulnerability:

It was found that comments (lines starting with a hash) in /etc/users.oath
could prevent one-time-passwords (OTP) from being invalidated, leaving the OTP
vulnerable to replay attacks (CVE-2013-7322).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7322
http://lists.nongnu.org/archive/html/oath-toolkit-help/2013-12/msg00000.html
http://www.nongnu.org/oath-toolkit/NEWS.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128934.html
========================

Updated packages in core/updates_testing:
========================
oath-toolkit-1.12.6-2.1.mga3
pam_oath-1.12.6-2.1.mga3
liboath0-1.12.6-2.1.mga3
liboath-devel-1.12.6-2.1.mga3
oath-toolkit-2.4.1-1.mga4
pam_oath-2.4.1-1.mga4
liboath0-2.4.1-1.mga4
liboath-devel-2.4.1-1.mga4

from SRPMS:
oath-toolkit-1.12.6-2.1.mga3.src.rpm
oath-toolkit-2.4.1-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-02-24 22:50:39 CET

Whiteboard: (none) => MGA3TOO

Comment 1 claire robinson 2014-02-25 09:01:32 CET 
Another first time test.

Some useful info here: http://www.nongnu.org/oath-toolkit/oathtool.1.html
Comment 2 Anne Nicolas 2014-02-25 09:25:17 CET 
Here is an easy howto to follow for testing.

Applied on Mageia 4 64

$  oathtool 00
328482
$ oathtool -w 10 3132333435363738393031323334353637383930
755224
287082
359152
969429
338314
254676
287922
162583
399871
520489
403154
$ oathtool -c 5 3132333435363738393031323334353637383930
254676
$ oathtool -w 10 3132333435363738393031323334353637383930 969429
3
$  oathtool --totp 00
209837
$ oathtool --totp --time-step-size=45s 00
344050
$           109841
bash: 109841 : commande introuvable
$ oathtool --totp --time-step-size=45s 00
344050
$ oathtool --totp --start-time "1980-01-01 00:00:00 UTC" 00
354641
$ oathtool --totp -v -N "2033-05-18 03:33:20 UTC" -d8 3132333435363738393031323334353637383930
Hex secret: 3132333435363738393031323334353637383930
Base32 secret: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
Digits: 8
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2033-05-18 03:33:20 UTC (2000000000)
Counter: 0x3F940AA (66666666)

69279037


So seems ok here

CC: (none) => ennael1
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

Comment 3 Anne Nicolas 2014-02-25 09:33:11 CET 
[a@localhost ~]$ oathtool 00
328482
[a@localhost ~]$ oathtool -w 10 3132333435363738393031323334353637383930
755224
287082
359152
969429
338314
254676
287922
162583
399871
520489
403154
[a@localhost ~]$ oathtool -c 5 3132333435363738393031323334353637383930
254676
[a@localhost ~]$ oathtool -w 10 3132333435363738393031323334353637383930 969429
3
[a@localhost ~]$ oathtool --totp 00
499684
[a@localhost ~]$ oathtool --totp --time-step-size=45s 00
175160
[a@localhost ~]$ oathtool --totp --time-step-size=45s 00
175160
[a@localhost ~]$ oathtool --totp --start-time "1980-01-01 00:00:00 UTC" 00
615660
[a@localhost ~]$  oathtool --totp -v -N "2033-05-18 03:33:20 UTC" -d8 3132333435363738393031323334353637383930
Hex secret: 3132333435363738393031323334353637383930
Base32 secret: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
Digits: 8
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2033-05-18 03:33:20 UTC (2000000000)
Counter: 0x3F940AA (66666666)

69279037

validated on Mageia 4 32

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok

Comment 4 David Walser 2014-02-25 17:50:11 CET 
Testing complete on Mageia 3 i586.

[david@mageia3 ~]$ oathtool 00
328482
[david@mageia3 ~]$ oathtool -w 10 3132333435363738393031323334353637383930
755224
287082
359152
969429
338314
254676
287922
162583
399871
520489
403154
[david@mageia3 ~]$ oathtool -c 5 3132333435363738393031323334353637383930
254676
[david@mageia3 ~]$ oathtool -w 10 3132333435363738393031323334353637383930 969429
3
[david@mageia3 ~]$ oathtool --totp 00
259145
[david@mageia3 ~]$ oathtool --totp --time-step-size=45s 00
237360
[david@mageia3 ~]$ oathtool --totp --time-step-size=45s 00
237360
[david@mageia3 ~]$ oathtool --totp --start-time "1980-01-01 00:00:00 UTC" 00
383294
[david@mageia3 ~]$  oathtool --totp -v -N "2033-05-18 03:33:20 UTC" -d8 3132333435363738393031323334353637383930
Hex secret: 3132333435363738393031323334353637383930
Base32 secret: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
Digits: 8
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2033-05-18 03:33:20 UTC (2000000000)
Counter: 0x3F940AA (66666666)

69279037
Comment 5 Marc Lattemann 2014-02-25 22:15:30 CET 
testing complete on Mageia 3 x86_64:

[marc@localhost ~]$  oathtool 00
328482
[marc@localhost ~]$ oathtool -w 10 3132333435363738393031323334353637383930
755224
287082
359152
969429
338314
254676
287922
162583
399871
520489
403154
[marc@localhost ~]$ oathtool -c 5 3132333435363738393031323334353637383930
254676
[marc@localhost ~]$ oathtool -w 10 3132333435363738393031323334353637383930969429
3
[marc@localhost ~]$ oathtool --totp 00
605502
[marc@localhost ~]$ oathtool --totp --time-step-size=45s 00
387270
[marc@localhost ~]$ oathtool --totp --time-step-size=45s 00
125716
[marc@localhost ~]$ oathtool --totp --start-time "1980-01-01 00:00:00 UTC" 00
184312
[marc@localhost ~]$ oathtool --totp -v -N "2033-05-18 03:33:20 UTC" -d8 3132333435363738393031323334353637383930
Hex secret: 3132333435363738393031323334353637383930
Base32 secret: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
Digits: 8
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2033-05-18 03:33:20 UTC (2000000000)
Counter: 0x3F940AA (66666666)

69279037

looks good? Adding tag for mga3 32bit according to comment #4 as well.

CC: (none) => marc.lattemann
Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok

Comment 6 RĂ©mi Verschelde 2014-02-25 22:35:04 CET 
Validating, advisory uploaded. Please push to 3 & 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok advisory
CC: (none) => remi, sysadmin-bugs

Comment 7 Thomas Backlund 2014-02-25 23:23:48 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0101.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED