Bug 12873 - oath-toolkit new security issue CVE-2013-7322
Summary: oath-toolkit new security issue CVE-2013-7322
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal / Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/588030/
Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-02-24 22:50 CET by David Walser
Modified: 2014-02-25 23:23 CET (History)

See Also:
Source RPM: oath-toolkit-2.4.0-2.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-02-24 22:50:33 CET
Fedora has issued an advisory on February 14:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128934.html

The issue is fixed upstream in 2.4.1 and a patch is available.

The patch is linked from the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1063083

Updated packages uploaded for Mageia 4 and Cauldron.

Patched package uploaded for Mageia 3.

Advisory:
========================

Updated oath-toolkit packages fix security vulnerability:

It was found that comments (lines starting with a hash) in /etc/users.oath
could prevent one-time-passwords (OTP) from being invalidated, leaving the OTP
vulnerable to replay attacks (CVE-2013-7322).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7322
http://lists.nongnu.org/archive/html/oath-toolkit-help/2013-12/msg00000.html
http://www.nongnu.org/oath-toolkit/NEWS.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128934.html
========================

Updated packages in core/updates_testing:
========================
oath-toolkit-1.12.6-2.1.mga3
pam_oath-1.12.6-2.1.mga3
liboath0-1.12.6-2.1.mga3
liboath-devel-1.12.6-2.1.mga3
oath-toolkit-2.4.1-1.mga4
pam_oath-2.4.1-1.mga4
liboath0-2.4.1-1.mga4
liboath-devel-2.4.1-1.mga4

from SRPMS:
oath-toolkit-1.12.6-2.1.mga3.src.rpm
oath-toolkit-2.4.1-1.mga4.src.rpm

David Walser 2014-02-24 22:50:39 CET

Whiteboard: (none) => MGA3TOO

Comment 1 claire robinson 2014-02-25 09:01:32 CET
Another first time test.

Some useful info here: http://www.nongnu.org/oath-toolkit/oathtool.1.html
Comment 2 Anne Nicolas 2014-02-25 09:25:17 CET
Here is an easy howto to follow for testing.

Applied on Mageia 4 64

$  oathtool 00
328482
$ oathtool -w 10 3132333435363738393031323334353637383930
755224
287082
359152
969429
338314
254676
287922
162583
399871
520489
403154
$ oathtool -c 5 3132333435363738393031323334353637383930
254676
$ oathtool -w 10 3132333435363738393031323334353637383930 969429
3
$  oathtool --totp 00
209837
$ oathtool --totp --time-step-size=45s 00
344050
$ 109841
bash: 109841: command not found
$ oathtool --totp --time-step-size=45s 00
344050
$ oathtool --totp --start-time "1980-01-01 00:00:00 UTC" 00
354641
$ oathtool --totp -v -N "2033-05-18 03:33:20 UTC" -d8 3132333435363738393031323334353637383930
Hex secret: 3132333435363738393031323334353637383930
Base32 secret: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
Digits: 8
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2033-05-18 03:33:20 UTC (2000000000)
Counter: 0x3F940AA (66666666)

69279037


So seems ok here

CC: (none) => ennael1
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
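The test procedure above is the RFC 4226 / RFC 6238 test vector set (secret "12345678901234567890", hex 3132...3930), and the advisory's point is that a counter that is not written back leaves an HOTP value replayable. The following is an added example, not code from oath-toolkit, pam_oath or this bug's patch: it recomputes the OTPs shown in the procedure, reproduces the window search behind `oathtool -w 10 KEY OTP`, and verifies an OTP against a users.oath-style file while preserving comment lines and recording the used counter so a replay is refused. The record format `HOTP <user> - <hexsecret> [<last_counter>]` is a simplification assumed for the example, and the sample file is constructed, not a real /etc/users.oath.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret "12345678901234567890", i.e. the hex key
# 3132...3930 used in the oathtool procedure above.
TEST_SECRET = bytes.fromhex("3132333435363738393031323334353637383930")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, start: int = 0,
         digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor((now - start) / step).
    `oathtool --totp --time-step-size=45s` corresponds to step=45."""
    return hotp(secret, (now - start) // step, digits)


def window_position(secret: bytes, otp: str, start: int = 0,
                    window: int = 10) -> int:
    """Return the offset at which `otp` matches among counters start..start+window,
    or -1.  This is what `oathtool -w 10 KEY OTP` prints (3 for 969429)."""
    for i in range(window + 1):
        if hmac.compare_digest(hotp(secret, start + i), otp):
            return i
    return -1


def verify_and_update(lines, user, otp, window=10):
    """Check `otp` for `user` against users.oath-style lines and return
    (accepted, updated_lines).  The accepted counter is written back so the
    same OTP is refused on replay.  Comment and blank lines are copied through
    untouched and are never mistaken for the user record, which is the
    property CVE-2013-7322 was about.  Record format (assumed simplification):
    HOTP <user> - <hexsecret> [<last_counter>]"""
    out, accepted = [], False
    for raw in lines:
        line = raw.rstrip("\n")
        fields = line.split()
        if not fields or line.lstrip().startswith("#"):
            out.append(raw)            # comment or blank line: keep verbatim
            continue
        if accepted or len(fields) < 4 or fields[0] != "HOTP" or fields[1] != user:
            out.append(raw)            # not this user's record (or already handled)
            continue
        secret = bytes.fromhex(fields[3])
        last = int(fields[4]) if len(fields) > 4 else -1
        pos = window_position(secret, otp, last + 1, window)
        if pos >= 0:
            accepted = True
            fields = fields[:4] + [str(last + 1 + pos)]   # invalidate counters <= this one
        out.append(" ".join(fields) + "\n")
    return accepted, out


def replay_demo():
    """Accept counter 3 (969429), refuse its replay, then accept counter 4 (338314)."""
    usersfile = [                       # constructed sample, not a real /etc/users.oath
        "# HOTP users (constructed sample)\n",
        "HOTP alice - 3132333435363738393031323334353637383930\n",
        "# trailing comment\n",
    ]
    first, usersfile = verify_and_update(usersfile, "alice", "969429")
    replay, usersfile = verify_and_update(usersfile, "alice", "969429")
    nxt, usersfile = verify_and_update(usersfile, "alice", "338314")
    return first, replay, nxt, usersfile


if __name__ == "__main__":
    print([hotp(TEST_SECRET, c) for c in range(11)])   # the `oathtool -w 10` list
    print(totp(TEST_SECRET, 2000000000, digits=8))     # the -N 2033-05-18 value
    print(replay_demo())
```

The counter written back is the one that matched, so a later attempt with the same OTP searches only counters above it and fails; if the update were silently skipped (as the advisory describes for files containing comments), the second call would return True as well.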

Comment 3 Anne Nicolas 2014-02-25 09:33:11 CET
[a@localhost ~]$ oathtool 00
328482
[a@localhost ~]$ oathtool -w 10 3132333435363738393031323334353637383930
755224
287082
359152
969429
338314
254676
287922
162583
399871
520489
403154
[a@localhost ~]$ oathtool -c 5 3132333435363738393031323334353637383930
254676
[a@localhost ~]$ oathtool -w 10 3132333435363738393031323334353637383930 969429
3
[a@localhost ~]$ oathtool --totp 00
499684
[a@localhost ~]$ oathtool --totp --time-step-size=45s 00
175160
[a@localhost ~]$ oathtool --totp --time-step-size=45s 00
175160
[a@localhost ~]$ oathtool --totp --start-time "1980-01-01 00:00:00 UTC" 00
615660
[a@localhost ~]$  oathtool --totp -v -N "2033-05-18 03:33:20 UTC" -d8 3132333435363738393031323334353637383930
Hex secret: 3132333435363738393031323334353637383930
Base32 secret: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
Digits: 8
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2033-05-18 03:33:20 UTC (2000000000)
Counter: 0x3F940AA (66666666)

69279037

validated on Mageia 4 32

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok

Comment 4 David Walser 2014-02-25 17:50:11 CET
Testing complete on Mageia 3 i586.

[david@mageia3 ~]$ oathtool 00
328482
[david@mageia3 ~]$ oathtool -w 10 3132333435363738393031323334353637383930
755224
287082
359152
969429
338314
254676
287922
162583
399871
520489
403154
[david@mageia3 ~]$ oathtool -c 5 3132333435363738393031323334353637383930
254676
[david@mageia3 ~]$ oathtool -w 10 3132333435363738393031323334353637383930 969429
3
[david@mageia3 ~]$ oathtool --totp 00
259145
[david@mageia3 ~]$ oathtool --totp --time-step-size=45s 00
237360
[david@mageia3 ~]$ oathtool --totp --time-step-size=45s 00
237360
[david@mageia3 ~]$ oathtool --totp --start-time "1980-01-01 00:00:00 UTC" 00
383294
[david@mageia3 ~]$  oathtool --totp -v -N "2033-05-18 03:33:20 UTC" -d8 3132333435363738393031323334353637383930
Hex secret: 3132333435363738393031323334353637383930
Base32 secret: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
Digits: 8
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2033-05-18 03:33:20 UTC (2000000000)
Counter: 0x3F940AA (66666666)

69279037
Comment 5 Marc Lattemann 2014-02-25 22:15:30 CET
testing complete on Mageia 3 x86_64:

[marc@localhost ~]$  oathtool 00
328482
[marc@localhost ~]$ oathtool -w 10 3132333435363738393031323334353637383930
755224
287082
359152
969429
338314
254676
287922
162583
399871
520489
403154
[marc@localhost ~]$ oathtool -c 5 3132333435363738393031323334353637383930
254676
[marc@localhost ~]$ oathtool -w 10 3132333435363738393031323334353637383930 969429
3
[marc@localhost ~]$ oathtool --totp 00
605502
[marc@localhost ~]$ oathtool --totp --time-step-size=45s 00
387270
[marc@localhost ~]$ oathtool --totp --time-step-size=45s 00
125716
[marc@localhost ~]$ oathtool --totp --start-time "1980-01-01 00:00:00 UTC" 00
184312
[marc@localhost ~]$ oathtool --totp -v -N "2033-05-18 03:33:20 UTC" -d8 3132333435363738393031323334353637383930
Hex secret: 3132333435363738393031323334353637383930
Base32 secret: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
Digits: 8
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2033-05-18 03:33:20 UTC (2000000000)
Counter: 0x3F940AA (66666666)

69279037

looks good? Adding tag for mga3 32bit according to comment #4 as well.

CC: (none) => marc.lattemann
Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok

Comment 6 Rémi Verschelde 2014-02-25 22:35:04 CET
Validating, advisory uploaded. Please push to 3 & 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok advisory
CC: (none) => remi, sysadmin-bugs

Comment 7 Thomas Backlund 2014-02-25 23:23:48 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0101.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

