Bug 12873 - oath-toolkit new security issue CVE-2013-7322
: oath-toolkit new security issue CVE-2013-7322
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/588030/
: MGA3TOO has_procedure mga4-64-ok mga4...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2014-02-24 22:50 CET by David Walser
Modified: 2014-02-25 23:23 CET (History)
5 users (show)

See Also:
Source RPM: oath-toolkit-2.4.0-2.mga4.src.rpm
CVE:


Attachments

Description David Walser 2014-02-24 22:50:33 CET
Fedora has issued an advisory on February 14:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128934.html

The issue is fixed upstream in 2.4.1 and a patch is available.

The patch is linked from the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1063083

Updated packages uploaded for Mageia 4 and Cauldron.

Patched package uploaded for Mageia 3.

Advisory:
========================

Updated oath-toolkit packages fix security vulnerability:

It was found that comments (lines starting with a hash) in /etc/users.oath
could prevent one-time-passwords (OTP) from being invalidated, leaving the OTP
vulnerable to replay attacks (CVE-2013-7322).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7322
http://lists.nongnu.org/archive/html/oath-toolkit-help/2013-12/msg00000.html
http://www.nongnu.org/oath-toolkit/NEWS.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/128934.html
========================

Updated packages in core/updates_testing:
========================
oath-toolkit-1.12.6-2.1.mga3
pam_oath-1.12.6-2.1.mga3
liboath0-1.12.6-2.1.mga3
liboath-devel-1.12.6-2.1.mga3
oath-toolkit-2.4.1-1.mga4
pam_oath-2.4.1-1.mga4
liboath0-2.4.1-1.mga4
liboath-devel-2.4.1-1.mga4

from SRPMS:
oath-toolkit-1.12.6-2.1.mga3.src.rpm
oath-toolkit-2.4.1-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 claire robinson 2014-02-25 09:01:32 CET
Another first time test.

Some useful info here: http://www.nongnu.org/oath-toolkit/oathtool.1.html
Comment 2 Anne Nicolas 2014-02-25 09:25:17 CET
Here is an easy howto to follow for testing.

Applied on Mageia 4 64

$  oathtool 00
328482
$ oathtool -w 10 3132333435363738393031323334353637383930
755224
287082
359152
969429
338314
254676
287922
162583
399871
520489
403154
$ oathtool -c 5 3132333435363738393031323334353637383930
254676
$ oathtool -w 10 3132333435363738393031323334353637383930 969429
3
$  oathtool --totp 00
209837
$ oathtool --totp --time-step-size=45s 00
344050
$           109841
bash: 109841 : commande introuvable
$ oathtool --totp --time-step-size=45s 00
344050
$ oathtool --totp --start-time "1980-01-01 00:00:00 UTC" 00
354641
$ oathtool --totp -v -N "2033-05-18 03:33:20 UTC" -d8 3132333435363738393031323334353637383930
Hex secret: 3132333435363738393031323334353637383930
Base32 secret: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
Digits: 8
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2033-05-18 03:33:20 UTC (2000000000)
Counter: 0x3F940AA (66666666)

69279037


So seems ok here
Comment 3 Anne Nicolas 2014-02-25 09:33:11 CET
[a@localhost ~]$ oathtool 00
328482
[a@localhost ~]$ oathtool -w 10 3132333435363738393031323334353637383930
755224
287082
359152
969429
338314
254676
287922
162583
399871
520489
403154
[a@localhost ~]$ oathtool -c 5 3132333435363738393031323334353637383930
254676
[a@localhost ~]$ oathtool -w 10 3132333435363738393031323334353637383930 969429
3
[a@localhost ~]$ oathtool --totp 00
499684
[a@localhost ~]$ oathtool --totp --time-step-size=45s 00
175160
[a@localhost ~]$ oathtool --totp --time-step-size=45s 00
175160
[a@localhost ~]$ oathtool --totp --start-time "1980-01-01 00:00:00 UTC" 00
615660
[a@localhost ~]$  oathtool --totp -v -N "2033-05-18 03:33:20 UTC" -d8 3132333435363738393031323334353637383930
Hex secret: 3132333435363738393031323334353637383930
Base32 secret: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
Digits: 8
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2033-05-18 03:33:20 UTC (2000000000)
Counter: 0x3F940AA (66666666)

69279037

validated on Mageia 4 32
Comment 4 David Walser 2014-02-25 17:50:11 CET
Testing complete on Mageia 3 i586.

[david@mageia3 ~]$ oathtool 00
328482
[david@mageia3 ~]$ oathtool -w 10 3132333435363738393031323334353637383930
755224
287082
359152
969429
338314
254676
287922
162583
399871
520489
403154
[david@mageia3 ~]$ oathtool -c 5 3132333435363738393031323334353637383930
254676
[david@mageia3 ~]$ oathtool -w 10 3132333435363738393031323334353637383930 969429
3
[david@mageia3 ~]$ oathtool --totp 00
259145
[david@mageia3 ~]$ oathtool --totp --time-step-size=45s 00
237360
[david@mageia3 ~]$ oathtool --totp --time-step-size=45s 00
237360
[david@mageia3 ~]$ oathtool --totp --start-time "1980-01-01 00:00:00 UTC" 00
383294
[david@mageia3 ~]$  oathtool --totp -v -N "2033-05-18 03:33:20 UTC" -d8 3132333435363738393031323334353637383930
Hex secret: 3132333435363738393031323334353637383930
Base32 secret: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
Digits: 8
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2033-05-18 03:33:20 UTC (2000000000)
Counter: 0x3F940AA (66666666)

69279037
Comment 5 Marc Lattemann 2014-02-25 22:15:30 CET
testing complete on Mageia 3 x86_64:

[marc@localhost ~]$  oathtool 00
328482
[marc@localhost ~]$ oathtool -w 10 3132333435363738393031323334353637383930
755224
287082
359152
969429
338314
254676
287922
162583
399871
520489
403154
[marc@localhost ~]$ oathtool -c 5 3132333435363738393031323334353637383930
254676
[marc@localhost ~]$ oathtool -w 10 3132333435363738393031323334353637383930969429
3
[marc@localhost ~]$ oathtool --totp 00
605502
[marc@localhost ~]$ oathtool --totp --time-step-size=45s 00
387270
[marc@localhost ~]$ oathtool --totp --time-step-size=45s 00
125716
[marc@localhost ~]$ oathtool --totp --start-time "1980-01-01 00:00:00 UTC" 00
184312
[marc@localhost ~]$ oathtool --totp -v -N "2033-05-18 03:33:20 UTC" -d8 3132333435363738393031323334353637383930
Hex secret: 3132333435363738393031323334353637383930
Base32 secret: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
Digits: 8
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2033-05-18 03:33:20 UTC (2000000000)
Counter: 0x3F940AA (66666666)

69279037

looks good? Adding tag for mga3 32bit according to comment #4 as well.
Comment 6 Rémi Verschelde 2014-02-25 22:35:04 CET
Validating, advisory uploaded. Please push to 3 & 4 core/updates.
Comment 7 Thomas Backlund 2014-02-25 23:23:48 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0101.html

Note You need to log in before you can comment on or make changes to this bug.