Arch Linux and Debian have issued advisories on October 4:
https://lists.archlinux.org/archives/list/arch-security@lists.archlinux.org/message/IDKMOOVTHHDXCEEZ2S4VVYLM3N5QBPJA/
https://lwn.net/Articles/993124/
CVE: (none) => CVE-2024-47191
Source RPM: (none) => oath-toolkit-2.6.11-1.mga10.src.rpm, oath-toolkit-2.6.7-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 2.6.12 and patch available from Debian
Whiteboard: (none) => MGA9TOO
For this specific error:
https://lists.debian.org/debian-security-announce/2024/msg00197.html
https://security-tracker.debian.org/tracker/source-package/oath-toolkit
https://security-tracker.debian.org/tracker/CVE-2024-47191

The last URL does have a list of links to patches at the end, if they are appropriate.

Different packagers deal with this SRPM, so assigning globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink. (CVE-2024-47191)

References:
https://lists.archlinux.org/archives/list/arch-security@lists.archlinux.org/message/IDKMOOVTHHDXCEEZ2S4VVYLM3N5QBPJA/
https://lwn.net/Articles/993124/
========================

Updated packages in core/updates_testing:
========================
lib(64)oath0-2.6.7-1.1.mga9
lib(64)oath-devel-2.6.7-1.1.mga9
lib(64)pskc0-2.6.7-1.1.mga9
lib(64)pskc-devel-2.6.7-1.1.mga9
oath-toolkit-2.6.7-1.1.mga9
pam_oath-2.6.7-1.1.mga9
pskctool-2.6.7-1.1.mga9

from SRPM:
oath-toolkit-2.6.7-1.1.mga9.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Status comment: Fixed upstream in 2.6.12 and patch available from Debian => (none)
Source RPM: oath-toolkit-2.6.11-1.mga10.src.rpm, oath-toolkit-2.6.7-1.mga9.src.rpm => oath-toolkit-2.6.7-1.mga9.src.rpm
Keywords: (none) => advisory
MGA9-64 Plasma in VirtualBox.

The following 6 packages are going to be installed:
- lib64oath0-2.6.7-1.1.mga9.x86_64
- lib64pskc0-2.6.7-1.1.mga9.x86_64
- lib64xmlsec1-openssl1-1.2.37-1.1.mga9.x86_64
- oath-toolkit-2.6.7-1.1.mga9.x86_64
- pam_oath-2.6.7-1.1.mga9.x86_64
- pskctool-2.6.7-1.1.mga9.x86_64

No installation issues.

Only one previous update, from my early days with QA, when I had no clue about what I was doing as we supported both Mageia 3 and Mageia 4. Using procedure from bug 12873 comment 2 (Thank you, Anne Nicolas!):

[tom@localhost ~]$ oathtool 00
328482
[tom@localhost ~]$ oathtool -w 10 3132333435363738393031323334353637383930
755224
287082
359152
969429
338314
254676
287922
162583
399871
520489
403154
[tom@localhost ~]$ oathtool -c 5 3132333435363738393031323334353637383930
254676
[tom@localhost ~]$ oathtool -w 10 3132333435363738393031323334353637383930 969429
3
[tom@localhost ~]$ oathtool --totp 00
934935
[tom@localhost ~]$ oathtool --totp --time-step-size=45s 00
661877
[tom@localhost ~]$ oathtool --totp --time-step-size=45s 00
952231
[tom@localhost ~]$ oathtool --totp --start-time "1980-01-01 00:00:00 UTC" 00
130483
[tom@localhost ~]$ oathtool --totp -v -N "2033-05-18 03:33:20 UTC" -d8 3132333435363738393031323334353637383930
Hex secret: 3132333435363738393031323334353637383930
Base32 secret: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
Digits: 8
Window size: 0
TOTP mode: SHA1
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2033-05-18 03:33:20 UTC (2000000000)
Counter: 0x3F940AA (66666666)
69279037

Result is consistent with the previous bug.
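As an added, independent cross-check of the oathtool runs above (this is not code from the bug report or from oath-toolkit): a minimal RFC 4226/6238 HOTP/TOTP implementation in Python that reproduces the codes for the RFC reference key used in the test procedure, including the window search and the TOTP counter that oathtool prints. The names `RFC_KEY`, `hotp_window` and `find_counter` are mine and only mirror the corresponding oathtool invocations.

```python
import hashlib
import hmac
import struct

# The hex secret used in the test procedure is the RFC 4226 / RFC 6238
# reference key, i.e. the ASCII string "12345678901234567890".
RFC_KEY = bytes.fromhex("3132333435363738393031323334353637383930")


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_counter(unix_time: int, step: int = 30, start: int = 0) -> int:
    """TOTP (RFC 6238) maps wall-clock time to an HOTP counter (oathtool's 'Counter:' line)."""
    return (unix_time - start) // step


def totp(key: bytes, unix_time: int, step: int = 30, start: int = 0,
         digits: int = 6, algo=hashlib.sha1) -> str:
    return hotp(key, totp_counter(unix_time, step, start), digits, algo)


def hotp_window(key: bytes, counter: int, window: int, digits: int = 6) -> list:
    """Mirror `oathtool -w N KEY`: codes for COUNTER and the next N counters (N+1 values)."""
    return [hotp(key, c, digits) for c in range(counter, counter + window + 1)]


def find_counter(key: bytes, otp: str, counter: int, window: int):
    """Mirror `oathtool -w N KEY OTP`: offset in the window where OTP matches, or None.

    This is the server-side validation step: accept only if the OTP occurs in the
    window, then advance the stored counter past the match so it cannot be replayed.
    Comparison is constant-time to avoid leaking how many digits matched.
    """
    for i, code in enumerate(hotp_window(key, counter, window)):
        if hmac.compare_digest(code, otp):
            return i
    return None


if __name__ == "__main__":
    print(hotp_window(RFC_KEY, 0, 10))                # oathtool -w 10 <key>
    print(find_counter(RFC_KEY, "969429", 0, 10))     # oathtool -w 10 <key> 969429
    print(totp_counter(2000000000), totp(RFC_KEY, 2000000000, digits=8))  # -N ... -d8
```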
CC: (none) => andrewsfarm
Validating.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0335.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED