Re: [OATH-Toolkit-help] libpam-oath vulnerable to replay of OTP as resul
From: Florian Weimer
Subject: Re: [OATH-Toolkit-help] libpam-oath vulnerable to replay of OTP as result of incorrectly parsing comments in users file?
Date: Fri, 07 Feb 2014 17:07:19 +0100

* Ilkka Virta:
> On 16.12.2013 22:43, Simon Josefsson wrote:
>> Thanks for the report and looking into this issue. Alas the timing
>> here was bad, and I am just returning from vacation and must finish
>> several things before season holidays -- if someone has worked out a
>> patch and can do testing that it works and solves the problem I can
>> review and apply and release it. Ilkka, how much have you tested your
>> patch?
>
> That one was more like a rough sketch... (iow, I didn't)
>
> The attached one seems to work for me:

Simon, is this the proper fix? Should we apply it to the Debian
version? Thanks.

Considering that this was reported on a public mailing list
(oath-toolkit-help), I'll request a CVE on oss-security.