[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [OATH-Toolkit-help] libpam-oath vulnerable to replay of OTP as resul
From: |
Simon Josefsson |
Subject: |
Re: [OATH-Toolkit-help] libpam-oath vulnerable to replay of OTP as result of incorrectly parsing comments in users file? |
Date: |
Wed, 12 Feb 2014 14:32:47 +0100 |
I have reviewed the patch and added a regression test now, thanks Bas
and Ilkka for information. Florian, did you get a CVE number yet? If I
get the number, I'll mention it in the NEWS file for the upcoming v2.4.1
bugfix release.
Current fix is in git:
http://git.savannah.gnu.org/cgit/oath-toolkit.git/commit/?h=oath-toolkit-2-4-x&id=a31a1eef2dac134d397f3351206206c4b2bb5bfa
/Simon
You wrote:
> On 12/02/14 02:16, Simon Josefsson wrote:
> > I think it looked fine but I haven't fully analyzed it -- any chance
> > someone could come up with a brief description of how to reproduce
> > the problem exactly? Then I could add that recipe as a self-test
> > in the package, apply the fix, and if that silences the self-test,
> > I'm happy.
> I think my first email (9 Dec 11:31 GMT) contains a fairly detailed
> description of how to reproduce this behaviour. Please let me know if
> you need additional info.
>
> Thanks,
>
> Bas