OATH Toolkit 2.6.12


From: Simon Josefsson
Subject: OATH Toolkit 2.6.12
Date: Fri, 04 Oct 2024 12:43:54 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

This is to announce oath-toolkit-2.6.12, a stable release.

OATH Toolkit provides components to build one-time password
authentication systems.  It contains shared C libraries, command line
tools and a PAM module.  Supported technologies include the event-based
HOTP algorithm (RFC 4226), the time-based TOTP algorithm (RFC 6238), and
Portable Symmetric Key Container (PSKC, RFC 6030) to manage secret key
data.  OATH stands for Open AuTHentication, which is the organization
that specifies the algorithms.

The following components are included:

 * liboath: A shared and static C library for OATH handling.
 * oathtool: A command line tool for generating and validating OTPs.
 * pam_oath: A PAM module for pluggable login authentication for OATH.
 * libpskc: A shared and static C library for PSKC handling.
 * pskctool: A command line tool for manipulating PSKC data.

The project's web page is available at:
  https://www.nongnu.org/oath-toolkit/

Documentation for the command line tools oathtool and pskctool:
  https://www.nongnu.org/oath-toolkit/oathtool.1.html
  https://www.nongnu.org/oath-toolkit/pskctool.1.html

Tutorial on PSKC:
  https://www.nongnu.org/oath-toolkit/libpskc-api/pskc-tutorial.html

Manual for PAM module:
  https://www.nongnu.org/oath-toolkit/pam_oath.html

Liboath Manual:
  https://www.nongnu.org/oath-toolkit/liboath-api/liboath-oath.h.html

Libpskc Manual:
  https://www.nongnu.org/oath-toolkit/libpskc-api/pskc-reference.html

General information on contributing:
  https://www.nongnu.org/oath-toolkit/contrib.html

OATH Toolkit GitLab project page:
  https://gitlab.com/oath-toolkit/oath-toolkit

OATH Toolkit Savannah project page:
  https://savannah.nongnu.org/projects/oath-toolkit/

Code coverage charts:
  https://oath-toolkit.gitlab.io/oath-toolkit/coverage/

Clang code analysis:
  https://oath-toolkit.gitlab.io/oath-toolkit/clang-analyzer/

Coverity report:
  https://scan.coverity.com/projects/oath-toolkit

If you need help to use the OATH Toolkit, or want to help others, you
are invited to join our oath-toolkit-help mailing list, see:
  https://lists.nongnu.org/mailman/listinfo/oath-toolkit-help

Here are the compressed sources and a GPG detached signature:
  https://download.savannah.nongnu.org/releases/oath-toolkit/oath-toolkit-2.6.12.tar.gz
  https://download.savannah.nongnu.org/releases/oath-toolkit/oath-toolkit-2.6.12.tar.gz.sig

Here is a signed git-archive style minimal source code archive:
  https://download.savannah.nongnu.org/releases/oath-toolkit/oath-toolkit-2.6.12-src.tar.gz
  https://download.savannah.nongnu.org/releases/oath-toolkit/oath-toolkit-2.6.12-src.tar.gz.sig

Here are the SHA1 and SHA256 checksums:

0bfb6ad29d59628487c9e180c7a43f4ca301e4d1  oath-toolkit-2.6.12.tar.gz
cafdf739b1ec4b276441c6aedae6411434bbd870071f66154b909cc6e2d9e8ba  oath-toolkit-2.6.12.tar.gz

0a652af2c638789f99a030097fc718e3cb09615b  oath-toolkit-2.6.12-src.tar.gz
7c6a3c9043941bc3f1b37bd50a6cb8d508c1e42bff631292f938e08a377a36ff  oath-toolkit-2.6.12-src.tar.gz

Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify oath-toolkit-2.6.12.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   ed25519 2019-03-20 [SC]
        B1D2 BD13 75BE CB78 4CF4  F8C4 D73C F638 C53C 06BE
  uid   Simon Josefsson <simon@josefsson.org>

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key simon@josefsson.org

  gpg --recv-keys 51722B08FE4745A2

  wget -q -O- https://josefsson.org/key-20190320.txt | gpg --import

NEWS

* Version 2.6.12 (released 2024-10-03)

** pam_oath: Drop privs when ${HOME} is used in the usersfile= setting.
Reported by Fabian Vogt (SUSE), and associated with CVE-2024-47191.
See <https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/43>.
Security bug triggered by new feature in pam_oath v2.6.7 released on
2021-05-01 with the USER/HOME placeholder strings, see
<https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/12>.

Quoting a writeup in an alternate patch by Matthias Gerstner (SUSE):
With the addition of the possibility to place a usersfile also into a
user's home directory via variable expansion of ${HOME} and ${USER} in
the `usersfile=` path specification, security issues sneaked in.  The
PAM process usually runs with root privileges.  The file operations in
an unprivileged user's home directory follow symlinks both when
reading and creating files, allowing for a potential local root
exploit, because of the `fchown()` performed on the newly created
usersfile.

We drop privileges to the user that is being logged into, assuming it
has the necessary permissions for the usersfile belonging in their
home directory.  This restricts the ability for non-root users to
affect files beyond their control via liboath.

** liboath: Don't follow symbolic links for usersfile updates.
Reported by Fabian Vogt (SUSE), and associated with CVE-2024-47191.
See <https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/43>.
Security bug triggered by new feature in pam_oath v2.6.7 released on
2021-05-01 with the USER/HOME placeholder strings, see
<https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/12>.

The fix is to open files for writing in exclusive mode (i.e., fail if
the file exists including if it is a symbolic link).

We offer a brief self-test to reproduce the problem in
liboath/tests/tst_fopen-wx.c which you may use as follows:

cc -o tst_fopen-wx tst_fopen-wx.c $(pkg-config --libs --cflags liboath)
rm -f cve.oath cve.oath.new cve.sshd-config cve.oath.lock
printf 'HOTP/E/8\tsilver\t4711\t3132333435363738393031323334353637383930313233343536373839303132\n' > cve.oath
echo my-magic-cookie > cve.sshd-config
ln -s cve.sshd-config cve.oath.new
./tst_fopen-wx cve.oath silver 670691 4711

If this is linked with a vulnerable liboath it will print:

FAIL: Liboath VULNERABLE to fopen(wx) bug.

If you link it to a fixed liboath it will print:

PASS: Your liboath is NOT VULNERABLE to fopen(wx) bug.

For convenience, the liboath/tests/tst_fopen-wx.sh script can be used
to setup and invoke tst_fopen-wx.
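The primitive the liboath fix relies on, shown as an added example (this is
not the project's code and not the tst_fopen-wx self-test above): an
exclusive create with O_EXCL, which is what fopen(path, "wx") does, fails
with EEXIST whenever any directory entry of that name already exists,
symbolic link included.  The program builds a throwaway directory, plants
a symbolic link named "usersfile.new" that points at an unrelated file,
and checks that the exclusive create is refused and the link target is
left untouched; a control case shows the same call succeeds on a fresh
name.  The directory name "wx-demo-<pid>", the file names "other-config"
and "usersfile.new" and the content "keep-me" are all constructed for the
demo.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create PATH for writing only if no directory entry of that name exists.
   O_EXCL makes the kernel fail with EEXIST for any pre-existing entry,
   including a symbolic link, so the call cannot be steered into another
   file.  This is what fopen(path, "wx") does in C11/glibc.
   Returns an open fd, or -1 with errno set. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Private scratch directory for the demo (constructed name; /tmp first,
   then the current directory).  Returns 0 on success. */
static int make_scratch(char *dir, size_t len)
{
    const char *bases[] = { "/tmp", "." };
    size_t i;
    for (i = 0; i < 2; i++) {
        snprintf(dir, len, "%s/wx-demo-%ld", bases[i], (long)getpid());
        if (mkdir(dir, 0700) == 0 || errno == EEXIST)
            return 0;
    }
    return -1;
}

/* Scenario: "usersfile.new" already exists as a symbolic link pointing at
   an unrelated file.  Returns 1 if the exclusive create is refused with
   EEXIST and the link target keeps its original content, 0 otherwise. */
int symlink_is_rejected(void)
{
    char dir[64], target[128], lnk[128], buf[32];
    const char *keep = "keep-me\n";       /* constructed victim content */
    ssize_t len = (ssize_t)strlen(keep), n;
    int fd, rc = 0;

    if (make_scratch(dir, sizeof dir) != 0)
        return 0;
    snprintf(target, sizeof target, "%s/other-config", dir);
    snprintf(lnk, sizeof lnk, "%s/usersfile.new", dir);

    /* Set up the victim file and the planted link. */
    fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, keep, len) != len) {
        if (fd >= 0) close(fd);
        return 0;
    }
    close(fd);
    unlink(lnk);                          /* clear leftovers from earlier runs */
    if (symlink(target, lnk) != 0)
        return 0;

    fd = create_exclusive(lnk);
    if (fd >= 0) {
        close(fd);                        /* hardened create must not get here */
    } else if (errno == EEXIST) {
        /* Confirm the link target was neither truncated nor rewritten. */
        fd = open(target, O_RDONLY);
        if (fd >= 0) {
            n = read(fd, buf, sizeof buf - 1);
            close(fd);
            if (n == len && memcmp(buf, keep, (size_t)n) == 0)
                rc = 1;
        }
    }
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return rc;
}

/* Control case: with no pre-existing entry the same call succeeds, so
   exclusive mode does not break the normal "write a fresh file" path. */
int fresh_file_is_created(void)
{
    char dir[64], path[128];
    int fd, rc = 0;

    if (make_scratch(dir, sizeof dir) != 0)
        return 0;
    snprintf(path, sizeof path, "%s/usersfile.new", dir);
    unlink(path);
    fd = create_exclusive(path);
    if (fd >= 0) {
        rc = 1;
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("symlink rejected: %d, fresh file created: %d\n",
           symlink_is_rejected(), fresh_file_is_created());
    return 0;
}
```

Build it with `cc -o wx-demo wx-demo.c` and run it; it prints
`symlink rejected: 1, fresh file created: 1` on a kernel that honours
O_EXCL.  The check on the link target's content is the part worth copying
into your own regression tests: a create that "fails" but has already
truncated the file behind the link is exactly the outcome the fix exists
to prevent.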

** We publish a minimal source-only tarball generated by 'git archive'.
This tarball only contains the files stored in version controlled
sources, and no auxiliary files.  The source-only tarball may be
reproduced on a Trisquel 11 platform using Git at (or near) version
2.46 from Guix.  If something results in the 'git archive' format
changing again, the tarball can only be reproduced using an earlier
system.  The git version in AlmaLinux 8, AlmaLinux 9, RockyLinux 8 and
RockyLinux 9 should all produce the same identical 'git archive'
tarball.  The git version used on Debian 11, PureOS 10, Trisquel 11
and Ubuntu 22.04 should all produce an identical tarball.  These two
'git archive' outputs are not the same, due to how Git works.

** oathtool: Fix test suite on 32-bit big-endian platforms.  Fixes: #44.
Patch by Helge Deller and thanks to Jan Zerebecki.  See
<https://lists.nongnu.org/archive/html/oath-toolkit-help/2024-04/msg00000.html>
and <https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/44>.

** libpskc: Don't call deprecated xmlMemoryDump.

** libpskc: Fix implicit declaration with musl.
See <https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/39>.

** libpskc: Fix linker warning when linked with mold.
Thanks to Jan Palus, see
<https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/30> and
<https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/36> for
regression testing.

** Various build fixes including updated gnulib files.
Fixes Windows tzset build errors, among other things.

Happy hacking,
Simon
