oath-toolkit-help

Re: [OATH-Toolkit-help] libpam-oath vulnerable to replay of OTP as resul


From: Simon Josefsson
Subject: Re: [OATH-Toolkit-help] libpam-oath vulnerable to replay of OTP as result of incorrectly parsing comments in users file?
Date: Wed, 12 Feb 2014 03:16:55 +0100

You wrote:

> * Ilkka Virta:
> 
> > On 16.12.2013 22:43, Simon Josefsson wrote:
> >> Thanks for the report and looking into this issue.  Alas the timing
> >> here was bad, and I am just returning from vacation and must finish
> >> several things before season holidays -- if someone has worked out
> >> a patch and can do testing that it works and solves the problem I
> >> can review and apply and release it.   Ilkka, how much have you
> >> tested your patch?
> >
> > That one was more like a rough sketch... (iow, I didn't)
> >
> > The attached one seems to work for me:
> 
> Simon, is this the proper fix?  Should we apply it to the Debian
> version?  Thanks.

I think it looked fine but I haven't fully analyzed it -- any chance
someone could come up with a brief description of how to reproduce the
problem exactly?  Then I could add that recipe as a self-test in the
package, apply the fix, and if that silences the self-test, I'm happy.
 
> Considering that this was reported on a public mailing list
> (oath-toolkit-help), I'll request a CVE on oss-security.

Thank you.

/Simon


