Bug#839278: marked as done (oathtool: has no secure way to provide a key)

[Debian Bug Tracking System]

Your message dated Wed, 30 Dec 2020 07:18:59 +0000
with message-id <E1kuVl5-000Ay7-L7@fasolo.debian.org>
and subject line Bug#839278: fixed in oath-toolkit 2.6.5-1
has caused the Debian Bug report #839278,
regarding oathtool: has no secure way to provide a key
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
839278: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839278
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message --- Subject: oathtool: has no secure way to provide a key Date: Fri, 30 Sep 2016 19:44:07 -0400 User-agent: NeoMutt/20160916 (1.7.0)

Package: oathtool
Version: 2.6.1-1

According to the man page, oathtool only accepts a key as a command-line
parameter.  This is generally insecure: command lines are visible to all
system users, unless procfs isn't available or has been mounted with the
non-default "hidepid" option.

There should be a secure way to provide the key, and the man page should
encourage its use.  It could be an environment variable or configuration
file.  Accepting a key on stdin would also be OK, as long as one doesn't
first pass it to an external utility like /bin/printf or /bin/echo using
command-line parameters.

- Michael


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64, mips, i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages oathtool depends on:
ii  libc6     2.24-3
ii  liboath0  2.6.1-1

oathtool recommends no packages.

oathtool suggests no packages.

-- no debconf information

signature.asc
Description: PGP signature

--- End Message ---

> --- Begin Message ---
>
>
>
> Subject: 
>
> Bug#839278: fixed in oath-toolkit 2.6.5-1
>
>
>
>
> Date: 
>
> Wed, 30 Dec 2020 07:18:59 +0000
>
>
>
>
> Source: oath-toolkit
> Source-Version: 2.6.5-1
> Done: Simon Josefsson <simon@josefsson.org>
>
> We believe that the bug you reported is fixed in the latest version of
> oath-toolkit, which is due to be installed in the Debian FTP archive.
>
> A summary of the changes between this version and the previous one is
> attached.
>
> Thank you for reporting the bug, which will now be closed.  If you
> have further comments please address them to 839278@bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
>
> Debian distribution maintenance software
> pp.
> Simon Josefsson <simon@josefsson.org> (supplier of updated oath-toolkit package)
>
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing ftpmaster@ftp-master.debian.org)
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Thu, 26 Nov 2020 21:07:22 +0100
> Source: oath-toolkit
> Architecture: source
> Version: 2.6.5-1
> Distribution: unstable
> Urgency: medium
> Maintainer: OATH Toolkit Team <oath-toolkit-help@nongnu.org>
> Changed-By: Simon Josefsson <simon@josefsson.org>
> Closes: 833927 839278 971440
> Changes:
>  oath-toolkit (2.6.5-1) unstable; urgency=medium
>  .
>    * New upstream release.
>      - Closes: #839278.
>      - Closes: #971440.
>    * Include pam-oath README.  Closes: #833927.
> Checksums-Sha1:
>  35654b110a55c6ba01ba8ddc3078decd136c1857 2340 oath-toolkit_2.6.5-1.dsc
>  31eff0b9bcc4dd5f397b9abc0cf2ccdb99615c9e 5477292 oath-toolkit_2.6.5.orig.tar.gz
>  0fd281d06589a08a31799c35bc934bfa339b2e95 119 oath-toolkit_2.6.5.orig.tar.gz.asc
>  c0fbcc10e38da93d87ad5e0286ddbe521b9b0cf1 12340 
> oath-toolkit_2.6.5-1.debian.tar.xz
>  7aa94e9f98a6beea7f3312a5c387032e160251bf 10253 
> oath-toolkit_2.6.5-1_amd64.buildinfo
> Checksums-Sha256:
>  333d7d58095f682d10b50e4016a9e89e87cfbfed2c6e41d82a3c2105dd5ee1b4 2340 
> oath-toolkit_2.6.5-1.dsc
>  d207120c7e7fdd540142d04ca06d83fb3277c8f2fb794a74535d04b2aa0ec219 5477292 
> oath-toolkit_2.6.5.orig.tar.gz
>  8c302e7dca66b50deea0962c888dd1b33afce406c1ca884f1dab67faf8c2127f 119 
> oath-toolkit_2.6.5.orig.tar.gz.asc
>  20dc480c37c14637dc3f78d33cf62d2511eafe63686f7789d4f328cbf174a9ae 12340 
> oath-toolkit_2.6.5-1.debian.tar.xz
>  2f732823e95d6018172b0eb2f8374794fc7d6debece4484a9c4ef2dd7056578c 10253 
> oath-toolkit_2.6.5-1_amd64.buildinfo
> Files:
>  7d2f651ecfabd40fb98068c190258a3e 2340 devel optional oath-toolkit_2.6.5-1.dsc
>  04b9dc96de85204b9fc671e492fce443 5477292 devel optional 
> oath-toolkit_2.6.5.orig.tar.gz
>  b10be4cc67b2b854f77b30e5e9e6937b 119 devel optional 
> oath-toolkit_2.6.5.orig.tar.gz.asc
>  c1160d10ff7e12a0d11516e56883f20a 12340 devel optional 
> oath-toolkit_2.6.5-1.debian.tar.xz
>  5383a8c90bf21690297f71f7d3b35dc1 10253 devel optional 
> oath-toolkit_2.6.5-1_amd64.buildinfo
>
> -----BEGIN PGP SIGNATURE-----
>
> iQFIBAEBCgAyFiEEmUFc4ZBdDlWp+IAmhgt/uzL4EZ0FAl/rbD8UHHNpbW9uQGpv
> c2Vmc3Nvbi5vcmcACgkQhgt/uzL4EZ19jwf/RYPhXjXA2q3Oie752LmlYKe5n40R
> FHoMjfLgqgeUSTtpRNyTunbGoRCX9+fVJzUAG9lVS+GEFBR5ZFwMv6oHHr/mU/Q9
> r10AEaI/JJr+mkLfysGhgn4nSngV40fwtx99SAlB1nxqQLCPFgVnl/v6Zamgu9xl
> ipTqcUT4f4BBgeH6mrnm1RNSxXcYp1Iq/v90cmBS6/lpCeD5jmX6NW7dbmAOzMVJ
> I2Bglj66qNLD5oTCwb17mgJGNcUadP6ByovwS6m+aqI7nongEVd22DgwGyOafqJi
> 1G9mnpaAxvdK8JGUvLxWNHRdnCkABPBAXoqAqqRZnS4ZTJeDCGHhWV98BA==
> =+VYU
> -----END PGP SIGNATURE-----
>
> --- End Message ---