CVE-2019-12209

Name
CVE-2019-12209
Description
Yubico pam-u2f 1.0.7 attempts parsing of the configured authfile (default $HOME/.config/Yubico/u2f_keys) as root (unless openasuser was enabled), and does not properly verify that the path lacks symlinks pointing to other files on the system owned by root. If the debug option is enabled in the PAM configuration, part of the file contents of a symlink target will be logged, possibly revealing sensitive information.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)
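
The description above hinges on two facts: the authfile is opened with root privileges, and a plain open() follows symlinks, so the path string says nothing about which inode is actually read or echoed into the debug log. The following added example (not pam-u2f's own code; the function names, the status enum and the temp-dir layout are hypothetical) puts the naive open beside a hardened variant that walks the path component by component with O_NOFOLLOW and then checks the opened inode's type and owner, and exercises both against a constructed u2f_keys file and a symlink to it.

```c
/* Added example (not pam-u2f's own code): opening a per-user authfile as root
 * without following symlinks, modelled on CVE-2019-12209. Function names, the
 * status enum and the demo layout are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum authfile_status {
    AUTHFILE_OK = 0,
    AUTHFILE_OPEN_FAILED,  /* open(2)/openat(2) failed for an ordinary reason */
    AUTHFILE_IS_SYMLINK,   /* some path component is a symbolic link */
    AUTHFILE_NOT_REGULAR,  /* the opened object is not a regular file */
    AUTHFILE_WRONG_OWNER   /* the file is not owned by the authenticating user */
};

/* Vulnerable pattern: a plain open() running as root follows symlinks, so a user
 * who controls $HOME can point the authfile at any root-readable file and have
 * the parser (and any debug logging of its contents) read it for them. */
int open_authfile_naive(const char *path) { return open(path, O_RDONLY); }

/* Walk an absolute path one component at a time with O_NOFOLLOW so a symlink
 * anywhere in it is rejected (O_NOFOLLOW on a single open() only guards the
 * final component). The caller owns the returned fd. */
static enum authfile_status open_path_nofollow(const char *path, int *fd_out) {
    char buf[PATH_MAX], *save = NULL;
    *fd_out = -1;
    if (path[0] != '/' || strlen(path) >= sizeof buf) return AUTHFILE_OPEN_FAILED;
    strcpy(buf, path);
    int dirfd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) return AUTHFILE_OPEN_FAILED;
    for (char *comp = strtok_r(buf, "/", &save); comp; comp = strtok_r(NULL, "/", &save)) {
        int next = openat(dirfd, comp, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        int err = errno;  /* ELOOP (Linux) or EMLINK (BSD) means the component was a symlink */
        close(dirfd);
        if (next < 0) return (err == ELOOP || err == EMLINK) ? AUTHFILE_IS_SYMLINK : AUTHFILE_OPEN_FAILED;
        dirfd = next;
    }
    *fd_out = dirfd;
    return AUTHFILE_OK;
}

/* Hardened open: no symlinks, then verify the inode actually opened (not the path
 * string) is a regular file owned by the user being authenticated. */
enum authfile_status open_authfile_checked(const char *path, uid_t expected_uid, int *fd_out) {
    enum authfile_status st = open_path_nofollow(path, fd_out);
    if (st != AUTHFILE_OK) return st;
    struct stat sb;
    if (fstat(*fd_out, &sb) != 0)       st = AUTHFILE_OPEN_FAILED;
    else if (!S_ISREG(sb.st_mode))      st = AUTHFILE_NOT_REGULAR;
    else if (sb.st_uid != expected_uid) st = AUTHFILE_WRONG_OWNER;
    if (st != AUTHFILE_OK) { close(*fd_out); *fd_out = -1; }
    return st;
}

/* Verdict-only wrapper for callers that do not need the descriptor. */
int authfile_verdict(const char *path, uid_t expected_uid) {
    int fd, st = (int)open_authfile_checked(path, expected_uid, &fd);
    if (fd >= 0) close(fd);
    return st;
}

/* Demo on a constructed layout: a temp dir holding a real u2f_keys file plus a
 * symlink to it. Returns how many of the five expected outcomes held (5 = all). */
int demo_symlink_rejected(void) {
    const char *base = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char tmpl[PATH_MAX], dir[PATH_MAX], keys[PATH_MAX], link[PATH_MAX];
    snprintf(tmpl, sizeof tmpl, "%s/u2fdemo-XXXXXX", base);
    if (!mkdtemp(tmpl) || !realpath(tmpl, dir)) return -1;  /* realpath: /tmp may itself be a symlink */
    snprintf(keys, sizeof keys, "%s/u2f_keys", dir);
    snprintf(link, sizeof link, "%s/u2f_keys_link", dir);
    FILE *f = fopen(keys, "w");
    if (!f || symlink(keys, link) != 0) return -1;
    fputs("alice:constructed-key-handle,constructed-public-key\n", f);  /* constructed sample line */
    fclose(f);

    int passed = 0;
    passed += authfile_verdict(keys, getuid()) == AUTHFILE_OK;              /* the real file */
    passed += authfile_verdict(link, getuid()) == AUTHFILE_IS_SYMLINK;      /* the symlink */
    passed += authfile_verdict(keys, getuid() + 1) == AUTHFILE_WRONG_OWNER; /* someone else's file */
    passed += authfile_verdict(dir, getuid()) == AUTHFILE_NOT_REGULAR;      /* a directory */
    int fd = open_authfile_naive(link);                                     /* naive open follows the link */
    passed += fd >= 0;
    if (fd >= 0) close(fd);

    unlink(link); unlink(keys); rmdir(dir);
    return passed;
}

int main(void) {
    printf("%d of 5 expected outcomes held\n", demo_symlink_rejected());
    return 0;
}
```

Build with `cc -o u2fdemo u2fdemo.c` and run; it should report all five outcomes. Two caveats a practitioner would want: rejecting every symlink under $HOME is a compatibility cost and the owner check only covers the inode finally opened, so the mitigation the description itself names, openasuser (opening the file as the user rather than as root, so the kernel's own permission checks apply), is the primary fix and this check is defense in depth. Independently of how the file is opened, debug output should log metadata (path, size, parse error) and never raw file contents.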

References

Type URI
Patch https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3
Release Notes https://developers.yubico.com/pam-u2f/Release_Notes.html
Mailing List http://www.openwall.com/lists/oss-security/2019/06/05/1
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5FOR4ADC356JPCHAJI5UXZORLC3VNBPS/
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00012.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00018.html
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCGU6UQLI3ZTW3UYCTMQW7VDL5M4LCWR/

Match rules

CPE URI: cpe:2.3:a:yubico:pam-u2f:1.0.7:*:*:*:*:*:*:*
Source package: pam-u2f
Min version: == None
Max version: == 1.0.7

Vulnerable and fixed packages

Source package Branch Version Maintainer Status