Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 18 Apr 2013 06:45:32 -0400 (EDT)
From: Jan Lieskovsky <>
Cc: "Steven M. Christey" <>,,
        Alexander Wirt <>
Subject: CVE-2012-XXYY Request -- google-authenticator: Information
 disclosure due insecure requirement on the secrets file

Hello Kurt, Steve, Alexander, vendors,

  as noted in [1]:

An information disclosure file was found in the way google-authenticator,
a pluggable authentication module (PAM) which allows login using one-time
passcodes conforming to the open standards developed by the Initiative for
Open Authentication (OATH), performed management of its secret / state file
in certain configurations. Due the lack of 'user=' option the secret file
was previously required to be user-readable, allowing (in certain cases)
a local attacker to obtain the (pre)shared client-to-authentication-server
secret, possibly leading to victim's account impersonation.

A different vulnerability than CVE-2013-0258.


Relevant upstream patch:

@Alexander - since I am not sure I have described the attack vector above
             properly, please correct me if / where required.

@Kurt * the CVE-2012- identifier should be allocated to this issue, since
        the security implications of this problem are for the first time
        mentioned here: (2012-09-22),

      * from what I have looked, there doesn't seem to be:

        a CVE identifier allocated to this issue yet (as noted above
        CVE-2013-0258 from that list is different issue).

        => could you allocate one?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.