CVE-2019-12210

NameCVE-2019-12210
DescriptionIn Yubico pam-u2f 1.0.7, when configured with debug and a custom debug log file is set using debug_file, that file descriptor is not closed when a new process is spawned. This leads to the file descriptor being inherited into the child process; the child process can then read from and write to it. This can leak sensitive information and also, if written to, be used to fill the disk or plant misinformation.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs930023

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pam-u2f (PTS)stretch1.0.4-2vulnerable
buster1.0.7-1+deb10u1fixed
bullseye, sid1.1.0-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pam-u2fsourcebuster1.0.7-1+deb10u1
pam-u2fsource(unstable)1.0.8-1low930023

Notes

[stretch] - pam-u2f <no-dsa> (Minor issue)
https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62
https://www.openwall.com/lists/oss-security/2019/06/05/1

Search for package or bug name: Reporting problems