Re: [Users] [oss-security] CVE-2012-XXYY Request -- google-authenticator: Information disclosure due insecure requirement on the secrets file

Hello Kurt, Steve, Alexander, vendors, as noted in [1]: An information disclosure file was found in the way google-authenticator, a pluggable authentication module (PAM) which allows login using one-time passcodes conforming to the open standards developed by the Initiative for Open Authentication (OATH), performed management of its secret / state file in certain configurations. Due the lack of 'user=' option the secret file was previously required to be user-readable, allowing (in certain cases) a local attacker to obtain the (pre)shared client-to-authentication-server secret, possibly leading to victim's account impersonation. A different vulnerability than CVE-2013-0258. References: [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129 [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#10 [3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#20 [4] https://bugzilla.redhat.com/show_bug.cgi?id=953505 Relevant upstream patch: [5] https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857... @Alexander - since I am not sure I have described the attack vector above properly, please correct me if / where required. @Kurt * the CVE-2012- identifier should be allocated to this issue, since the security implications of this problem are for the first time mentioned here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129#10 (2012-09-22), * from what I have looked, there doesn't seem to be: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=authenticator a CVE identifier allocated to this issue yet (as noted above CVE-2013-0258 from that list is different issue). => could you allocate one? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team