This is a security bugfix for the 2.4.x branch; see below for details. I have had health issues since late last year -- see http://blog.josefsson.org/ -- but I hope to return to reviewing Fabian's OCRA patches so we can finally get them released.
Happy hacking,
Simon

** liboath: Fix usersfile bug that caused it to update the wrong line.

When a usersfile contains multiple lines for the same user but with an unparseable token type (e.g., HOTP vs TOTP), the code would update the wrong line of the file. Since the line that actually got updated could be a commented-out line, this can lead to the same OTP being accepted multiple times, which is a security vulnerability. Reported by Bas van Schaik <[email protected]> and patch provided by Ilkka Virta <[email protected]>. CVE-2013-7322

The OATH Toolkit makes it easy to build one-time password authentication systems. It contains shared libraries, command line tools and a PAM module. Supported technologies include the event-based HOTP algorithm (RFC4226) and the time-based TOTP algorithm (RFC6238). OATH stands for Open AuTHentication, which is the organization that specifies the algorithms. For managing secret key files, the Portable Symmetric Key Container (PSKC) format described in RFC6030 is supported.

The components included in the package are:

* liboath: A shared and static C library for OATH handling.
* oathtool: A command line tool for generating and validating OTPs.
* pam_oath: A PAM module for pluggable login authentication for OATH.
* libpskc: A shared and static C library for PSKC handling.
* pskctool: A command line tool for manipulating PSKC data.
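As an added illustration (not liboath's or pam_oath's own code), the invariant the fix above restores: the line rewritten after a successful authentication must be the very line whose secret validated the OTP, and comment lines and entries of another token type must still be counted when locating it, otherwise the live entry's counter never advances and the OTP can be replayed. The usersfile layout below is a simplified approximation of the pam_oath format and the sample content is constructed.

```python
# Constructed sample usersfile, a simplified approximation of the pam_oath
# layout "<type> <user> <pin|-> <hex secret> [counter ...]": the same user has
# a commented-out HOTP entry, a TOTP entry and a live HOTP entry.
SAMPLE_USERSFILE = """\
# HOTP alice - 3132333435363738393031323334353637383930 0
HOTP/T30 alice - 3132333435363738393031323334353637383930
HOTP alice - 3132333435363738393031323334353637383930 7
"""

def parse_line(line):
    """Parse one usersfile line; None for blank, comment or unparseable lines."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    fields = s.split()
    if len(fields) < 4:
        return None
    return {"type": fields[0], "user": fields[1], "pin": fields[2],
            "secret": fields[3], "rest": fields[4:]}

def find_entry(text, user, token_type):
    """Return (physical line index, entry) for user's entry of token_type."""
    # Every line advances idx, including comments and entries of another token
    # type, so idx names exactly the line whose secret validated the OTP.
    for idx, line in enumerate(text.splitlines()):
        entry = parse_line(line)
        if entry is None or entry["user"] != user or entry["type"] != token_type:
            continue
        return idx, entry
    return None

def record_use(text, user, token_type, new_counter):
    """Rewrite only the line that validated the OTP; never touch a comment."""
    lines = text.splitlines()
    hit = find_entry(text, user, token_type)
    if hit is None:
        raise LookupError(f"no {token_type} entry for {user}")
    idx, entry = hit
    if lines[idx].lstrip().startswith("#"):
        raise RuntimeError("refusing to update a commented-out entry")
    lines[idx] = " ".join([entry["type"], entry["user"], entry["pin"],
                           entry["secret"], str(new_counter)])
    return "\n".join(lines) + "\n"

def live_counter(text, user, token_type):
    """Counter on the live entry; if it fails to advance, the OTP can be replayed."""
    hit = find_entry(text, user, token_type)
    return int(hit[1]["rest"][0]) if hit and hit[1]["rest"] else None
```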
The project's web page is available at:
http://www.nongnu.org/oath-toolkit/

Documentation for the command line tools oathtool and pskctool:
http://www.nongnu.org/oath-toolkit/oathtool.1.html
http://www.nongnu.org/oath-toolkit/pskctool.1.html
http://www.nongnu.org/oath-toolkit/libpskc-api/pskc-tutorial-pskctool.html

Manual for PAM module:
http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pam_oath/README

Liboath manual:
http://www.nongnu.org/oath-toolkit/liboath-api/liboath-oath.html

Libpskc Tutorial & Manual:
http://www.nongnu.org/oath-toolkit/libpskc-api/pskc-tutorial-quickstart.html
http://www.nongnu.org/oath-toolkit/libpskc-api/pskc-reference.html

If you need help to use the OATH Toolkit, or want to help others, you are invited to join our oath-toolkit-help mailing list, see:
https://lists.nongnu.org/mailman/listinfo/oath-toolkit-help

Here are the compressed sources of the entire package:
http://download.savannah.nongnu.org/releases/oath-toolkit/oath-toolkit-2.4.1.tar.gz (4.0MB)
http://download.savannah.nongnu.org/releases/oath-toolkit/oath-toolkit-2.4.1.tar.gz.sig (OpenPGP)

The software is cryptographically signed by the author using an OpenPGP key identified by the following information:

pub 1280R/B565716F 2002-05-05 [expires: 2014-05-11]
Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid Simon Josefsson <[email protected]>
uid Simon Josefsson <[email protected]>
sub 2048R/105E722E 2012-03-13 [expires: 2014-02-17]
sub 2048R/728AB82C 2012-03-13 [expires: 2014-02-17]
sub 2048R/9394F626 2012-03-13 [expires: 2014-02-17]
sub 1280R/4D5D40AE 2002-05-05 [expires: 2014-05-11]

The key is available from:
http://josefsson.org/key.txt
dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:
b0ca4c5f89c12c550f7227123c2f21f45b2bf969 oath-toolkit-2.4.1.tar.gz
c88309c3c24772c9f0405af95880947826f9e5d3862aa3d7eaa51f4f oath-toolkit-2.4.1.tar.gz

General information on contributing:
http://www.nongnu.org/oath-toolkit/contrib.html

Savannah developer's home page:
https://savannah.nongnu.org/projects/oath-toolkit/

Code coverage charts:
http://www.nongnu.org/oath-toolkit/coverage/

Clang code analysis:
http://www.nongnu.org/oath-toolkit/clang-analyzer/

Daily snapshots:
http://daily.josefsson.org/oath-toolkit/

Autobuild statistics:
http://autobuild.josefsson.org/oath-toolkit/
