Package: pass-otp
Version: 1.2.0-9
Severity: normal
Tags: security patch
Forwarded: https://github.com/tadfisher/pass-otp/issues/167
https://github.com/tadfisher/pass-otp/pulls/182
X-Debbugs-Cc: Debian Security Team
Since upstream seems to be undermaintained, could you add the attached
patches to the Debian package for slightly more oathtool safety?
The first one uses bash arrays to separate command-line arguments,
instead of fragile shell string splitting.
The second one passes OTP secrets to oathtool on stdin instead
of command-line arguments, when it is new enough to support that.
These have been backported from my pull request linked above
and resolve the upstream bug report linked above.
--
bye,
pabs
https://wiki.debian.org/PaulWise
From 41c60cb5a128da006a8b474b58550a95aa4b33a8 Mon Sep 17 00:00:00 2001
From: Paul Wise
Date: Fri, 12 May 2023 13:39:53 +0800
Subject: [PATCH 1/2] Use bash arrays to separate arguments to oathtool and
otptool
Also use long version of oathtool -b/--base32 option.
---
otp.bash | 19 ++-
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/otp.bash b/otp.bash
index d4c7756..7702c07 100755
--- a/otp.bash
+++ b/otp.bash
@@ -334,18 +334,19 @@ cmd_otp_code() {
local cmd
case "$otp_type" in
totp)
- cmd="$OATH -b --totp"
- [[ -n "$otp_algorithm" ]] && cmd+=$(echo "=${otp_algorithm}"|tr "[:upper:]" "[:lower:]")
- [[ -n "$otp_period" ]] && cmd+=" --time-step-size=$otp_period"s
- [[ -n "$otp_digits" ]] && cmd+=" --digits=$otp_digits"
- cmd+=" $otp_secret"
+ cmd=("$OATH" --base32)
+ [[ -z "$otp_algorithm" ]] && cmd+=(--totp)
+ [[ -n "$otp_algorithm" ]] && cmd+=(--totp="$(echo "${otp_algorithm}"|tr "[:upper:]" "[:lower:]")")
+ [[ -n "$otp_period" ]] && cmd+=(--time-step-size="$otp_period"s)
+ [[ -n "$otp_digits" ]] && cmd+=(--digits="$otp_digits")
+ cmd+=("$otp_secret")
;;
hotp)
local counter=$((otp_counter+1))
- cmd="$OATH -b --hotp --counter=$counter"
- [[ -n "$otp_digits" ]] && cmd+=" --digits=$otp_digits"
- cmd+=" $otp_secret"
+ cmd=("$OATH" --base32 --hotp --counter="$counter")
+ [[ -n "$otp_digits" ]] && cmd+=(--digits="$otp_digits")
+ cmd+=("$otp_secret")
;;
*)
@@ -353,7 +354,7 @@ cmd_otp_code() {
;;
esac
- local out; out=$($cmd) || die "$path: failed to generate OTP code."
+ local out; out=$("${cmd[@]}") || die "$path: failed to generate OTP code."
if [[ "$otp_type" == "hotp" ]]; then
# Increment HOTP counter in-place
--
2.43.0
From cff06cc3abf97665e5997a41c0aab26808ad3ad8 Mon Sep 17 00:00:00 2001
From: Paul Wise
Date: Fri, 12 May 2023 14:14:04 +0800
Subject: [PATCH 2/2] Send secrets to oathtool via stdin instead of
command-line arguments
Check if the oathtool version supports this first.
Fixes: https://github.com/tadfisher/pass-otp/issues/167
---
otp.bash | 25 ++---
1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/otp.bash b/otp.bash
index 7702c07..86344aa 100755
--- a/otp.bash
+++ b/otp.bash
@@ -331,6 +331,12 @@ cmd_otp_code() {
fi
done < <(echo "$contents")
+ # Check oathtool for stdin secrets feature
+ OATH_SAFE_VERSION=2.6.5
+ OATH_VERSION=$("$OATH" --version | head -n1 | tr ' ' '\n' | tail -n1)
+ printf -v OATH_VERSIONS '%s\n%s' "$OATH_SAFE_VERSION" "$OATH_VERSION"
+ [[ "$OATH_VERSIONS" = "$(sort -n <<< "$OATH_VERSIONS")" ]] && OATH_SAFE=1
+
local cmd
case "$otp_type" in
totp)
@@ -339,14 +345,22 @@ cmd_otp_code() {
[[ -n "$otp_algorithm" ]] && cmd+=(--totp="$(echo "${otp_algorithm}"|tr "[:upper:]" "[:lower:]")")
[[ -n "$otp_period" ]] && cmd+=(--time-step-size="$otp_period"s)
[[ -n "$otp_digits" ]] && cmd+=(--digits="$otp_digits")
- cmd+=("$otp_secret")
+ if [[ -n "$OATH_SAFE" ]] ; then
+cmd+=(-) # secrets on stdin
+ else
+cmd+=("$otp_secret")
+ fi
;;
hotp)
local counter=$((otp_counter+1))
cmd=("$OATH" --base32 --hotp --counter="$counter")
[[ -n "$otp_digits" ]] && cmd+=(--digits="$otp_digits")
- cmd+=("$otp_secret")
+ if [[ -n "$OATH_SAFE" ]] ; then
+cmd+=(-) # secrets on stdin
+ else
+cmd+=("$otp_secret")
+ fi
;;
*)
@@ -354,7 +368,12 @@ cmd_otp_code() {
;;
esac
- local out; out=$("${cmd[@]}") || die "$path: failed to generate OTP code."
+ local out
+ if [[ -n "$OATH" && -n "$OATH_SAFE" ]] ; then
+out=$("${cmd[@]}" <<< "$otp_secret") || die "$path: failed to generate OTP code."
+ else
+out=$("${cmd[@]}") || die "$path: failed to generate OTP code."
+ fi
if [[ "$otp_type" == "hotp" ]]; then
# Increment HOTP counter in-place
--
2.43.0
signature.asc
Description: This is a digitally signed message part