Candidate: CVE-2019-12210
PublicDate: 2019-06-04 21:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12210
 https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62
 https://www.openwall.com/lists/oss-security/2019/06/05/1
 https://developers.yubico.com/pam-u2f/Release_Notes.html
Description:
 In Yubico pam-u2f 1.0.7, when configured with debug and a custom debug log
 file is set using debug_file, that file descriptor is not closed when a new
 process is spawned. This leads to the file descriptor being inherited into
 the child process; the child process can then read from and write to it.
 This can leak sensitive information and also, if written to, be used to
 fill the disk or plant misinformation.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930023
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N [8.1 HIGH]


Patches_pam-u2f:
upstream_pam-u2f: needs-triage
precise/esm_pam-u2f: DNE
trusty_pam-u2f: ignored (out of standard support)
trusty/esm_pam-u2f: DNE
xenial_pam-u2f: ignored (end of standard support, was needed)
bionic_pam-u2f: needed
cosmic_pam-u2f: ignored (reached end-of-life)
disco_pam-u2f: ignored (reached end-of-life)
eoan_pam-u2f: not-affected (1.0.8-1)
focal_pam-u2f: not-affected (1.0.8-1)
groovy_pam-u2f: not-affected (1.0.8-1)
hirsute_pam-u2f: not-affected (1.0.8-1)
impish_pam-u2f: not-affected (1.0.8-1)
jammy_pam-u2f: not-affected (1.0.8-1)
devel_pam-u2f: not-affected (1.0.8-1)