Bug 1063083 (CVE-2013-7322)

Summary: CVE-2013-7322 oath-toolkit: certain one-time-passwords not invalidated correctly
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
CC: dwmw2, jskarvad
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2019-06-08 02:31:26 UTC
Bug Depends On: 1063084, 1063085

Description Murray McAllister 2014-02-09 23:55:51 UTC
It was found that comments (lines starting with a hash) in /etc/users.oath could prevent one-time-passwords (OTP) from being invalidated, leaving the OTP vulnerable to replay attacks. Further information is available in the mailing list post:

http://lists.nongnu.org/archive/html/oath-toolkit-help/2013-12/msg00000.html

Possible patch:

http://lists.nongnu.org/archive/html/oath-toolkit-help/2013-12/txtUm85v7Wqcy.txt
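As an added illustration (not code from this bug report, the mailing-list patch, or oath-toolkit itself), the Python below shows the property the report says was broken: after a successful HOTP authentication the stored counter must advance so the same code is rejected on a second presentation, and comment lines in the token store must be carried through verbatim without disturbing that update. The users.oath-like layout, the field order, the user names and the secret (the RFC 4226 test-vector key) are constructed assumptions for the example, not the real file grammar; `replay_check` is a regression-style check a packager could adapt to confirm the fix.

```python
import hashlib
import hmac
import struct

# Constructed secret: the RFC 4226 test-vector key "12345678901234567890" in hex.
SECRET_HEX = "3132333435363738393031323334353637383930"

# Constructed token store in a simplified users.oath-like layout (an assumption,
# not oath-toolkit's exact grammar): "HOTP <user> - <hexkey> <last_counter>",
# with comment lines starting with '#' placed before and between records.
STORE = """\
# token store (constructed example)
HOTP alice - 3132333435363738393031323334353637383930 0
# bob's token follows
HOTP bob - 3132333435363738393031323334353637383930 5
"""


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def authenticate(store_text: str, user: str, otp: str, window: int = 5):
    """Verify otp for user against the store; on success advance the stored counter past it.

    Returns (ok, new_store_text). Comment and blank lines are copied through unchanged,
    and only the matched user's record is rewritten, so a comment can never be mistaken
    for a record or block the counter update.
    """
    out = []
    ok = False
    for line in store_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)            # comment/blank line: never a token record
            continue
        fields = stripped.split()
        if ok or len(fields) < 5 or fields[0] != "HOTP" or fields[1] != user:
            out.append(line)            # some other record: leave untouched
            continue
        secret = bytes.fromhex(fields[3])
        last = int(fields[4])
        # Accept only counters strictly after the last one used (look-ahead window).
        for c in range(last + 1, last + 1 + window):
            if hmac.compare_digest(hotp(secret, c), otp):
                fields[4] = str(c)      # invalidates this OTP and every earlier one
                ok = True
                break
        out.append(" ".join(fields))
    return ok, "\n".join(out) + "\n"


def replay_check(store_text: str, user: str, otp: str):
    """Authenticate once, then present the same OTP against the updated store.

    Returns (first_ok, replay_ok, updated_store); a correct store gives (True, False, ...).
    """
    first_ok, updated = authenticate(store_text, user, otp)
    replay_ok, _ = authenticate(updated, user, otp)
    return first_ok, replay_ok, updated


if __name__ == "__main__":
    code = hotp(bytes.fromhex(SECRET_HEX), 1)     # alice's next valid code
    first, replay, new_store = replay_check(STORE, "alice", code)
    print("first attempt accepted:", first)
    print("replay accepted:", replay)
    print(new_store)
```

Running the module prints that the first presentation of the code is accepted, the replay is refused, and the updated store still contains both `#` comment lines with alice's counter moved from 0 to 1 and bob's record unchanged. A store whose update path mishandles comment lines would leave the counter at 0 and answer `True` twice, which is exactly the replay condition the report describes.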

Comment 1 Murray McAllister 2014-02-09 23:59:31 UTC
Possible CVE request: http://seclists.org/oss-sec/2014/q1/279

Comment 2 Murray McAllister 2014-02-10 00:00:50 UTC
Created oath-toolkit tracking bugs for this issue:

Affects: fedora-all [bug 1063084]
Affects: epel-6 [bug 1063085]

Comment 3 Murray McAllister 2014-02-10 05:56:15 UTC
This issue was assigned CVE-2013-7322: http://seclists.org/oss-sec/2014/q1/296

Comment 4 Fedora Update System 2014-02-22 18:12:29 UTC
oath-toolkit-2.4.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2014-04-15 15:58:25 UTC
oath-toolkit-2.4.1-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-10-22 18:49:27 UTC
oath-toolkit-2.0.2-4.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Product Security DevOps Team 2019-06-08 02:31:26 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.