In Yubico pam-u2f 1.0.7, when the module is configured with debug and a custom debug log file is set using debug_file, the file descriptor for that log file is not closed when a new process is spawned. As a result, the file descriptor is inherited by the child process, which can then read from and write to it. This can leak sensitive information and, if the child process writes to it, can also be used to fill the disk or plant misinformation.
{ "vanir_signatures": [ { "signature_version": "v1", "deprecated": false, "target": { "file": "pam-u2f.c", "function": "pam_sm_authenticate" }, "source": "https://github.com/yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62", "digest": { "length": 6210.0, "function_hash": "189549074423305318278192686640012163201" }, "signature_type": "Function", "id": "CVE-2019-12210-0d65538b" }, { "signature_version": "v1", "deprecated": false, "target": { "file": "pam-u2f.c", "function": "parse_cfg" }, "source": "https://github.com/yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62", "digest": { "length": 3409.0, "function_hash": "195761456827247277768293084524503281524" }, "signature_type": "Function", "id": "CVE-2019-12210-0f862f88" }, { "signature_version": "v1", "deprecated": false, "target": { "file": "util.h" }, "source": "https://github.com/yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62", "digest": { "line_hashes": [ "74159124244018100562414087706259487115", "15589709676013445663821855306310005346", "29261019710999320254115368692065048130", "275549048693574385998821709364060424831", "274669463955468417678035653616836135555" ], "threshold": 0.9 }, "signature_type": "Line", "id": "CVE-2019-12210-129a38bf" }, { "signature_version": "v1", "deprecated": false, "target": { "file": "pam-u2f.c" }, "source": "https://github.com/yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62", "digest": { "line_hashes": [ "38566131191158280969771373829878351329", "68534845635227618244165295347654299518", "99034973171212203838086329539934875018", "160763405766745971685432024049131087910", "112550724444239380022428339715036561221", "339934473024402355708867558388125765016", "125337728716116508583989324253458221915", "285102405833314867080639137295015870331", "331289066888627500233492477902336962222", "186991957858821808299167416745842984917", "17394472259488424013346088083066957249", "250156582766584548941376435718678118607", 
"88149997300662303978378318817429612692", "189581175661097558587089072040598489498", "163128726598849826202468609236991219750", "301339130870676509232612002597399266403", "108587633537507210242609878158511307392", "50753954185298141919795490190530182148", "143445032207105796318675571078917865563", "71074590716795832861286944477717596693", "40621960917746443291963695129264077342", "320464032398203998813638203992451131861", "312870750276761457705186876906892758781", "256702700309835648708959209147152331714", "191877983113199356364464191681003477085", "122239394949683716420596891530724293475", "266013145266901934662043654012968551298", "264581039759020585843312172824995915707" ], "threshold": 0.9 }, "signature_type": "Line", "id": "CVE-2019-12210-c37279b6" }, { "signature_version": "v1", "deprecated": false, "target": { "file": "util.c" }, "source": "https://github.com/yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62", "digest": { "line_hashes": [ "239728184875118047816664293332223288302", "39543118994044962121342886856204437775", "234571186592139275582779438414895999399", "258265792297141696996194338689544215295", "320724708553198036580094638463132641387", "280180596188658174022623772171092698523", "339143390941574893358472871694190983890", "25562190451719698012950476071967077253", "291546800576521260612794148729163078387", "324223987105197310696138322894083649087", "92356891833934502546924409955693819634", "201896504121250102716349267443497954662", "176509127885275288976101512489957694016", "332509809972710239135991249936875728053" ], "threshold": 0.9 }, "signature_type": "Line", "id": "CVE-2019-12210-c5c783f3" }, { "signature_version": "v1", "deprecated": false, "target": { "file": "util.c", "function": "get_devices_from_authfile" }, "source": "https://github.com/yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62", "digest": { "length": 4492.0, "function_hash": "14975102232140488356628508058481157351" }, "signature_type": "Function", "id": 
"CVE-2019-12210-d996c8db" } ] }