{"id":"CVE-2019-12210","details":"In Yubico pam-u2f 1.0.7, when the module is configured with the debug option and a custom debug log file is set using debug_file, the file descriptor for that log file is not closed when a new process is spawned. As a result, the file descriptor is inherited by the child process, which can then read from and write to it. This can leak sensitive information and, if the file is written to, can be used to fill the disk or plant misinformation.","modified":"2026-04-11T08:05:34.780557Z","published":"2019-06-04T21:29:00.827Z","related":["SUSE-SU-2019:1749-1","SUSE-SU-2019:1750-1","openSUSE-SU-2019:1708-1","openSUSE-SU-2019:1725-1","openSUSE-SU-2024:11145-1"],"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00012.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00018.html"},{"type":"ADVISORY","url":"https://developers.yubico.com/pam-u2f/Release_Notes.html"},{"type":"FIX","url":"https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62"},{"type":"EVIDENCE","url":"http://www.openwall.com/lists/oss-security/2019/06/05/1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/yubico/pam-u2f","events":[{"introduced":"0"},{"fixed":"18b1914e32b74ff52000f10e97067e841e5fff62"}]},{"type":"GIT","repo":"https://github.com/yubico/pam-u2f","events":[{"introduced":"0"},{"fixed":"18b1914e32b74ff52000f10e97067e841e5fff62"}]}],"versions":["pam_u2f-0.0.0","pam_u2f-0.0.1","pam_u2f-1.0.0","pam_u2f-1.0.1","pam_u2f-1.0.2","pam_u2f-1.0.3","pam_u2f-1.0.4","pam_u2f-1.0.5","pam_u2f-1.0.6","pam_u2f-1.0.7"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.0.7"}]}],"vanir_signatures":[{"digest":{"length":6210,"function_hash":"189549074423305318278192686640012163201"},"signature_version":"v1","deprecated":false,"id":"CVE-2019-12210-0d65538b","target":{"function":"pam_sm_authenticate","file":"pam-u2f.c"},"source":"https://github.com/yubi
co/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62","signature_type":"Function"},{"digest":{"length":3409,"function_hash":"195761456827247277768293084524503281524"},"signature_version":"v1","deprecated":false,"id":"CVE-2019-12210-0f862f88","target":{"function":"parse_cfg","file":"pam-u2f.c"},"source":"https://github.com/yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62","signature_type":"Function"},{"digest":{"threshold":0.9,"line_hashes":["74159124244018100562414087706259487115","15589709676013445663821855306310005346","29261019710999320254115368692065048130","275549048693574385998821709364060424831","274669463955468417678035653616836135555"]},"signature_version":"v1","deprecated":false,"id":"CVE-2019-12210-129a38bf","target":{"file":"util.h"},"source":"https://github.com/yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62","signature_type":"Line"},{"digest":{"threshold":0.9,"line_hashes":["38566131191158280969771373829878351329","68534845635227618244165295347654299518","99034973171212203838086329539934875018","160763405766745971685432024049131087910","112550724444239380022428339715036561221","339934473024402355708867558388125765016","125337728716116508583989324253458221915","285102405833314867080639137295015870331","331289066888627500233492477902336962222","186991957858821808299167416745842984917","17394472259488424013346088083066957249","250156582766584548941376435718678118607","88149997300662303978378318817429612692","189581175661097558587089072040598489498","163128726598849826202468609236991219750","301339130870676509232612002597399266403","108587633537507210242609878158511307392","50753954185298141919795490190530182148","143445032207105796318675571078917865563","71074590716795832861286944477717596693","40621960917746443291963695129264077342","320464032398203998813638203992451131861","312870750276761457705186876906892758781","256702700309835648708959209147152331714","191877983113199356364464191681003477085","122239394949683716420
596891530724293475","266013145266901934662043654012968551298","264581039759020585843312172824995915707"]},"signature_version":"v1","deprecated":false,"id":"CVE-2019-12210-c37279b6","target":{"file":"pam-u2f.c"},"source":"https://github.com/yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62","signature_type":"Line"},{"digest":{"threshold":0.9,"line_hashes":["239728184875118047816664293332223288302","39543118994044962121342886856204437775","234571186592139275582779438414895999399","258265792297141696996194338689544215295","320724708553198036580094638463132641387","280180596188658174022623772171092698523","339143390941574893358472871694190983890","25562190451719698012950476071967077253","291546800576521260612794148729163078387","324223987105197310696138322894083649087","92356891833934502546924409955693819634","201896504121250102716349267443497954662","176509127885275288976101512489957694016","332509809972710239135991249936875728053"]},"signature_version":"v1","deprecated":false,"id":"CVE-2019-12210-c5c783f3","target":{"file":"util.c"},"source":"https://github.com/yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62","signature_type":"Line"},{"digest":{"length":4492,"function_hash":"14975102232140488356628508058481157351"},"signature_version":"v1","deprecated":false,"id":"CVE-2019-12210-d996c8db","target":{"function":"get_devices_from_authfile","file":"util.c"},"source":"https://github.com/yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62","signature_type":"Function"}],"vanir_signatures_modified":"2026-04-11T08:05:34Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12210.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}