Hi Brian,

On 11/10/19 5:02 pm, Utkarsh Gupta wrote:
> On 10/10/19 11:23 am, Brian May wrote:
>> Utkarsh Gupta <guptautkarsh2102@gmail.com> writes:
>>
>>> Just a quick question about this patch since I haven't really tested
>>> this at all (however aware of the CVE),
>>> Is checking signature before sending a request to openid.claimed_id URL
>>> strict enough?
>> Yes, that is my understanding. If the signature is checked, that makes
>> it impossible for a third party to change the claimed_id URL, rendering
>> the attack impossible.
>>
>> I don't claim to be an expert on this however.
> I had a few pointers, but since this is already uploaded, I'll raise
> this in upstream first and then get back if needed.
> Thank you for taking care of this.

The patch that was taken from one of the PRs[1] to fix CVE-2019-11027
didn't seem to fix the CVE completely. That said, I raised this upstream
and sent a one-liner patch[2] that was merged (which should actually fix
the CVE!). This is also released as v2.9.2 (kinda happy about it) :)

However, the previous PR (#121) leads to an issue[3] that hasn't been
quite fixed, making the library kinda unusable (at least the login part
of it).

I am not quite sure about what we should do here because the update
(DLA 1956-1) doesn't quite fix the CVE completely and also brings some
login problems as reported in #125. Because for now, #121 + #126 =
actual CVE fix. But the login problem remains.

Any pointers?

Best,
Utkarsh

---
[1]: https://github.com/openid/ruby-openid/pull/121
[2]: https://github.com/openid/ruby-openid/pull/126
[3]: https://github.com/openid/ruby-openid/issues/125
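The ordering the thread is about (verify the association signature, and only then send a request to the openid.claimed_id URL), as an added Ruby example. This is not ruby-openid code and not the content of PR #121 or #126; it models a positive assertion as a Hash of "openid.*" parameters, computes the OpenID 2.0 key-value-form HMAC with a constructed association secret, and uses a hypothetical `fetcher` callable where a real relying party would make the discovery HTTP request. The sample messages, secret and URLs are constructed for the example.

```ruby
require 'openssl'
require 'base64'

# Added example, not ruby-openid code. Shows why checking the signature first
# blocks the attack: claimed_id is among the signed fields, so a third party
# who rewrites it to an internal address cannot produce a matching openid.sig,
# and the relying party never fetches the rewritten URL.

# Key-Value form (OpenID 2.0 §4.1.1 / §6.1): "name:value\n" for each field
# listed in openid.signed, in that order, with the "openid." prefix stripped.
def kv_form(response, signed_fields)
  signed_fields.map { |f| "#{f}:#{response.fetch("openid.#{f}")}\n" }.join
end

# HMAC over the key-value form with the association secret, base64-encoded.
def compute_sig(response, assoc_secret)
  signed = response.fetch('openid.signed').split(',')
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', assoc_secret, kv_form(response, signed)))
end

# Constant-time comparison so a timing side channel does not reveal how much
# of a forged MAC matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Fields a positive assertion must sign (OpenID 2.0 §10.1); claimed_id must be
# signed too whenever it is present, otherwise the check below is meaningless.
REQUIRED_SIGNED = %w[op_endpoint return_to response_nonce assoc_handle].freeze

def signature_valid?(response, assoc_secret)
  signed = response.fetch('openid.signed', '').split(',')
  return false unless (REQUIRED_SIGNED - signed).empty?
  return false if response.key?('openid.claimed_id') && !signed.include?('claimed_id')
  secure_equal?(compute_sig(response, assoc_secret), response.fetch('openid.sig', ''))
rescue KeyError # a signed field that is missing from the message
  false
end

# Discovery step. The claimed_id URL reaches the (hypothetical) fetcher only
# after the signature has been verified; otherwise nothing is requested.
def discover_claimed_id(response, assoc_secret, fetcher)
  return [:rejected, nil] unless signature_valid?(response, assoc_secret)
  [:fetched, fetcher.call(response.fetch('openid.claimed_id'))]
end

# Constructed sample: a genuine assertion, then the same message with
# claimed_id rewritten by a third party to an internal metadata address.
SECRET = 'constructed-association-secret'
GENUINE = {
  'openid.ns' => 'http://specs.openid.net/auth/2.0',
  'openid.mode' => 'id_res',
  'openid.op_endpoint' => 'https://op.example/openid',
  'openid.claimed_id' => 'https://op.example/user/alice',
  'openid.identity' => 'https://op.example/user/alice',
  'openid.return_to' => 'https://rp.example/auth/return',
  'openid.response_nonce' => '2019-10-11T12:00:00ZabcDEF',
  'openid.assoc_handle' => 'handle-1',
  'openid.signed' => 'op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle'
}.freeze
SIGNED_RESPONSE = GENUINE.merge('openid.sig' => compute_sig(GENUINE, SECRET)).freeze
TAMPERED_RESPONSE = SIGNED_RESPONSE.merge(
  'openid.claimed_id' => 'http://169.254.169.254/latest/meta-data/'
).freeze

# Runs both messages through discovery and reports what the fetcher was asked
# to retrieve: only the genuine claimed_id, never the tampered one.
def demo
  fetched = []
  fetcher = ->(url) { fetched << url; "<html>profile at #{url}</html>" }
  [discover_claimed_id(SIGNED_RESPONSE, SECRET, fetcher).first,
   discover_claimed_id(TAMPERED_RESPONSE, SECRET, fetcher).first,
   fetched]
end
```

The check is only as strong as the signed-field list: if `openid.signed` could omit `claimed_id`, verifying the HMAC would say nothing about the URL, which is why `signature_valid?` refuses such messages rather than trusting the signature alone.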