
Re: Security issues in standards (ruby-openid / CVE-2019-11027)



Hi Brian,

On 11/10/19 5:02 pm, Utkarsh Gupta wrote:
> On 10/10/19 11:23 am, Brian May wrote:
>> Utkarsh Gupta <guptautkarsh2102@gmail.com> writes:
>>
>>> Just a quick question about this patch since I haven't really tested
>>> this at all (however, I am aware of the CVE):
>>> is checking the signature before sending a request to the openid.claimed_id URL
>>> strict enough?
>> Yes, that is my understanding. If the signature is checked, that makes
>> it impossible for a third party to change the claimed_id URL, rendering
>> the attack impossible.
>>
>> I don't claim to be an expert on this however.
> I had a few pointers, but since this is already uploaded, I'll raise
> this in upstream first and then get back if needed.
> Thank you for taking care of this.

The patch that was taken from one of the PRs[1] to fix CVE-2019-11027
didn't seem to fix the CVE completely.
That said, I raised this upstream and sent a one-liner patch[2] that was
merged (which should actually fix the CVE!).
This is also released as v2.9.2 (kinda happy about it) :)

However, the previous PR (#121) leads to an issue[3] that hasn't been
quite fixed; making the library kinda unusable (at least the login part
of it).

I am not quite sure what we should do here because the update (DLA
1956-1) doesn't quite fix the CVE completely and also brings some login
problems as reported in #125.
Because for now, #121 + #126 = actual CVE fix. But the login problem
remains.

Any pointers?


Best,
Utkarsh
---
[1]: https://github.com/openid/ruby-openid/pull/121
[2]: https://github.com/openid/ruby-openid/pull/126
[3]: https://github.com/openid/ruby-openid/issues/125
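As an added illustration of the ordering discussed in the thread (this is not ruby-openid's code and not the patch from PR #121 or #126), the relying party verifies the HMAC over the fields named in openid.signed before the claimed_id is used for discovery, so a tampered claimed_id is rejected without any request being sent. The MAC key, the assertion values and the `fetcher` lambda are constructed stand-ins for the association key, the OP's response and the HTTP discovery step.

```ruby
require 'openssl'
require 'base64'

# Constructed association MAC key shared by RP and OP (hypothetical value).
MAC_KEY = 'constructed-demo-mac-key'.freeze

# Constructed positive assertion, as the RP would receive it (made-up values).
GENUINE = {
  'openid.ns'             => 'http://specs.openid.net/auth/2.0',
  'openid.mode'           => 'id_res',
  'openid.op_endpoint'    => 'https://op.example/endpoint',
  'openid.claimed_id'     => 'https://alice.example/',
  'openid.identity'       => 'https://alice.example/',
  'openid.return_to'      => 'https://rp.example/return',
  'openid.response_nonce' => '2019-10-11T12:00:00Zdemo',
  'openid.assoc_handle'   => 'demo-handle',
  'openid.signed'         => 'op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle'
}.freeze

# Key-value form over the fields named in openid.signed: "key:value\n" per
# field, key without the "openid." prefix (the OpenID 2.0 signing input).
def signed_kv_form(params)
  params.fetch('openid.signed').split(',')
        .map { |f| "#{f}:#{params.fetch("openid.#{f}")}\n" }.join
end

def sign(params, mac_key)
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha256', mac_key, signed_kv_form(params)))
end

# Constant-time comparison so the check itself does not leak the MAC.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A missing signed field (KeyError) is treated as a failed signature.
def signature_valid?(params, mac_key)
  constant_time_equal?(sign(params, mac_key), params['openid.sig'].to_s)
rescue KeyError
  false
end

# The ordering the thread argues for: verify first, and only then let the
# claimed_id drive discovery. `fetcher` stands in for the HTTP discovery step.
def complete(params, mac_key, fetcher)
  return [:failure, 'signature mismatch'] unless signature_valid?(params, mac_key)
  [:success, fetcher.call(params.fetch('openid.claimed_id'))]
end
```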

