
Re: Issues regarding ruby-rack/CVE-2019-16782



Hi

I have looked into this some but I have not been able to determine how long the session ids were before the fix. Does anyone have that information?
Based on that we can rather easily determine how long a timing attack would take. My guess is a really long time.

Best regards

// Ola

On Mon, 10 Feb 2020 at 07:31, Brian May <bam@debian.org> wrote:
Utkarsh Gupta <guptautkarsh2102@gmail.com> writes:

> Please don't yet patch CVE-2019-16782 for Buster, Stretch, Jessie, et al.
> This security update induces a regression, resulting in some issues in
> using the library.
> Also, there's a slight possibility of this patch inducing a backdoor on
> its own.
>
> The issues have already been opened to/with the upstream and I hope
> they're looking into it.
> P.S. Shall update here when available :)

Do you have any references to the upstream issue regarding the possible
backdoor?

I see:

https://github.com/rack/rack/issues/1431
https://github.com/rack/rack/issues/1432
https://github.com/rack/rack/issues/1433

Apparently the regression is unavoidable - see
https://github.com/rack/rack/issues/1432#issuecomment-571688819

Which in turn generated controversy - is it OK to cause breakage if it
fixes a known security issue?
https://github.com/rack/rack/issues/1432#issuecomment-571701768

This might rule out being able to provide fixes for Buster and Jessie.

Oh, I see, #1431 mentions the possible backdoor; a claim that was
disputed.

It also seems like "I agree that the vulnerability is not that great and
does take substantial time to pull off." - wonder if it's even worth
trying to fix this for anything other than unstable+testing.
--
Brian May <bam@debian.org>



--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
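The thread asks how long a timing attack on session-id comparison would take, which depends on the id length and on whether the comparison is variable-time. The following is an added example, not code from the thread, from Debian or from Rack itself: it contrasts a variable-time comparison with a constant-time one, shows the effect of hashing ids before they are stored and compared, and gives a back-of-the-envelope guess budget for an id of a given length. The id length, the hex alphabet and the SHA-256 choice are assumptions for illustration, not values taken from Rack.

```ruby
# Added example (not Rack's code): constant-time vs variable-time session-id
# comparison, hashed ids, and a rough guess budget for risk assessment.
require 'securerandom'
require 'openssl'

# Assumed generator: 16 random bytes rendered as 32 hex characters.
# This is an assumption about id shape, not Rack's actual generator.
def fresh_id(bytes = 16)
  SecureRandom.hex(bytes)
end

# Variable-time comparison: String#== returns at the first differing byte,
# so the elapsed time depends on how many leading bytes match. That
# dependency is what a timing attack measures.
def variable_time_equal?(a, b)
  a == b
end

# Constant-time comparison: walks every byte regardless of where the first
# mismatch is and folds all differences into one accumulator. A length
# mismatch is rejected up front; that reveals only the length, not content.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Storing and comparing a digest of the id (the shape of fix this CVE
# received, with SHA-256 assumed here) means that even a leaky comparison
# exposes only the digest, which does not let a client present a valid id.
def hashed_id(public_id)
  OpenSSL::Digest::SHA256.hexdigest(public_id)
end

# Guess budget for an id of `length` symbols drawn from `alphabet` symbols:
# exhaustive search grows exponentially in the length, whereas a perfect
# per-byte timing oracle reduces the candidate count to a linear number.
# The ratio between the two is how much a variable-time comparison gives
# away; for realistic lengths the linear figure is what makes the defect
# worth fixing at all, while noise makes the "perfect oracle" optimistic.
def guess_budget(length:, alphabet: 16)
  {
    exhaustive: alphabet**length,
    per_byte_oracle: alphabet * length
  }
end

if __FILE__ == $PROGRAM_NAME
  id = fresh_id
  puts "id length: #{id.length} hex chars"
  puts "constant-time self-compare: #{constant_time_equal?(id, id)}"
  puts "stored digest: #{hashed_id(id)}"
  puts "guess budget: #{guess_budget(length: id.length)}"
end
```

The `guess_budget` figures assume a noise-free oracle; on a real network each byte needs many repeated measurements, which is why the thread's intuition that such an attack "takes substantial time" is reasonable even before hashing removes the leak entirely.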

