
Bug#873309: marked as done (stretch-pu: package request-tracker4/4.4.1-3+deb9u3)



Your message dated Sat, 07 Oct 2017 11:33:55 +0100
with message-id <1507372435.18586.64.camel@adam-barratt.org.uk>
and subject line Closing bugs for 9.2 point release
has caused the Debian Bug report #873309,
regarding stretch-pu: package request-tracker4/4.4.1-3+deb9u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
873309: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873309
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

A regression was discovered in the latest security patch update for
RT which can cause incorrect UTF-8 encoded passwords to cause an
application error. This is not in itself considered a security
problem.

The attached debdiff applies a patch which has been included in the
official upstream releases including the security fixes.

Thanks for considering!

Dominic.

diff -Nru request-tracker4-4.4.1/debian/changelog request-tracker4-4.4.1/debian/changelog
--- request-tracker4-4.4.1/debian/changelog	2017-07-06 15:10:40.000000000 +0100
+++ request-tracker4-4.4.1/debian/changelog	2017-08-25 23:53:15.000000000 +0100
@@ -1,3 +1,10 @@
+request-tracker4 (4.4.1-3+deb9u3) UNRELEASED; urgency=medium
+
+  * Fix regression in previous security release where incorrect
+    SHA256 passwords could trigger an error
+
+ -- Dominic Hargreaves <dom@earth.li>  Fri, 25 Aug 2017 23:50:45 +0100
+
 request-tracker4 (4.4.1-3+deb9u2) stretch; urgency=medium
 
   * Handle configuration permissions correctly following
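Review bot: the distribution in the new changelog entry is `UNRELEASED`, whereas the `4.4.1-3+deb9u2` entry directly below targets `stretch`; for a stretch-pu upload the entry should read `request-tracker4 (4.4.1-3+deb9u3) stretch; urgency=medium` before the package is built, since the `.changes` Distribution field is taken from the changelog. The entry text could also name the failing case more precisely (passwords containing non-ASCII characters stored in the salted-SHA256 format) so the point-release notes are clear about who was affected.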
diff -Nru request-tracker4-4.4.1/debian/.git-dpm request-tracker4-4.4.1/debian/.git-dpm
--- request-tracker4-4.4.1/debian/.git-dpm	2017-07-06 11:12:02.000000000 +0100
+++ request-tracker4-4.4.1/debian/.git-dpm	2017-08-25 23:50:44.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-e272152dd37ff075d41052fbe599fb23040bb426
-e272152dd37ff075d41052fbe599fb23040bb426
+6700f66c21e5baa6b59ef7ac5aed226d9bf96bfb
+6700f66c21e5baa6b59ef7ac5aed226d9bf96bfb
 63ca1094b0eb53bf86eef426b17dc0080a1a1f8e
 63ca1094b0eb53bf86eef426b17dc0080a1a1f8e
 request-tracker4_4.4.1.orig.tar.gz
diff -Nru request-tracker4-4.4.1/debian/patches/is_password_binary.patch request-tracker4-4.4.1/debian/patches/is_password_binary.patch
--- request-tracker4-4.4.1/debian/patches/is_password_binary.patch	1970-01-01 01:00:00.000000000 +0100
+++ request-tracker4-4.4.1/debian/patches/is_password_binary.patch	2017-08-25 23:50:44.000000000 +0100
@@ -0,0 +1,78 @@
+From 6700f66c21e5baa6b59ef7ac5aed226d9bf96bfb Mon Sep 17 00:00:00 2001
+From: Shawn M Moore <shawn@bestpractical.com>
+Date: Mon, 10 Jul 2017 11:48:28 -0400
+Subject: Add a "binary" option to opt out of UTF8 encoding
+
+The SHA256 branch of IsPassword generates binary values to compare,
+which may lead to comparing two strings with a different number of
+Unicode characters, even when both strings have 26 octets (since UTF8 is
+a variable-length encoding). This triggers an error in constant_time_eq
+which demands both strings are the same length.
+
+When comparing binary values pass this flag to avoid treating the
+inputs as UTF8.
+
+Patch-Name: is_password_binary.patch
+---
+ lib/RT/User.pm |  2 +-
+ lib/RT/Util.pm | 20 ++++++++++++++++----
+ 2 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/lib/RT/User.pm b/lib/RT/User.pm
+index 0e86d44..3ced5ce 100644
+--- a/lib/RT/User.pm
++++ b/lib/RT/User.pm
+@@ -1110,7 +1110,7 @@ sub IsPassword {
+         my $salt = substr($hash, 0, 4, "");
+         return 0 unless RT::Util::constant_time_eq(
+             substr(Digest::SHA::sha256($salt . Digest::MD5::md5(Encode::encode( "UTF-8", $value))), 0, 26),
+-            $hash
++            $hash, 1
+         );
+     } elsif (length $stored == 32) {
+         # Hex nonsalted-md5
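Review bot: the bare literal `1` in `$hash, 1` gives a later reader no hint why this one call opts out of UTF-8 handling; a short comment on the call (or a named constant) should record that both arguments here are raw octet strings, the 26-byte `substr` of the SHA-256 digest and the stored hash with its 4-byte salt removed. It is also worth confirming in the description that `$hash` really is an octet string at this point (that is, the stored value is not read back from the database as decoded text), because the binary branch in `constant_time_eq` performs no such check and would simply compare code points instead of bytes.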
+diff --git a/lib/RT/Util.pm b/lib/RT/Util.pm
+index 47b1dd2..1a040b9 100644
+--- a/lib/RT/Util.pm
++++ b/lib/RT/Util.pm
+@@ -166,6 +166,9 @@ The two string arguments B<MUST> be of equal length. If the lengths differ,
+ this function will call C<die()>, as proceeding with execution would create
+ a timing vulnerability. Length is defined by characters, not bytes.
+ 
++Strings that should be treated as binary octets rather than Unicode text
++should pass a true value for the binary flag.
++
+ This code has been tested to do what it claims. Do not change it without
+ thorough statistical timing analysis to validate the changes.
+ 
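Review bot: the sentence two lines above, "Length is defined by characters, not bytes", is no longer unconditionally true once the binary flag exists, since with the flag set every character is treated as a single octet; the added paragraph should state that in binary mode lengths are compared in octets, and should name the flag as the third positional argument (`constant_time_eq($a, $b, $binary)`), because the POD otherwise gives callers no signature for it.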
+@@ -177,7 +180,7 @@ B<https://en.wikipedia.org/wiki/Timing_attack>
+ =cut
+ 
+ sub constant_time_eq {
+-    my ($a, $b) = @_;
++    my ($a, $b, $binary) = @_;
+ 
+     my $result = 0;
+ 
+@@ -191,9 +194,18 @@ sub constant_time_eq {
+         my $a_char = substr($a, $i, 1);
+         my $b_char = substr($b, $i, 1);
+ 
+-        # encode() is set to die on malformed
+-        my @a_octets = unpack("C*", encode('UTF-8', $a_char, Encode::FB_CROAK));
+-        my @b_octets = unpack("C*", encode('UTF-8', $b_char, Encode::FB_CROAK));
++        my (@a_octets, @b_octets);
++
++        if ($binary) {
++            @a_octets = ord($a_char);
++            @b_octets = ord($b_char);
++        }
++        else {
++            # encode() is set to die on malformed
++            @a_octets = unpack("C*", encode('UTF-8', $a_char, Encode::FB_CROAK));
++            @b_octets = unpack("C*", encode('UTF-8', $b_char, Encode::FB_CROAK));
++        }
++
+         die $generic_error if (scalar @a_octets) != (scalar @b_octets);
+ 
+         for (my $j = 0; $j < scalar @a_octets; $j++) {
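Review bot: the POD for this function warns not to change it without thorough statistical timing analysis, and this hunk adds a branch that is evaluated on every loop iteration; the condition depends only on the constant `$binary` and never on the compared data, so it should not introduce a data-dependent timing difference, but the upload description should say whether the analysis was rerun or why it was judged unnecessary. In the binary branch `@a_octets = ord($a_char)` always yields exactly one element on each side, so the `die $generic_error if (scalar @a_octets) != (scalar @b_octets)` check below can never fire in binary mode; that is correct (the whole-string length check described in the POD is the guard that remains) but deserves a comment. Consider also dying in the binary branch when `ord($a_char) > 255` or `ord($b_char) > 255`, so that a string accidentally passed as decoded text is rejected rather than silently compared as code points.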
diff -Nru request-tracker4-4.4.1/debian/patches/series request-tracker4-4.4.1/debian/patches/series
--- request-tracker4-4.4.1/debian/patches/series	2017-07-06 11:12:02.000000000 +0100
+++ request-tracker4-4.4.1/debian/patches/series	2017-08-25 23:50:44.000000000 +0100
@@ -23,3 +23,4 @@
 local_site_config_includes.diff
 patchset-2017-06-01.patch
 patchset-2017-06-01-test-failures.patch
+is_password_binary.patch

--- End Message ---
--- Begin Message ---
Version: 9.2

Hi.

The updates referenced by each of these bugs were included in today's
point release of stretch.

Regards,

Adam

--- End Message ---
