[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#995482: marked as done (buster-pu: package request-tracker4/4.4.3-2+deb10u1)

Your message dated Sat, 09 Oct 2021 12:11:43 +0100
with message-id <896b7609401ceb0e1c537222e26587ea2351415d.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in the 10.11 point release
has caused the Debian Bug report #995482,
regarding buster-pu: package request-tracker4/4.4.3-2+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
995482: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995482
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-request-tracker-maintainers@lists.alioth.debian.org, Salvatore Bonaccorso <carnil@debian.org>

Hi, we'd like to update request-tracker4 in buster to fix #995175 /
CVE-2021-38562, a timing sidechannel issue that allows user enumeration.

The security team (Salvatore) has deemed this a minor no-dsa
issue that would best be fixed via a point release. It's fixed in
unstable with version 4.4.4+dfsg-3, and bullseye is being fixed with
4.4.4+dfsg-2+deb11u1 in stable-NEW.

The upstream fix is small and isolated. I've verified that it fixes the
timing issue (which is clearly visible in the version in buster.)

I'm assuming this is uncontroversial and have already uploaded. Source
debdiff attached.  Sorry about the small debian/.git-dpm noise caused
by our tooling, but I figured that getting rid of it would be more
invasive than leaving it in.

Thanks for your work,
--
Niko Tyni   ntyni@debian.org

diff -Nru request-tracker4-4.4.3/debian/changelog request-tracker4-4.4.3/debian/changelog
--- request-tracker4-4.4.3/debian/changelog	2019-02-08 19:50:03.000000000 +0200
+++ request-tracker4-4.4.3/debian/changelog	2021-09-29 14:41:47.000000000 +0300
@@ -1,3 +1,11 @@
+request-tracker4 (4.4.3-2+deb10u1) buster; urgency=medium
+
+  * Apply upstream patch which fixes a security vulnerability that involves a
+    login timing side-channel attack. This resolves CVE-2021-38562
+    (Closes: #995175)
+
+ -- Andrew Ruthven <andrew@etc.gen.nz>  Thu, 30 Sep 2021 00:41:47 +1300
+
 request-tracker4 (4.4.3-2) unstable; urgency=high
 
   * Add missing dependencies on libcpanel-json-xs-perl (Closes: #920744)
diff -Nru request-tracker4-4.4.3/debian/.git-dpm request-tracker4-4.4.3/debian/.git-dpm
--- request-tracker4-4.4.3/debian/.git-dpm	2018-09-18 19:13:22.000000000 +0300
+++ request-tracker4-4.4.3/debian/.git-dpm	2021-09-29 14:41:47.000000000 +0300
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-20766b8eaa377b556aaaded81576c43058a0586e
-20766b8eaa377b556aaaded81576c43058a0586e
+78711c71d36915750d34634b48fbd9ba5a98f18e
+78711c71d36915750d34634b48fbd9ba5a98f18e
 cae4666079f25496de9f49e7c61583bf3b616946
 cae4666079f25496de9f49e7c61583bf3b616946
 request-tracker4_4.4.3.orig.tar.gz
diff -Nru request-tracker4-4.4.3/debian/patches/series request-tracker4-4.4.3/debian/patches/series
--- request-tracker4-4.4.3/debian/patches/series	2018-09-18 19:13:22.000000000 +0300
+++ request-tracker4-4.4.3/debian/patches/series	2021-09-29 14:41:47.000000000 +0300
@@ -17,3 +17,4 @@
 test_gnupg-interface_gpg1.diff
 runtime_gpg1.diff
 use_cpanel_json_xs.diff
+upstream_4.4-trunk_cve:_avoid_time_side_channel_attack.diff
diff -Nru request-tracker4-4.4.3/debian/patches/upstream_4.4-trunk_cve:_avoid_time_side_channel_attack.diff request-tracker4-4.4.3/debian/patches/upstream_4.4-trunk_cve:_avoid_time_side_channel_attack.diff
--- request-tracker4-4.4.3/debian/patches/upstream_4.4-trunk_cve:_avoid_time_side_channel_attack.diff	1970-01-01 02:00:00.000000000 +0200
+++ request-tracker4-4.4.3/debian/patches/upstream_4.4-trunk_cve:_avoid_time_side_channel_attack.diff	2021-09-29 14:41:47.000000000 +0300
@@ -0,0 +1,66 @@
+From 78711c71d36915750d34634b48fbd9ba5a98f18e Mon Sep 17 00:00:00 2001
+From: Dianne Skoll <dianne@bestpractical.com>
+Date: Fri, 15 Jan 2021 09:15:20 -0500
+Subject: Always check password to avoid timing side channel attacks on
+
+ login page
+
+This addresses CVE-2021-38562.
+
+Bug-Debian: https://bugs.debian.org/995175
+Forwarded: not-needed
+Patch-Name: upstream_4.4-trunk_cve:_avoid_time_side_channel_attack.diff
+---
+ lib/RT/Interface/Web.pm | 8 ++++++++
+ lib/RT/User.pm          | 9 ++++++---
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
+index c897a7dc..9c1a1474 100644
+--- a/lib/RT/Interface/Web.pm
++++ b/lib/RT/Interface/Web.pm
+@@ -824,10 +824,18 @@ sub AttemptPasswordAuthentication {
+     my $user_obj = RT::CurrentUser->new();
+     $user_obj->Load( $ARGS->{user} );
+ 
++    # Load the RT system user as well to avoid timing side channel
++    my $system_user = RT::CurrentUser->new();
++    $system_user->Load(1);    # User with ID 1 should always exist!
++
+     my $m = $HTML::Mason::Commands::m;
+ 
+     my $remote_addr = RequestENV('REMOTE_ADDR');
+     unless ( $user_obj->id && $user_obj->IsPassword( $ARGS->{pass} ) ) {
++        if (!$user_obj->id) {
++            # Avoid timing side channel... always run IsPassword
++            $system_user->IsPassword( $ARGS->{pass} );
++        }
+         $RT::Logger->error("FAILED LOGIN for @{[$ARGS->{user}]} from $remote_addr");
+         $m->callback( %$ARGS, CallbackName => 'FailedLogin', CallbackPage => '/autohandler' );
+         return (0, HTML::Mason::Commands::loc('Your username or password is incorrect'));
+diff --git a/lib/RT/User.pm b/lib/RT/User.pm
+index ca47377c..8f057733 100644
+--- a/lib/RT/User.pm
++++ b/lib/RT/User.pm
+@@ -1086,15 +1086,18 @@ sub IsPassword {
+     }
+ 
+    if ( $self->PrincipalObj->Disabled ) {
++        # Run the bcrypt generator to avoid timing side-channel attacks
++        RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64);
+         $RT::Logger->info(
+             "Disabled user " . $self->Name . " tried to log in" );
+         return (undef);
+     }
+ 
+     unless ($self->HasPassword) {
+-        return(undef);
+-     }
+-
++        # Run the bcrypt generator to avoid timing side-channel attacks
++        RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64);
++        return undef;
++    }
+     my $stored = $self->__Value('Password');
+     if ($stored =~ /^!/) {
+         # If it's a new-style (>= RT 4.0) password, it starts with a '!'

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 10.11

Hi,

The updates relating to these bugs were included in this morning's
10.11 point release for buster.

Regards,

Adam

--- End Message ---
Reply to: