hi, (CC: pkg-ruby-extras-maintainers)

I've contacted Youhei SASAKI (maintainer of ruby-rack, successor of librack-ruby), and got his acknowledgement about preparing an NMU for this bug.

Please audit this patch; after that I will prepare an NMU for squeeze (and after that t-p-u, unstable, ...).

On Sun, Feb 10, 2013 at 4:49 PM, Salvatore Bonaccorso <car...@debian.org> wrote:
>> > [1] http://security-tracker.debian.org/tracker/CVE-2013-0263
>> the code which raises CVE-2013-0263 (needs time string comparison)
>> also affects stable version:
>> https://github.com/rack/rack/blob/1.1/lib/rack/session/cookie.rb#L49

This issue was already fixed in upstream HEAD, so I backported those commits with file adjustments for the old code base.

https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11

The prepared patch is as follows:

--- a/lib/rack/session/cookie.rb 2013-02-11 01:54:07.291302061 +0000
+++ b/lib/rack/session/cookie.rb 2013-02-11 01:55:10.135303555 +0000
@@ -46,7 +46,7 @@
         if @secret && session_data
           session_data, digest = session_data.split("--")
-          session_data = nil unless digest == generate_hmac(session_data)
+          session_data = nil unless Rack::Utils.secure_compare(digest, generate_hmac(session_data))
         end
 
         begin
--- a/lib/rack/utils.rb 2013-02-11 01:55:45.791304402 +0000
+++ b/lib/rack/utils.rb 2013-02-11 01:56:43.395305772 +0000
@@ -234,6 +234,18 @@
     end
     module_function :bytesize
 
+    # Constant time string comparison.
+    def secure_compare(a, b)
+      return false unless bytesize(a) == bytesize(b)
+
+      l = a.unpack("C*")
+
+      r, i = 0, -1
+      b.each_byte { |v| r |= v ^ l[i+=1] }
+      r == 0
+    end
+    module_function :secure_compare
+
     # Context allows the use of a compatible middleware at different points
     # in a request handling stack. A compatible middleware must define
     # #context which should take the arguments env and app. The first of which
--- a/test/spec_rack_utils.rb 2013-02-11 01:57:17.383306580 +0000
+++ b/test/spec_rack_utils.rb 2013-02-11 01:58:12.775307896 +0000
@@ -205,6 +205,11 @@
     Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
   end
 
+  specify "should perform constant time string comparison" do
+    Rack::Utils.secure_compare('a', 'a').should.equal true
+    Rack::Utils.secure_compare('a', 'b').should.equal false
+  end
+
   specify "should return status code for integer" do
     Rack::Utils.status_code(200).should.equal 200
   end

regards,
-- 
KURASHIKI Satoru
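Review bot: in the cookie.rb hunk, `digest` is nil whenever the cookie value contains no `--` (a cookie written before `:secret` was configured, or a tampered one), and the new line then calls `Rack::Utils.secure_compare(nil, ...)`, whose `bytesize(nil)` raises `NoMethodError`, where the old `digest == generate_hmac(session_data)` simply evaluated to false and dropped the session. Guard the call so an absent digest is rejected instead of becoming a 500, e.g. `session_data = nil unless digest && Rack::Utils.secure_compare(digest, generate_hmac(session_data))`.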
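Review bot: the comment `# Constant time string comparison.` on the new `secure_compare` in utils.rb overstates what the method guarantees: the early `return false unless bytesize(a) == bytesize(b)` makes the running time depend on whether the lengths match, so the comparison is constant time only for equal-length inputs. That is fine for the HMAC digests this patch compares (fixed, public length), but the comment should say so, because a caller comparing variable-length secrets would get a length oracle. The byte loop itself is sound: with equal lengths `l[i+=1]` never runs past the array, and `r` accumulates every byte difference before the single `r == 0` check.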
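Review bot: the new spec in spec_rack_utils.rb only exercises equal-length, one-byte inputs, so neither the length guard nor the XOR accumulation in `secure_compare` is covered. Add a differing-length case (`Rack::Utils.secure_compare('a', 'ab').should.equal false`) and a longer pair that differs only in the final byte (`Rack::Utils.secure_compare('abc', 'abd').should.equal false`), so a regression that returns after the first byte or skips the length check would be caught.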