Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
A regression was discovered in the latest security patch update for RT which can cause incorrect UTF-8-encoded passwords to trigger an application error. This is not in itself considered a security problem. The attached debdiff applies a patch which has been included in the official upstream releases including the security fixes.

Thanks for considering!

Dominic.
diff -Nru request-tracker4-4.2.8/debian/changelog request-tracker4-4.2.8/debian/changelog --- request-tracker4-4.2.8/debian/changelog 2017-06-10 23:25:15.000000000 +0100 +++ request-tracker4-4.2.8/debian/changelog 2017-08-26 00:05:00.000000000 +0100 @@ -1,3 +1,10 @@ +request-tracker4 (4.2.8-3+deb8u3) UNRELEASED; urgency=medium + + * Fix regression in previous security release where incorrect + SHA256 passwords could trigger an error + + -- Dominic Hargreaves <d...@earth.li> Sat, 26 Aug 2017 00:04:25 +0100 + request-tracker4 (4.2.8-3+deb8u2) jessie-security; urgency=high * Fix FTBFS due to base.pm changes (Closes: #864302) diff -Nru request-tracker4-4.2.8/debian/.git-dpm request-tracker4-4.2.8/debian/.git-dpm --- request-tracker4-4.2.8/debian/.git-dpm 2017-06-10 23:24:20.000000000 +0100 +++ request-tracker4-4.2.8/debian/.git-dpm 2017-08-26 00:04:21.000000000 +0100 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -0585d038ba908af5d49c48ddeb1394b2f3579331 -0585d038ba908af5d49c48ddeb1394b2f3579331 +dc3c256430c25518b42020ae1f85924aeb6930c4 +dc3c256430c25518b42020ae1f85924aeb6930c4 21890d09947710ac3f48ddd306fe5b6a50f5bbe9 21890d09947710ac3f48ddd306fe5b6a50f5bbe9 request-tracker4_4.2.8.orig.tar.gz diff -Nru request-tracker4-4.2.8/debian/patches/is_password_binary.patch request-tracker4-4.2.8/debian/patches/is_password_binary.patch --- request-tracker4-4.2.8/debian/patches/is_password_binary.patch 1970-01-01 01:00:00.000000000 +0100 +++ request-tracker4-4.2.8/debian/patches/is_password_binary.patch 2017-08-26 00:04:21.000000000 +0100 
@@ -0,0 +1,78 @@ +From dc3c256430c25518b42020ae1f85924aeb6930c4 Mon Sep 17 00:00:00 2001 +From: Shawn M Moore <sh...@bestpractical.com> +Date: Mon, 10 Jul 2017 11:48:28 -0400 +Subject: Add a "binary" option to opt out of UTF8 encoding + +The SHA256 branch of IsPassword generates binary values to compare, +which may lead to comparing two strings with a different number of +Unicode characters, even when both strings have 26 octets (since UTF8 is +a variable-length encoding). This triggers an error in constant_time_eq +which demands both strings are the same length. + +When comparing binary values pass this flag to avoid treating the +inputs as UTF8. + +Patch-Name: is_password_binary.patch +--- + lib/RT/User.pm | 2 +- + lib/RT/Util.pm | 20 ++++++++++++++++---- + 2 files changed, 17 insertions(+), 5 deletions(-) + +diff --git a/lib/RT/User.pm b/lib/RT/User.pm +index dba5b6f..e8c0be5 100644 +--- a/lib/RT/User.pm ++++ b/lib/RT/User.pm +@@ -1006,7 +1006,7 @@ sub IsPassword { + my $salt = substr($hash, 0, 4, ""); + return 0 unless RT::Util::constant_time_eq( + substr(Digest::SHA::sha256($salt . Digest::MD5::md5(Encode::encode( "UTF-8", $value))), 0, 26), +- $hash ++ $hash, 1 + ); + } elsif (length $stored == 32) { + # Hex nonsalted-md5 +diff --git a/lib/RT/Util.pm b/lib/RT/Util.pm +index 014f232..86e96ad 100644 +--- a/lib/RT/Util.pm ++++ b/lib/RT/Util.pm +@@ -166,6 +166,9 @@ The two string arguments B<MUST> be of equal length. If the lengths differ, + this function will call C<die()>, as proceeding with execution would create + a timing vulnerability. Length is defined by characters, not bytes. + ++Strings that should be treated as binary octets rather than Unicode text ++should pass a true value for the binary flag. ++ + This code has been tested to do what it claims. Do not change it without + thorough statistical timing analysis to validate the changes. 
+ +@@ -177,7 +180,7 @@ B<https://en.wikipedia.org/wiki/Timing_attack> + =cut + + sub constant_time_eq { +- my ($a, $b) = @_; ++ my ($a, $b, $binary) = @_; + + my $result = 0; + +@@ -191,9 +194,18 @@ sub constant_time_eq { + my $a_char = substr($a, $i, 1); + my $b_char = substr($b, $i, 1); + +- # encode() is set to die on malformed +- my @a_octets = unpack("C*", encode('UTF-8', $a_char, Encode::FB_CROAK)); +- my @b_octets = unpack("C*", encode('UTF-8', $b_char, Encode::FB_CROAK)); ++ my (@a_octets, @b_octets); ++ ++ if ($binary) { ++ @a_octets = ord($a_char); ++ @b_octets = ord($b_char); ++ } ++ else { ++ # encode() is set to die on malformed ++ @a_octets = unpack("C*", encode('UTF-8', $a_char, Encode::FB_CROAK)); ++ @b_octets = unpack("C*", encode('UTF-8', $b_char, Encode::FB_CROAK)); ++ } ++ + die $generic_error if (scalar @a_octets) != (scalar @b_octets); + + for (my $j = 0; $j < scalar @a_octets; $j++) { diff -Nru request-tracker4-4.2.8/debian/patches/series request-tracker4-4.2.8/debian/patches/series --- request-tracker4-4.2.8/debian/patches/series 2017-06-10 23:24:20.000000000 +0100 +++ request-tracker4-4.2.8/debian/patches/series 2017-08-26 00:04:21.000000000 +0100 @@ -18,3 +18,4 @@ base-pm-ftbfs.patch patchset-2017-06-01.patch patchset-2017-06-01-test-failures.patch +is_password_binary.patch
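Review bot: the new debian/changelog entry still says `UNRELEASED`; for a jessie proposed-update upload the distribution needs to be set to `jessie` (the previous entry used `jessie-security`) before the package is built, and the entry should close this bug report once it has been filed.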
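Review bot: only the SHA256 call site in `IsPassword` passes the new third argument (`$hash, 1`), while the hex branches that follow (`} elsif (length $stored == 32) { # Hex nonsalted-md5`) keep the UTF-8 path. That is safe because hex digests are ASCII and encode one octet per character, but a one-line comment at the changed call saying the inputs are raw digest octets would make the asymmetry obvious to the next reader.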
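Review bot: the POD hunk in lib/RT/Util.pm describes "the binary flag" without saying how it is passed; since the signature hunk makes it the third positional argument (`my ($a, $b, $binary) = @_;`), the added sentence should name it as such, e.g. "pass a true value as the third argument". The existing sentence "Length is defined by characters, not bytes" remains accurate in binary mode only because each character is then one octet, which is worth stating alongside the new paragraph.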
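Review bot: the binary branch added to `constant_time_eq` trusts its inputs: `@a_octets = ord($a_char);` takes the code point as a single octet, so a caller that sets the flag on a string holding characters above 0xFF gets a silent code-point comparison instead of the `die()` the UTF-8 branch gets from `Encode::FB_CROAK`. Suggest guarding the branch with `die $generic_error if ord($a_char) > 255 || ord($b_char) > 255;` so misuse fails closed the same way the text path does.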
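The regression described in the report above, modelled as an added example in Python (not RT's code): `constant_time_eq` expands each character to UTF-8 octets, so two raw 26-octet digests can produce a different octet count at the same position and the compare dies, which only happens for wrong passwords since a correct one yields identical digests. The salt `b"s4lt"` and the passwords are constructed sample values; the `ord > 255` guard is an assumed hardening, not part of the patch.

```python
import hashlib

GENERIC_ERROR = "Cannot compare strings of different lengths"


def constant_time_eq(a: str, b: str, binary: bool = False) -> bool:
    """Model of RT::Util::constant_time_eq after the patch; raises where RT dies."""
    if len(a) != len(b):
        raise ValueError(GENERIC_ERROR)
    result = 0
    for a_char, b_char in zip(a, b):
        if binary:
            # Assumed hardening, not in the patch: binary strings hold octets only.
            if ord(a_char) > 255 or ord(b_char) > 255:
                raise ValueError(GENERIC_ERROR)
            a_octets, b_octets = [ord(a_char)], [ord(b_char)]
        else:
            # Characters >= U+0080 encode to two or more octets, so a digest
            # byte 0x41 against 0xC3 gives 1 vs 2 octets here and the compare dies.
            a_octets = list(a_char.encode("utf-8"))
            b_octets = list(b_char.encode("utf-8"))
        if len(a_octets) != len(b_octets):
            raise ValueError(GENERIC_ERROR)
        for x, y in zip(a_octets, b_octets):
            result |= x ^ y
    return result == 0


def compare_outcome(a: str, b: str, binary: bool):
    """Return True, False, or 'error' when the compare would die."""
    try:
        return constant_time_eq(a, b, binary)
    except ValueError:
        return "error"


def salted_sha256(password: str, salt: bytes) -> bytes:
    """Stored form from the IsPassword hunk: salt . sha256(salt . md5(utf8 pw))[0:26]."""
    inner = hashlib.md5(password.encode("utf-8")).digest()
    return salt + hashlib.sha256(salt + inner).digest()[:26]


def is_password(value: str, stored: bytes, binary: bool):
    """IsPassword's SHA256 branch; latin-1 decoding models Perl's octet-per-character strings."""
    salt, hashed = stored[:4], stored[4:]
    computed = salted_sha256(value, salt)[4:]
    return compare_outcome(computed.decode("latin-1"), hashed.decode("latin-1"), binary)


if __name__ == "__main__":
    stored = salted_sha256("correct horse", b"s4lt")  # constructed sample credential
    for pw in ("correct horse", "wrong guess"):
        print(pw, "text:", is_password(pw, stored, False), "binary:", is_password(pw, stored, True))
```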