[apache-directory-api] 04/04: Remove 02-CVE-2015-3250.patch (fixed in M31)

Christopher Stuart Hoskin mans0954 at moszumanska.debian.org
Wed Jan 3 23:54:08 UTC 2018


This is an automated email from the git hooks/post-receive script.

mans0954 pushed a commit to branch master
in repository apache-directory-api.

commit 7fab3ce9b1d99b82ad7c4ef8f7970fd3e108f251
Author: Christopher Hoskin <mans0954 at debian.org>
Date:   Wed Jan 3 23:49:30 2018 +0000

    Remove 02-CVE-2015-3250.patch (fixed in M31)
---
 debian/changelog                      |  1 +
 debian/patches/02-CVE-2015-3250.patch | 68 -----------------------------------
 debian/patches/series                 |  1 -
 3 files changed, 1 insertion(+), 69 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 4022169..d5c79e8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ apache-directory-api (1.0.0-1) UNRELEASED; urgency=medium
   * Watch official signed upstream release tarballs 
   * New upstream release (1.0.0)
   * Use https in debian/watch
+  * Remove 02-CVE-2015-3250.patch (fixed in M31)
 
  -- Christopher Hoskin <mans0954 at debian.org>  Wed, 03 Jan 2018 23:33:47 +0000
 
diff --git a/debian/patches/02-CVE-2015-3250.patch b/debian/patches/02-CVE-2015-3250.patch
deleted file mode 100644
index 08b87af..0000000
--- a/debian/patches/02-CVE-2015-3250.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-Description: Fixes CVE-2015-3250: Timing Attack vulnerability
- This patch can be removed after upgrading to the version 1.0.0-M31 or later
-Origin: backport, https://svn.apache.org/r1688300
---- a/ldap/model/src/main/java/org/apache/directory/api/ldap/model/password/PasswordUtil.java
-+++ b/ldap/model/src/main/java/org/apache/directory/api/ldap/model/password/PasswordUtil.java
-@@ -25,7 +25,6 @@
- import java.security.MessageDigest;
- import java.security.NoSuchAlgorithmException;
- import java.security.SecureRandom;
--import java.util.Arrays;
- import java.util.Date;
- 
- import org.apache.directory.api.ldap.model.constants.LdapSecurityConstants;
-@@ -254,14 +253,51 @@
-             byte[] userPassword = PasswordUtil.encryptPassword( receivedCredentials, encryptionMethod.getAlgorithm(),
-                 encryptionMethod.getSalt() );
- 
--            // Now, compare the two passwords.
--            return Arrays.equals( userPassword, encryptedStored );
-+            return compareBytes( userPassword, encryptedStored );
-         }
-         else
-         {
--            return Arrays.equals( storedCredentials, receivedCredentials );
-+            return compareBytes( receivedCredentials, storedCredentials );
-         }
-     }
-+
-+
-+    /**
-+     * Compare two byte[] in a constant time. This is necessary because using an Array.equals() is
-+     * not Timing attack safe ([1], [2] and [3]), a breach that can be exploited to break some hashes.
-+     *
-+     *  [1] https://en.wikipedia.org/wiki/Timing_attack
-+     *  [2] http://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/
-+     *  [3] https://cryptocoding.net/index.php/Coding_rules
-+     */
-+    private static boolean compareBytes( byte[] provided, byte[] stored )
-+    {
-+        if ( stored == null )
-+        {
-+            return provided == null;
-+        }
-+        else if ( provided == null )
-+        {
-+            return false;
-+        }
-+
-+        // Now, compare the two passwords, using a constant time method
-+        if ( stored.length != provided.length )
-+        {
-+            return false;
-+        }
-+
-+        // loop on *every* byte in both passwords, and at the end, if one char at least is different, return false.
-+        int result = 0;
-+
-+        for ( int i = 0; i < stored.length; i++ )
-+        {
-+            // If both bytes are equal, xor will be == 0, otherwise it will be != 0 and so will result.
-+            result |= ( stored[i] ^ provided[i] );
-+        }
-+
-+        return result == 0;
-+    }
- 
- 
-     /**
diff --git a/debian/patches/series b/debian/patches/series
index 18a851d..da693f0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1 @@
 01-jar-packaging.patch
-02-CVE-2015-3250.patch



