[apache-directory-api] 01/01: Fixed CVE-2015-3050: Timing Attack vulnerability (Closes: #791957)

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Thu Jul 9 21:13:01 UTC 2015



ebourg-guest pushed a commit to branch master
in repository apache-directory-api.

commit 6e422071dc1e74e476b4788423d36fbc974cb903
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Thu Jul 9 23:08:16 2015 +0200

    Fixed CVE-2015-3050: Timing Attack vulnerability (Closes: #791957)
---
 debian/changelog                      |  6 ++++
 debian/patches/02-CVE-2015-3250.patch | 68 +++++++++++++++++++++++++++++++++++
 debian/patches/series                 |  1 +
 3 files changed, 75 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index a7cb405..a3077b3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+apache-directory-api (1.0.0~M20-3) unstable; urgency=medium
+
+  * Fixed CVE-2015-3050: Timing Attack vulnerability (Closes: #791957)
+
+ -- Emmanuel Bourg <ebourg at apache.org>  Thu, 09 Jul 2015 23:07:02 +0200
+
 apache-directory-api (1.0.0~M20-2) unstable; urgency=medium
 
   * Ignore the parent pom for the api-all artifact
diff --git a/debian/patches/02-CVE-2015-3250.patch b/debian/patches/02-CVE-2015-3250.patch
new file mode 100644
index 0000000..5f77e30
--- /dev/null
+++ b/debian/patches/02-CVE-2015-3250.patch
@@ -0,0 +1,68 @@
+Description: Fixes CVE-2015-3050: Timing Attack vulnerability
+ This patch can be removed after upgrading to the version 1.0.0-M31 or later
+Origin: backport, https://svn.apache.org/r1688300
+--- a/ldap/model/src/main/java/org/apache/directory/api/ldap/model/password/PasswordUtil.java
++++ b/ldap/model/src/main/java/org/apache/directory/api/ldap/model/password/PasswordUtil.java
+@@ -25,7 +25,6 @@
+ import java.security.MessageDigest;
+ import java.security.NoSuchAlgorithmException;
+ import java.security.SecureRandom;
+-import java.util.Arrays;
+ import java.util.Date;
+ 
+ import org.apache.directory.api.ldap.model.constants.LdapSecurityConstants;
+@@ -254,14 +253,51 @@
+             byte[] userPassword = PasswordUtil.encryptPassword( receivedCredentials, encryptionMethod.getAlgorithm(),
+                 encryptionMethod.getSalt() );
+ 
+-            // Now, compare the two passwords.
+-            return Arrays.equals( userPassword, encryptedStored );
++            return compareBytes( userPassword, encryptedStored );
+         }
+         else
+         {
+-            return Arrays.equals( storedCredentials, receivedCredentials );
++            return compareBytes( receivedCredentials, storedCredentials );
+         }
+     }
++
++
++    /**
++     * Compare two byte[] in a constant time. This is necessary because using an Array.equals() is
++     * not Timing attack safe ([1], [2] and [3]), a breach that can be exploited to break some hashes.
++     *
++     *  [1] https://en.wikipedia.org/wiki/Timing_attack
++     *  [2] http://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/
++     *  [3] https://cryptocoding.net/index.php/Coding_rules
++     */
++    private static boolean compareBytes( byte[] provided, byte[] stored )
++    {
++        if ( stored == null )
++        {
++            return provided == null;
++        }
++        else if ( provided == null )
++        {
++            return false;
++        }
++
++        // Now, compare the two passwords, using a constant time method
++        if ( stored.length != provided.length )
++        {
++            return false;
++        }
++
++        // loop on *every* byte in both passwords, and at the end, if one char at least is different, return false.
++        int result = 0;
++
++        for ( int i = 0; i < stored.length; i++ )
++        {
++            // If both bytes are equal, xor will be == 0, otherwise it will be != 0 and so will result.
++            result |= ( stored[i] ^ provided[i] );
++        }
++
++        return result == 0;
++    }
+ 
+ 
+     /**
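Review bot: The guard `if ( stored.length != provided.length ) return false;` in compareBytes returns before the loop, so the comparison is constant-time only among inputs of equal length; through the plaintext branch `compareBytes( receivedCredentials, storedCredentials )` the response time then reveals the length of the stored credential, while in the hashed branch the digest length is presumably fixed by the algorithm so the leak matters less there. Folding the length difference into `result` and bounding the loop by the caller-supplied length (reading a fixed filler byte past the end of `stored`) removes the dependency; the rewritten part of the method is below, with the null handling and Javadoc left as they are. The method whose body opens the second hunk (`byte[] userPassword = ...`) starts outside the hunk. Separately, the Description line, the changelog entry and the commit title say CVE-2015-3050 while the patch file name and the series entry say CVE-2015-3250; the identifiers should be reconciled so the advisory can be found from either place.
```java
    private static boolean compareBytes( byte[] provided, byte[] stored )
    {
        // … unchanged: null handling for stored / provided …

        // Fold the length difference into the result instead of returning early, so that the
        // time taken does not reveal whether the two lengths match.
        int result = stored.length ^ provided.length;

        for ( int i = 0; i < provided.length; i++ )
        {
            // Past the end of 'stored', compare against a fixed filler byte: the loop count then
            // depends only on the length of the caller-supplied value, never on the stored one.
            byte expected = ( i < stored.length ) ? stored[i] : 0;
            result |= ( expected ^ provided[i] );
        }

        return result == 0;
    }
```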
diff --git a/debian/patches/series b/debian/patches/series
index da693f0..18a851d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 01-jar-packaging.patch
+02-CVE-2015-3250.patch
