[apache-directory-api] 04/04: Remove 02-CVE-2015-3250.patch (fixed in M31)
Christopher Stuart Hoskin
mans0954 at moszumanska.debian.org
Wed Jan 3 23:54:08 UTC 2018
This is an automated email from the git hooks/post-receive script.
mans0954 pushed a commit to branch master
in repository apache-directory-api.
commit 7fab3ce9b1d99b82ad7c4ef8f7970fd3e108f251
Author: Christopher Hoskin <mans0954 at debian.org>
Date: Wed Jan 3 23:49:30 2018 +0000
Remove 02-CVE-2015-3250.patch (fixed in M31)
---
debian/changelog | 1 +
debian/patches/02-CVE-2015-3250.patch | 68 -----------------------------------
debian/patches/series | 1 -
3 files changed, 1 insertion(+), 69 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 4022169..d5c79e8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ apache-directory-api (1.0.0-1) UNRELEASED; urgency=medium
* Watch official signed upstream release tarballs
* New upstream release (1.0.0)
* Use https in debian/watch
+ * Remove 02-CVE-2015-3250.patch (fixed in M31)
-- Christopher Hoskin <mans0954 at debian.org> Wed, 03 Jan 2018 23:33:47 +0000
diff --git a/debian/patches/02-CVE-2015-3250.patch b/debian/patches/02-CVE-2015-3250.patch
deleted file mode 100644
index 08b87af..0000000
--- a/debian/patches/02-CVE-2015-3250.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-Description: Fixes CVE-2015-3250: Timing Attack vulnerability
- This patch can be removed after upgrading to the version 1.0.0-M31 or later
-Origin: backport, https://svn.apache.org/r1688300
---- a/ldap/model/src/main/java/org/apache/directory/api/ldap/model/password/PasswordUtil.java
-+++ b/ldap/model/src/main/java/org/apache/directory/api/ldap/model/password/PasswordUtil.java
-@@ -25,7 +25,6 @@
- import java.security.MessageDigest;
- import java.security.NoSuchAlgorithmException;
- import java.security.SecureRandom;
--import java.util.Arrays;
- import java.util.Date;
-
- import org.apache.directory.api.ldap.model.constants.LdapSecurityConstants;
-@@ -254,14 +253,51 @@
- byte[] userPassword = PasswordUtil.encryptPassword( receivedCredentials, encryptionMethod.getAlgorithm(),
- encryptionMethod.getSalt() );
-
-- // Now, compare the two passwords.
-- return Arrays.equals( userPassword, encryptedStored );
-+ return compareBytes( userPassword, encryptedStored );
- }
- else
- {
-- return Arrays.equals( storedCredentials, receivedCredentials );
-+ return compareBytes( receivedCredentials, storedCredentials );
- }
- }
-+
-+
-+ /**
-+ * Compare two byte[] in a constant time. This is necessary because using an Array.equals() is
-+ * not Timing attack safe ([1], [2] and [3]), a breach that can be exploited to break some hashes.
-+ *
-+ * [1] https://en.wikipedia.org/wiki/Timing_attack
-+ * [2] http://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/
-+ * [3] https://cryptocoding.net/index.php/Coding_rules
-+ */
-+ private static boolean compareBytes( byte[] provided, byte[] stored )
-+ {
-+ if ( stored == null )
-+ {
-+ return provided == null;
-+ }
-+ else if ( provided == null )
-+ {
-+ return false;
-+ }
-+
-+ // Now, compare the two passwords, using a constant time method
-+ if ( stored.length != provided.length )
-+ {
-+ return false;
-+ }
-+
-+ // loop on *every* byte in both passwords, and at the end, if one char at least is different, return false.
-+ int result = 0;
-+
-+ for ( int i = 0; i < stored.length; i++ )
-+ {
-+ // If both bytes are equal, xor will be == 0, otherwise it will be != 0 and so will result.
-+ result |= ( stored[i] ^ provided[i] );
-+ }
-+
-+ return result == 0;
-+ }
-
-
- /**
diff --git a/debian/patches/series b/debian/patches/series
index 18a851d..da693f0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1 @@
01-jar-packaging.patch
-02-CVE-2015-3250.patch