[DRE-maint] Bug#700173: ruby-rack: CVE-2013-0262 and CVE-2013-0263
Satoru KURASHIKI
lurdan at gmail.com
Mon Feb 11 04:24:52 UTC 2013
hi,
(CC: pkg-ruby-extras-maintainers)
I've contacted Youhei SASAKI (maintainer of ruby-rack, successor of
librack-ruby),
and got his acknowledgement for preparing an NMU for this bug.
Please audit this patch; after that I will prepare an NMU for squeeze
(and after that t-p-u, unstable, ...).
On Sun, Feb 10, 2013 at 4:49 PM, Salvatore Bonaccorso <carnil at debian.org> wrote:
>> > [1] http://security-tracker.debian.org/tracker/CVE-2013-0263
>> the code which raises CVE-2013-0263 (needs time string comparison)
>> also affects stable version:
>> https://github.com/rack/rack/blob/1.1/lib/rack/session/cookie.rb#L49
This issue was already fixed in upstream HEAD, so I backported that commit with
file adjustments for the old code base.
https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
I prepared the patch as follows:
--- a/lib/rack/session/cookie.rb 2013-02-11 01:54:07.291302061 +0000
+++ b/lib/rack/session/cookie.rb 2013-02-11 01:55:10.135303555 +0000
@@ -46,7 +46,7 @@
if @secret && session_data
session_data, digest = session_data.split("--")
- session_data = nil unless digest == generate_hmac(session_data)
+ session_data = nil unless
Rack::Utils.secure_compare(digest, generate_hmac(session_data))
end
begin
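Review bot: the new comparison raises on a cookie that carries no "--" separator. `session_data.split("--")` then yields `digest == nil`, and `Rack::Utils.secure_compare(nil, ...)` calls `bytesize(nil)`, which fails with NoMethodError, whereas the old `digest == generate_hmac(session_data)` simply returned false and dropped the session. Guard the nil case, e.g. `session_data = nil unless digest && Rack::Utils.secure_compare(digest, generate_hmac(session_data))`. Also, as pasted, the continuation line `Rack::Utils.secure_compare(digest, generate_hmac(session_data))` lacks its leading `+` marker (probably mail wrapping), so the patch will not apply until that is restored.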
--- a/lib/rack/utils.rb 2013-02-11 01:55:45.791304402 +0000
+++ b/lib/rack/utils.rb 2013-02-11 01:56:43.395305772 +0000
@@ -234,6 +234,18 @@
end
module_function :bytesize
+ # Constant time string comparison.
+ def secure_compare(a, b)
+ return false unless bytesize(a) == bytesize(b)
+
+ l = a.unpack("C*")
+
+ r, i = 0, -1
+ b.each_byte { |v| r |= v ^ l[i+=1] }
+ r == 0
+ end
+ module_function :secure_compare
+
# Context allows the use of a compatible middleware at different points
# in a request handling stack. A compatible middleware must define
# #context which should take the arguments env and app. The first of which
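Review bot: the comment "Constant time string comparison" over-promises: `return false unless bytesize(a) == bytesize(b)` exits early on a length mismatch, so the time taken still depends on the lengths of the inputs. That is fine for the cookie caller, which compares two fixed-length hex HMAC digests, but the comment should state that the comparison is constant-time only in the content of equal-length inputs, and that both arguments must be Strings, since a nil argument raises from `bytesize`. Minor style point: `r, i = 0, -1` combined with `l[i+=1]` inside the `each_byte` block is hard to read; an index loop over `b.each_byte.with_index` would be clearer, though keeping the upstream shape eases future backports.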
--- a/test/spec_rack_utils.rb 2013-02-11 01:57:17.383306580 +0000
+++ b/test/spec_rack_utils.rb 2013-02-11 01:58:12.775307896 +0000
@@ -205,6 +205,11 @@
Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
end
+ specify "should perform constant time string comparison" do
+ Rack::Utils.secure_compare('a', 'a').should.equal true
+ Rack::Utils.secure_compare('a', 'b').should.equal false
+ end
+
specify "should return status code for integer" do
Rack::Utils.status_code(200).should.equal 200
end
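Review bot: the spec only exercises one-byte inputs, so it would pass for almost any comparison. Add cases for equal-length strings that differ in a later byte (`'abc'` vs `'abd'`), for different lengths (`'a'` vs `'ab'`, which must return false rather than raise an IndexError on `l[i+=1]`), and for the nil argument the cookie code can pass. The description "should perform constant time string comparison" also cannot be verified by an equality assertion; name it after what it checks, e.g. "secure_compare should report equality of strings".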
regards,
--
KURASHIKI Satoru
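The example below is an added illustration and is not Rack's code nor part of the patch above. It models the `Rack::Session::Cookie` verification path the patch touches (cookie of the form `payload--hexdigest`, SHA1 HMAC over the payload) with the hardened comparison from the utils.rb hunk, plus the nil guard raised in review. The module name `CookieCheck`, the helpers `sign`, `verify` and `early_exit_compare`, and the secret and payloads are all invented for the example; `early_exit_compare` counts bytes examined so the data-dependent work of a short-circuiting `==` is visible without timing measurements.

```ruby
require 'openssl'

# Added example (not Rack's code): minimal model of the cookie verification
# path patched for CVE-2013-0263. Names and inputs are constructed.
module CookieCheck
  module_function

  # Same construction as Rack 1.1's generate_hmac: hex SHA1-HMAC over the
  # serialized payload (40 hex characters, i.e. a fixed-length digest).
  def generate_hmac(secret, data)
    OpenSSL::HMAC.hexdigest('SHA1', secret, data.to_s)
  end

  # Constant-time comparison in the content of two equal-length Strings.
  # Returns false (never raises) for nil or a length mismatch; the early
  # return leaks only the length, which is public for a fixed-size digest.
  def secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String)
    return false unless a.bytesize == b.bytesize

    l = a.unpack('C*')
    r = 0
    b.each_byte.with_index { |v, i| r |= v ^ l[i] }
    r == 0
  end

  # Instrumented model of the unpatched `digest == generate_hmac(...)`: stop
  # at the first mismatching byte. Returns [equal?, bytes_examined] so the
  # attacker-controlled variation in work is visible. (Assumption: String#==
  # short-circuits; that is the behaviour the CVE describes.)
  def early_exit_compare(a, b)
    return [false, 0] unless a.bytesize == b.bytesize

    a.each_byte.with_index do |byte, i|
      return [false, i + 1] if byte != b.getbyte(i)
    end
    [true, a.bytesize]
  end

  # Build "payload--digest" as the session middleware would.
  def sign(secret, payload)
    "#{payload}--#{generate_hmac(secret, payload)}"
  end

  # Return the payload if its digest verifies, nil otherwise. Malformed
  # input (nil, empty, no "--" separator) yields nil instead of raising.
  def verify(secret, cookie)
    return nil if cookie.nil?

    payload, digest = cookie.split('--', 2)
    return nil if payload.nil? || digest.nil?

    secure_compare(digest, generate_hmac(secret, payload)) ? payload : nil
  end
end

if $PROGRAM_NAME == __FILE__
  secret = 'constructed-secret'
  cookie = CookieCheck.sign(secret, 'user=alice')
  digest = cookie.split('--', 2)[1]
  wrong_first = (digest[0] == 'a' ? 'b' : 'a') + digest[1..]
  puts "valid cookie     -> #{CookieCheck.verify(secret, cookie).inspect}"
  puts "no separator     -> #{CookieCheck.verify(secret, 'user=alice').inspect}"
  puts "bytes examined, wrong first byte: #{CookieCheck.early_exit_compare(digest, wrong_first)[1]}"
  puts "bytes examined, all correct:      #{CookieCheck.early_exit_compare(digest, digest)[1]}"
end
```

Run it with `ruby cookie_check.rb`. The two `early_exit_compare` lines show the leak the patch closes: a guess that is wrong in the first byte is rejected after one byte, while a guess that is correct up to the last byte costs all forty, which is what lets an attacker recover a valid digest one byte at a time over the network. `secure_compare` does the same amount of work regardless of where the mismatch sits.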
More information about the Pkg-ruby-extras-maintainers
mailing list