[DRE-maint] Bug#700173: ruby-rack: CVE-2013-0262 and CVE-2013-0263

Satoru KURASHIKI lurdan at gmail.com
Mon Feb 11 04:24:52 UTC 2013


hi,
(CC: pkg-ruby-extras-maintainers)

I've contacted Youhei SASAKI (maintainer of ruby-rack, successor of
librack-ruby), and he has acknowledged my preparing an NMU for this bug.

Please audit this patch; after that I will prepare an NMU for squeeze
(and after that t-p-u, unstable, ...).

On Sun, Feb 10, 2013 at 4:49 PM, Salvatore Bonaccorso <carnil at debian.org> wrote:

>> > [1] http://security-tracker.debian.org/tracker/CVE-2013-0263

>> the code which raises CVE-2013-0263 (needs time string comparison)
>> also affects the stable version:
>> https://github.com/rack/rack/blob/1.1/lib/rack/session/cookie.rb#L49

This issue was already fixed in upstream HEAD, so I backported that commit with
file adjustments for the old code base.

https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11

The prepared patch is as follows:

--- a/lib/rack/session/cookie.rb        2013-02-11 01:54:07.291302061 +0000
+++ b/lib/rack/session/cookie.rb        2013-02-11 01:55:10.135303555 +0000
@@ -46,7 +46,7 @@

         if @secret && session_data
           session_data, digest = session_data.split("--")
-          session_data = nil  unless digest == generate_hmac(session_data)
+          session_data = nil  unless
Rack::Utils.secure_compare(digest, generate_hmac(session_data))
         end

         begin
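Review bot: the added line in this hunk has been wrapped by the mailer after `unless`, leaving `Rack::Utils.secure_compare(digest, generate_hmac(session_data))` on a line with no `+` prefix, so the hunk no longer has the 7 new-side lines its `@@ -46,7 +46,7 @@` header declares and will not apply as pasted; please resend the patch as an attachment. Also, when the cookie value contains no "--" separator, `split` leaves `digest` nil: the old `digest == generate_hmac(session_data)` simply returned false, whereas `secure_compare(nil, ...)` will raise from `bytesize(nil)`, so guard it, e.g. `session_data = nil unless digest && Rack::Utils.secure_compare(digest, generate_hmac(session_data))`.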
--- a/lib/rack/utils.rb 2013-02-11 01:55:45.791304402 +0000
+++ b/lib/rack/utils.rb 2013-02-11 01:56:43.395305772 +0000
@@ -234,6 +234,18 @@
     end
     module_function :bytesize

+    # Constant time string comparison.
+    def secure_compare(a, b)
+      return false unless bytesize(a) == bytesize(b)
+
+      l = a.unpack("C*")
+
+      r, i = 0, -1
+      b.each_byte { |v| r |= v ^ l[i+=1] }
+      r == 0
+    end
+    module_function :secure_compare
+
     # Context allows the use of a compatible middleware at different points
     # in a request handling stack. A compatible middleware must define
     # #context which should take the arguments env and app. The first of which
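Review bot: the comment `# Constant time string comparison.` should note that the `bytesize(a) == bytesize(b)` check returns early, so only the comparison of equal-length strings runs in constant time; that is acceptable here because `generate_hmac` produces a fixed-length digest, but a caller comparing variable-length secrets should know the length is not hidden. The loop itself is correct: it folds the XOR of every byte pair into `r` with no early exit, so the result does not depend on where the first mismatch occurs.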
--- a/test/spec_rack_utils.rb   2013-02-11 01:57:17.383306580 +0000
+++ b/test/spec_rack_utils.rb   2013-02-11 01:58:12.775307896 +0000
@@ -205,6 +205,11 @@
     Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
   end

+  specify "should perform constant time string comparison" do
+    Rack::Utils.secure_compare('a', 'a').should.equal true
+    Rack::Utils.secure_compare('a', 'b').should.equal false
+  end
+
   specify "should return status code for integer" do
     Rack::Utils.status_code(200).should.equal 200
   end
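Review bot: the two assertions only cover single-byte inputs; add a differing-length case (`Rack::Utils.secure_compare('a', 'ab').should.equal false`) to exercise the `bytesize` early return, and an equal-length case that differs only in the last byte (`Rack::Utils.secure_compare('abcd', 'abce').should.equal false`) so a regression that stops iterating before the final byte would be caught.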

regards,
-- 
KURASHIKI Satoru
