[DRE-maint] Bug#1009636: ruby-devise-two-factor: CVE-2021-43177 - possible reuse of OTP due to incomplete fix for CVE-2015-7225

Neil Williams codehelp at debian.org
Wed Apr 13 11:27:35 BST 2022 

On Wed, 13 Apr 2022 11:18:50 +0100 Neil Williams <codehelp at debian.org>
wrote:
> Source: ruby-devise-two-factor
> Version: 4.0.2-1
> Severity: important
> Tags: security
> X-Debbugs-Cc: codehelp at debian.org, Debian Security Team
> <team at security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for ruby-devise-two-factor.
> 
> CVE-2021-43177[0]:
> | As a result of an incomplete fix for CVE-2015-7225, in versions of
> | devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-
> | Password (OTP) for one (and only one) immediately trailing interval.
> | CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2021-43177
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43177
> 
> Please adjust the affected versions in the BTS as needed.
> 
> See also: https://security-tracker.debian.org/tracker/CVE-2015-7225
> and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798466


Please note, I've filed the bug because the pull request linked to the
CVE is currently open:
https://github.com/tinfoil/devise-two-factor/pull/108

However, there is a comment that this has been fixed in 4.0.2 but no
link to the fixing commit.

It is possible that
https://github.com/tinfoil/devise-two-factor/commit/64576bb9e7d29800c5f92bb86fb6ecff91ad6105
is the fixing commit but this is not clear.


-- 
Neil Williams
=============
https://linux.codehelp.co.uk/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-ruby-extras-maintainers/attachments/20220413/fa1a9604/attachment.sig>

More information about the Pkg-ruby-extras-maintainers mailing list