Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

A regression was discovered in the latest security patch update for
RT, in which incorrectly UTF-8 encoded passwords can cause an
application error. This is not in itself considered a security
problem.

The attached debdiff applies a patch which has been included in the
official upstream releases including the security fixes.

Thanks for considering!

Dominic.
diff -Nru request-tracker4-4.4.1/debian/changelog request-tracker4-4.4.1/debian/changelog
--- request-tracker4-4.4.1/debian/changelog	2017-07-06 15:10:40.000000000 +0100
+++ request-tracker4-4.4.1/debian/changelog	2017-08-25 23:53:15.000000000 +0100
@@ -1,3 +1,10 @@
+request-tracker4 (4.4.1-3+deb9u3) UNRELEASED; urgency=medium
+
+  * Fix regression in previous security release where incorrect
+    SHA256 passwords could trigger an error
+
+ -- Dominic Hargreaves <d...@earth.li>  Fri, 25 Aug 2017 23:50:45 +0100
+
 request-tracker4 (4.4.1-3+deb9u2) stretch; urgency=medium
 
   * Handle configuration permissions correctly following
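Review bot: the distribution field in the new changelog entry is UNRELEASED; for a stretch proposed-update it should read `stretch`, matching the 4.4.1-3+deb9u2 entry below it, before the package is built for upload. The entry could also reference the upstream commit being cherry-picked (6700f66c21e5baa6b59ef7ac5aed226d9bf96bfb, from the patch header) so the regression fix is traceable from the changelog alone.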
diff -Nru request-tracker4-4.4.1/debian/.git-dpm request-tracker4-4.4.1/debian/.git-dpm
--- request-tracker4-4.4.1/debian/.git-dpm	2017-07-06 11:12:02.000000000 +0100
+++ request-tracker4-4.4.1/debian/.git-dpm	2017-08-25 23:50:44.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-e272152dd37ff075d41052fbe599fb23040bb426
-e272152dd37ff075d41052fbe599fb23040bb426
+6700f66c21e5baa6b59ef7ac5aed226d9bf96bfb
+6700f66c21e5baa6b59ef7ac5aed226d9bf96bfb
 63ca1094b0eb53bf86eef426b17dc0080a1a1f8e
 63ca1094b0eb53bf86eef426b17dc0080a1a1f8e
 request-tracker4_4.4.1.orig.tar.gz
diff -Nru request-tracker4-4.4.1/debian/patches/is_password_binary.patch request-tracker4-4.4.1/debian/patches/is_password_binary.patch
--- request-tracker4-4.4.1/debian/patches/is_password_binary.patch	1970-01-01 01:00:00.000000000 +0100
+++ request-tracker4-4.4.1/debian/patches/is_password_binary.patch	2017-08-25 23:50:44.000000000 +0100
@@ -0,0 +1,78 @@
+From 6700f66c21e5baa6b59ef7ac5aed226d9bf96bfb Mon Sep 17 00:00:00 2001
+From: Shawn M Moore <sh...@bestpractical.com>
+Date: Mon, 10 Jul 2017 11:48:28 -0400
+Subject: Add a "binary" option to opt out of UTF8 encoding
+
+The SHA256 branch of IsPassword generates binary values to compare,
+which may lead to comparing two strings with a different number of
+Unicode characters, even when both strings have 26 octets (since UTF8 is
+a variable-length encoding). This triggers an error in constant_time_eq
+which demands both strings are the same length.
+
+When comparing binary values pass this flag to avoid treating the
+inputs as UTF8.
+
+Patch-Name: is_password_binary.patch
+---
+ lib/RT/User.pm |  2 +-
+ lib/RT/Util.pm | 20 ++++++++++++++++----
+ 2 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/lib/RT/User.pm b/lib/RT/User.pm
+index 0e86d44..3ced5ce 100644
+--- a/lib/RT/User.pm
++++ b/lib/RT/User.pm
+@@ -1110,7 +1110,7 @@ sub IsPassword {
+         my $salt = substr($hash, 0, 4, "");
+         return 0 unless RT::Util::constant_time_eq(
+             substr(Digest::SHA::sha256($salt . Digest::MD5::md5(Encode::encode( "UTF-8", $value))), 0, 26),
+-            $hash
++            $hash, 1
+         );
+     } elsif (length $stored == 32) {
+         # Hex nonsalted-md5
+diff --git a/lib/RT/Util.pm b/lib/RT/Util.pm
+index 47b1dd2..1a040b9 100644
+--- a/lib/RT/Util.pm
++++ b/lib/RT/Util.pm
+@@ -166,6 +166,9 @@ The two string arguments B<MUST> be of equal length. If the lengths differ,
+ this function will call C<die()>, as proceeding with execution would create
+ a timing vulnerability. Length is defined by characters, not bytes.
+ 
++Strings that should be treated as binary octets rather than Unicode text
++should pass a true value for the binary flag.
++
+ This code has been tested to do what it claims. Do not change it without
+ thorough statistical timing analysis to validate the changes.
+ 
+@@ -177,7 +180,7 @@ B<https://en.wikipedia.org/wiki/Timing_attack>
+ =cut
+ 
+ sub constant_time_eq {
+-    my ($a, $b) = @_;
++    my ($a, $b, $binary) = @_;
+ 
+     my $result = 0;
+ 
+@@ -191,9 +194,18 @@ sub constant_time_eq {
+         my $a_char = substr($a, $i, 1);
+         my $b_char = substr($b, $i, 1);
+ 
+-        # encode() is set to die on malformed
+-        my @a_octets = unpack("C*", encode('UTF-8', $a_char, Encode::FB_CROAK));
+-        my @b_octets = unpack("C*", encode('UTF-8', $b_char, Encode::FB_CROAK));
++        my (@a_octets, @b_octets);
++
++        if ($binary) {
++            @a_octets = ord($a_char);
++            @b_octets = ord($b_char);
++        }
++        else {
++            # encode() is set to die on malformed
++            @a_octets = unpack("C*", encode('UTF-8', $a_char, Encode::FB_CROAK));
++            @b_octets = unpack("C*", encode('UTF-8', $b_char, Encode::FB_CROAK));
++        }
++
+         die $generic_error if (scalar @a_octets) != (scalar @b_octets);
+ 
+         for (my $j = 0; $j < scalar @a_octets; $j++) {
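Review bot: in the new `$binary` branch of constant_time_eq, `@a_octets = ord($a_char)` treats every character as one octet without checking that it is one; a string holding an upgraded wide character (ord above 255) would be compared silently, whereas the UTF-8 branch rejects malformed input via Encode::FB_CROAK. Consider a defensive check in that branch, e.g. `die $generic_error if ord($a_char) > 255 or ord($b_char) > 255;`, so both modes fail closed on unexpected input. Two smaller points: the added POD describes "the binary flag" but does not state that it is the optional third positional argument, and the bare `1` added to the User.pm call would read better with a short trailing comment (e.g. `$hash, 1  # compare as binary octets`).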
diff -Nru request-tracker4-4.4.1/debian/patches/series request-tracker4-4.4.1/debian/patches/series
--- request-tracker4-4.4.1/debian/patches/series	2017-07-06 11:12:02.000000000 +0100
+++ request-tracker4-4.4.1/debian/patches/series	2017-08-25 23:50:44.000000000 +0100
@@ -23,3 +23,4 @@
 local_site_config_includes.diff
 patchset-2017-06-01.patch
 patchset-2017-06-01-test-failures.patch
+is_password_binary.patch
