[jira] [Commented] (PDFBOX-5798) Observable Timing Discrepancy (Timing Attack)

ASF subversion and git services (Jira) Wed, 03 Apr 2024 07:27:34 -0700


    [ 
https://issues.apache.org/jira/browse/PDFBOX-5798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17833598#comment-17833598
 ]


ASF subversion and git services commented on PDFBOX-5798:
---------------------------------------------------------

Commit 1916787 from Tilman Hausherr in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1916787 ]

PDFBOX-5798: use MessageDigest.isEqual() to prevent timing attacks

> Observable Timing Discrepancy (Timing Attack)
> ---------------------------------------------
>
>                 Key: PDFBOX-5798
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-5798
>             Project: PDFBox
>          Issue Type: Bug
>            Reporter: Simon Steiner
>            Priority: Major
>
> A static analyse tool is reporting:
> An attacker can guess the secret value of digest because it is compared using 
> java.util.Arrays.equals, which is vulnerable to timing attacks. Use 
> java.security.MessageDigest.isEqual to compare values securely.
> ‎pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: dev-h...@pdfbox.apache.org

[jira] [Commented] (PDFBOX-5798) Observable Timing Discrepancy (Timing Attack)

Reply via email to