Control: tags 892250 + pending

Dear maintainer,

I've prepared an NMU for ruby-rack-protection (versioned as 1.5.3-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

The update is just a reupload for sid/buster on what Moritz prepared as DSA.

Regards,
Salvatore
diff -Nru ruby-rack-protection-1.5.3/debian/changelog ruby-rack-protection-1.5.3/debian/changelog --- ruby-rack-protection-1.5.3/debian/changelog 2015-09-02 15:38:02.000000000 +0200 +++ ruby-rack-protection-1.5.3/debian/changelog 2018-07-20 05:52:12.000000000 +0200 @@ -1,3 +1,12 @@ +ruby-rack-protection (1.5.3-2.1) unstable; urgency=medium + + * Non-maintainer upload. + + [ Moritz Muehlenhoff ] + * CVE-2018-1000119 (Closes: #892250) + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 20 Jul 2018 05:52:12 +0200 + ruby-rack-protection (1.5.3-2) unstable; urgency=medium * Team upload. diff -Nru ruby-rack-protection-1.5.3/debian/patches/CVE-2018-1000119.patch ruby-rack-protection-1.5.3/debian/patches/CVE-2018-1000119.patch --- ruby-rack-protection-1.5.3/debian/patches/CVE-2018-1000119.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby-rack-protection-1.5.3/debian/patches/CVE-2018-1000119.patch 2018-07-15 20:46:41.000000000 +0200 
@@ -0,0 +1,49 @@ +From 8aa6c42ef724f93ae309fb7c5668e19ad547eceb Mon Sep 17 00:00:00 2001 +From: Andreas Karlsson <andr...@proxel.se> +Date: Mon, 25 May 2015 19:37:29 +0200 +Subject: [PATCH] Use secure_compare when checking CSRF token + +Since string comparisions may return early we want to use a constant +time comparsion function to protect the CSRF token against timing +attacks. Rack::Utils provides a such function. +--- + rack-protection/lib/rack/protection/authenticity_token.rb | 4 ++-- + rack-protection/lib/rack/protection/base.rb | 5 +++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/lib/rack/protection/authenticity_token.rb b/lib/rack/protection/authenticity_token.rb +index e4524e4a6..ad2ab9cde 100644 +--- a/lib/rack/protection/authenticity_token.rb ++++ b/rib/rack/protection/authenticity_token.rb +@@ -23,8 +23,8 @@ def accepts?(env) + session = session env + token = session[:csrf] ||= session['_csrf_token'] || random_string + safe?(env) || +- env['HTTP_X_CSRF_TOKEN'] == token || +- Request.new(env).params[options[:authenticity_param]] == token ++ secure_compare(env['HTTP_X_CSRF_TOKEN'], token) || ++ secure_compare(Request.new(env).params[options[:authenticity_param]], token) + end + end + end +diff --git a/lib/rack/protection/base.rb b/lib/rack/protection/base.rb +index fe6ab37d2..c914da23c 100644 +--- a/lib/rack/protection/base.rb ++++ b/lib/rack/protection/base.rb +@@ -1,4 +1,5 @@ + require 'rack/protection' ++require 'rack/utils' + require 'digest' + require 'logger' + require 'uri' +@@ -110,6 +111,10 @@ def encrypt(value) + options[:encryptor].hexdigest value.to_s + end + ++ def secure_compare(a, b) ++ Rack::Utils.secure_compare(a.to_s, b.to_s) ++ end ++ + alias default_reaction deny + + def html?(headers) diff -Nru ruby-rack-protection-1.5.3/debian/patches/series ruby-rack-protection-1.5.3/debian/patches/series --- ruby-rack-protection-1.5.3/debian/patches/series 2015-09-02 15:38:02.000000000 +0200 +++ 
ruby-rack-protection-1.5.3/debian/patches/series 2018-07-15 20:46:41.000000000 +0200 @@ -1 +1,2 @@ rpsec3-port.patch +CVE-2018-1000119.patch
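Review bot: the debian/changelog hunk records only `CVE-2018-1000119 (Closes: #892250)` and says nothing about what was fixed, so anyone reading the package history has to open the bug to learn that this is the CSRF token timing-attack fix; give the entry a short description, e.g. `* CVE-2018-1000119: use constant-time secure_compare when checking the CSRF token (timing attack) (Closes: #892250)`.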
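Review bot: the header of debian/patches/CVE-2018-1000119.patch carries only the upstream git `From:`/`Date:`/`Subject:` lines and no DEP-3 `Origin:` or `Bug-Debian:` field, so the patch file itself does not say where it came from or which bug it closes; add `Origin: upstream, commit 8aa6c42ef724f93ae309fb7c5668e19ad547eceb` and `Bug-Debian: https://bugs.debian.org/892250` above the `---` separator. The diffstat in that header lists `rack-protection/lib/rack/protection/...` while the `diff --git` lines use `lib/rack/protection/...`, so the commit was taken from a tree with a different directory layout; quilt only looks at the hunk headers, but a note in the DEP-3 block saying the paths were adjusted would explain the mismatch.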
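Review bot: in the authenticity_token.rb hunk the new-file header reads `+++ b/rib/rack/protection/authenticity_token.rb` (`rib` instead of `lib`) while the `---` and `diff --git` lines say `lib`; GNU patch may still apply it by picking the other name, but the line should be corrected to `+++ b/lib/rack/protection/authenticity_token.rb` so the patch does not depend on that fallback. The substitution of `==` by `secure_compare(...)` on both the `HTTP_X_CSRF_TOKEN` header and the `options[:authenticity_param]` parameter looks right: `token` is always a string because of `||= session['_csrf_token'] || random_string`, and the helper's `to_s` turns a missing header or parameter into `""`, so a request without a token still fails closed.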
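Review bot: the base.rb hunk adds `require 'rack/utils'` and makes the new `secure_compare` helper delegate to `Rack::Utils.secure_compare`, but this NMU diff touches no debian/control, so the package now relies on the ruby-rack versions in sid and buster providing that method without any declared minimum; check the existing `Depends` on ruby-rack and tighten it if an older version is still allowed. A one-line comment above the helper saying why `to_s` is applied (nil header or param must not raise and must still compare unequal) would also help the next reader.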