Bug#873309: stretch-pu: package request-tracker4/4.4.1-3+deb9u3

2017-09-08 Thread Adam D. Barratt
Control: tags -1 + pending

On Tue, 2017-08-29 at 22:32 +0100, Dominic Hargreaves wrote:
> On Sun, Aug 27, 2017 at 02:41:22PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Sat, 2017-08-26 at 12:40 +0100, Dominic Hargreaves wrote:
> > > A regression was discovered in the latest security patch update for
> > > RT which can cause incorrect UTF-8 encoded passwords to cause an
> > > application error. This is not in itself considered a security
> > > problem.
> > > 
> > > The attached debdiff applies a patch which has been included in the
> > > official upstream releases including the security fixes.
> > 
> > With the changelog finalised with a distribution of "stretch", please go
> > ahead.
> 
> Thanks, now uploaded. I took a chance and hoped that source-only
> uploads were accepted for stretch-proposed-updates - we'll see...

They are. :-)

Flagged for acceptance.

Regards,

Adam



Bug#873309: stretch-pu: package request-tracker4/4.4.1-3+deb9u3

2017-08-29 Thread Dominic Hargreaves
On Sun, Aug 27, 2017 at 02:41:22PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2017-08-26 at 12:40 +0100, Dominic Hargreaves wrote:
> > A regression was discovered in the latest security patch update for
> > RT which can cause incorrect UTF-8 encoded passwords to cause an
> > application error. This is not in itself considered a security
> > problem.
> > 
> > The attached debdiff applies a patch which has been included in the
> > official upstream releases including the security fixes.
> 
> With the changelog finalised with a distribution of "stretch", please go
> ahead.

Thanks, now uploaded. I took a chance and hoped that source-only
uploads were accepted for stretch-proposed-updates - we'll see...



Bug#873309: stretch-pu: package request-tracker4/4.4.1-3+deb9u3

2017-08-27 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2017-08-26 at 12:40 +0100, Dominic Hargreaves wrote:
> A regression was discovered in the latest security patch update for
> RT which can cause incorrect UTF-8 encoded passwords to cause an
> application error. This is not in itself considered a security
> problem.
> 
> The attached debdiff applies a patch which has been included in the
> official upstream releases including the security fixes.

With the changelog finalised with a distribution of "stretch", please go
ahead.

Regards,

Adam



Bug#873309: stretch-pu: package request-tracker4/4.4.1-3+deb9u3

2017-08-26 Thread Dominic Hargreaves
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

A regression was discovered in the latest security patch update for
RT which can cause incorrect UTF-8 encoded passwords to cause an
application error. This is not in itself considered a security
problem.

The attached debdiff applies a patch which has been included in the
official upstream releases including the security fixes.

Thanks for considering!

Dominic.
diff -Nru request-tracker4-4.4.1/debian/changelog request-tracker4-4.4.1/debian/changelog
--- request-tracker4-4.4.1/debian/changelog	2017-07-06 15:10:40.0 +0100
+++ request-tracker4-4.4.1/debian/changelog	2017-08-25 23:53:15.0 +0100
@@ -1,3 +1,10 @@
+request-tracker4 (4.4.1-3+deb9u3) UNRELEASED; urgency=medium
+
+  * Fix regression in previous security release where incorrect
+SHA256 passwords could trigger an error
+
+ -- Dominic Hargreaves   Fri, 25 Aug 2017 23:50:45 +0100
+
 request-tracker4 (4.4.1-3+deb9u2) stretch; urgency=medium
 
   * Handle configuration permissions correctly following
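Review bot: the distribution field of the new changelog entry reads `UNRELEASED` (`request-tracker4 (4.4.1-3+deb9u3) UNRELEASED; urgency=medium`); it has to be `stretch` for a stretch-proposed-updates upload, which is also what the release team's reply in this thread asks for. The entry's wording "incorrect SHA256 passwords could trigger an error" is narrower than the report's "incorrect UTF-8 encoded passwords"; spelling out that the trigger is a non-matching password checked against a stored salted-SHA256 hash, and naming the upstream commit carried by the patch (the `From 6700f66c...` line) and this bug number, would make the entry easier to trace later.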
diff -Nru request-tracker4-4.4.1/debian/.git-dpm request-tracker4-4.4.1/debian/.git-dpm
--- request-tracker4-4.4.1/debian/.git-dpm	2017-07-06 11:12:02.0 +0100
+++ request-tracker4-4.4.1/debian/.git-dpm	2017-08-25 23:50:44.0 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-e272152dd37ff075d41052fbe599fb23040bb426
-e272152dd37ff075d41052fbe599fb23040bb426
+6700f66c21e5baa6b59ef7ac5aed226d9bf96bfb
+6700f66c21e5baa6b59ef7ac5aed226d9bf96bfb
 63ca1094b0eb53bf86eef426b17dc0080a1a1f8e
 63ca1094b0eb53bf86eef426b17dc0080a1a1f8e
 request-tracker4_4.4.1.orig.tar.gz
diff -Nru request-tracker4-4.4.1/debian/patches/is_password_binary.patch request-tracker4-4.4.1/debian/patches/is_password_binary.patch
--- request-tracker4-4.4.1/debian/patches/is_password_binary.patch	1970-01-01 01:00:00.0 +0100
+++ request-tracker4-4.4.1/debian/patches/is_password_binary.patch	2017-08-25 23:50:44.0 +0100
@@ -0,0 +1,78 @@
+From 6700f66c21e5baa6b59ef7ac5aed226d9bf96bfb Mon Sep 17 00:00:00 2001
+From: Shawn M Moore 
+Date: Mon, 10 Jul 2017 11:48:28 -0400
+Subject: Add a "binary" option to opt out of UTF8 encoding
+
+The SHA256 branch of IsPassword generates binary values to compare,
+which may lead to comparing two strings with a different number of
+Unicode characters, even when both strings have 26 octets (since UTF8 is
+a variable-length encoding). This triggers an error in constant_time_eq
+which demands both strings are the same length.
+
+When comparing binary values pass this flag to avoid treating the
+inputs as UTF8.
+
+Patch-Name: is_password_binary.patch
+---
+ lib/RT/User.pm |  2 +-
+ lib/RT/Util.pm | 20 
+ 2 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/lib/RT/User.pm b/lib/RT/User.pm
+index 0e86d44..3ced5ce 100644
+--- a/lib/RT/User.pm
 b/lib/RT/User.pm
+@@ -1110,7 +1110,7 @@ sub IsPassword {
+ my $salt = substr($hash, 0, 4, "");
+ return 0 unless RT::Util::constant_time_eq(
+ substr(Digest::SHA::sha256($salt . Digest::MD5::md5(Encode::encode( "UTF-8", $value))), 0, 26),
+-$hash
++$hash, 1
+ );
+ } elsif (length $stored == 32) {
+ # Hex nonsalted-md5
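Review bot: the bare `1` in the changed line `+$hash, 1` is the only place the flag's meaning shows at the call site; a short trailing comment (both operands are raw digest octets, not text) would help the next reader. Adding the flag only to the SHA256 branch is correct: the hex nonsalted-md5 branch that follows (`} elsif (length $stored == 32) {`) compares ASCII hex, for which the UTF-8 path already yields one octet per character. Separately, the file header line appears here as ` b/lib/RT/User.pm` without the leading `+++`; please confirm the patch file in the actual upload is intact, otherwise quilt will refuse to apply it.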
+diff --git a/lib/RT/Util.pm b/lib/RT/Util.pm
+index 47b1dd2..1a040b9 100644
+--- a/lib/RT/Util.pm
 b/lib/RT/Util.pm
+@@ -166,6 +166,9 @@ The two string arguments B be of equal length. If the lengths differ,
+ this function will call C, as proceeding with execution would create
+ a timing vulnerability. Length is defined by characters, not bytes.
+ 
++Strings that should be treated as binary octets rather than Unicode text
++should pass a true value for the binary flag.
++
+ This code has been tested to do what it claims. Do not change it without
+ thorough statistical timing analysis to validate the changes.
+ 
+@@ -177,7 +180,7 @@ B
+ =cut
+ 
+ sub constant_time_eq {
+-my ($a, $b) = @_;
++my ($a, $b, $binary) = @_;
+ 
+ my $result = 0;
+ 
+@@ -191,9 +194,18 @@ sub constant_time_eq {
+ my $a_char = substr($a, $i, 1);
+ my $b_char = substr($b, $i, 1);
+ 
+-# encode() is set to die on malformed
+-my @a_octets = unpack("C*", encode('UTF-8', $a_char, Encode::FB_CROAK));
+-my @b_octets = unpack("C*", encode('UTF-8', $b_char, Encode::FB_CROAK));
++my (@a_octets, @b_octets);
++
++if ($binary) {
++@a_octets = ord($a_char);
++@b_octets = ord($b_char);
++}
++else {
++# encode() is set to die on malformed
++@a_octets = unpack("C*", encode('UTF-8', $a_char, Encode::FB_CROAK));
++@b_octets = unpack("C*", encode('UTF-8', $b_char, Encode::FB_CROAK));
++}
++
+ die $generic_error if (scalar @a_octets) !=
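Review bot: in the new `if ($binary)` branch, `ord($a_char)` only yields an octet when the operand is a byte string; for a character string with the UTF-8 flag set it returns the code point, which can exceed 255, so the added POD sentence ("Strings that should be treated as binary octets rather than Unicode text should pass a true value for the binary flag") should state explicitly that callers must pass byte strings, as the `sha256(...)` output and the stored `$hash` in the User.pm hunk are. The POD also says "Do not change it without thorough statistical timing analysis"; the branch is chosen by a per-call flag rather than by the data being compared, so the loop's timing should not depend on the input any more than before, but that reasoning belongs in the patch description. The POD lines `The two string arguments B be of equal length` and `this function will call C` look like stripped `B<...>`/`C<...>` markup in this rendering; worth checking in the file. Finally, the hunk is cut off after `die $generic_error if (scalar @a_octets) !=`, so the last two lines of the 78-line patch file (the remainder of the comparison loop) could not be reviewed here.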
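As an added illustration of the regression (my own Perl, modelled on the patched `constant_time_eq` in the debdiff above; not RT's code), the two constructed 26-octet stand-ins for `substr(sha256(...), 0, 26)` below show why a non-matching password died in text mode and why the `$binary` flag turns that into a plain mismatch:

```perl
#!/usr/bin/perl
# Added example, not RT's code: a cut-down constant_time_eq modelled on
# the patched RT::Util version, plus two constructed 26-octet "digests".
use strict;
use warnings;
use Encode qw(encode);

sub constant_time_eq {
    my ($lhs, $rhs, $binary) = @_;
    my $generic_error = "Cannot compare values of different lengths\n";
    die $generic_error if length($lhs) != length($rhs);

    my $result = 0;
    for my $i (0 .. length($lhs) - 1) {
        my $l_char = substr($lhs, $i, 1);
        my $r_char = substr($rhs, $i, 1);
        my (@l_octets, @r_octets);
        if ($binary) {
            # byte strings: one octet per character, no re-encoding
            @l_octets = ord($l_char);
            @r_octets = ord($r_char);
        } else {
            # text: a byte >= 0x80 is taken as Latin-1 and becomes two
            # UTF-8 octets, so octet counts can differ per position
            @l_octets = unpack("C*", encode('UTF-8', $l_char, Encode::FB_CROAK));
            @r_octets = unpack("C*", encode('UTF-8', $r_char, Encode::FB_CROAK));
        }
        die $generic_error if @l_octets != @r_octets;
        $result |= $l_octets[$_] ^ $r_octets[$_] for 0 .. $#l_octets;
    }
    return $result == 0;
}

# Constructed stand-ins for substr(sha256(...), 0, 26): same length, but
# the octets >= 0x80 sit at different positions in the two values.
my $stored = ("\x41" x 13) . ("\xC3" x 13);
my $wrong  = ("\xC3" x 13) . ("\x41" x 13);

printf "correct password, text mode:   %s\n",
    constant_time_eq($stored, $stored) ? "match" : "no match";

my $ok = eval { constant_time_eq($stored, $wrong); 1 };
print  "wrong password, text mode:     ", ($ok ? "no match\n" : "died: $@");

printf "wrong password, binary mode:   %s\n",
    constant_time_eq($stored, $wrong, 1) ? "match" : "no match";
```

A correct password always compares equal because identical octets give identical per-character counts, which is why the error only surfaced on wrong passwords.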