This is an automated email from the git hooks/post-receive script. mans0954 pushed a commit to branch master in repository apache-directory-api.
commit 7fab3ce9b1d99b82ad7c4ef8f7970fd3e108f251
Author: Christopher Hoskin <mans0...@debian.org>
Date: Wed Jan 3 23:49:30 2018 +0000
Remove 02-CVE-2015-3250.patch (fixed in M31)
---
debian/changelog | 1 +
debian/patches/02-CVE-2015-3250.patch | 68 ----------------------------------
debian/patches/series | 1 -
3 files changed, 1 insertion(+), 69 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 4022169..d5c79e8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ apache-directory-api (1.0.0-1) UNRELEASED; urgency=medium
 * Watch official signed upstream release tarballs
 * New upstream release (1.0.0)
 * Use https in debian/watch
+ * Remove 02-CVE-2015-3250.patch (fixed in M31)
 -- Christopher Hoskin <mans0...@debian.org> Wed, 03 Jan 2018 23:33:47 +0000
diff --git a/debian/patches/02-CVE-2015-3250.patch b/debian/patches/02-CVE-2015-3250.patch
deleted file mode 100644
index 08b87af..0000000
--- a/debian/patches/02-CVE-2015-3250.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-Description: Fixes CVE-2015-3250: Timing Attack vulnerability
- This patch can be removed after upgrading to the version 1.0.0-M31 or later
-Origin: backport, https://svn.apache.org/r1688300
---- a/ldap/model/src/main/java/org/apache/directory/api/ldap/model/password/PasswordUtil.java
-+++ b/ldap/model/src/main/java/org/apache/directory/api/ldap/model/password/PasswordUtil.java
-@@ -25,7 +25,6 @@
- import java.security.MessageDigest;
- import java.security.NoSuchAlgorithmException;
- import java.security.SecureRandom;
--import java.util.Arrays;
- import java.util.Date;
- 
- import org.apache.directory.api.ldap.model.constants.LdapSecurityConstants;
-@@ -254,14 +253,51 @@
- byte[] userPassword = PasswordUtil.encryptPassword( receivedCredentials, encryptionMethod.getAlgorithm(),
- encryptionMethod.getSalt() );
- 
-- // Now, compare the two passwords.
-- return Arrays.equals( userPassword, encryptedStored );
-+ return compareBytes( userPassword, encryptedStored );
- }
- else
- {
-- return Arrays.equals( storedCredentials, receivedCredentials );
-+ return compareBytes( receivedCredentials, storedCredentials );
- }
- }
-+ 
-+ 
-+ /**
-+ * Compare two byte[] in a constant time. This is necessary because using an Array.equals() is
-+ * not Timing attack safe ([1], [2] and [3]), a breach that can be exploited to break some hashes.
-+ * - [1] https://en.wikipedia.org/wiki/Timing_attack
-+ * [2] http://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/
-+ * [3] https://cryptocoding.net/index.php/Coding_rules
-+ */
-+ private static boolean compareBytes( byte[] provided, byte[] stored )
-+ {
-+ if ( stored == null )
-+ {
-+ return provided == null;
-+ }
-+ else if ( provided == null )
-+ {
-+ return false;
-+ }
-+ 
-+ // Now, compare the two passwords, using a constant time method
-+ if ( stored.length != provided.length )
-+ {
-+ return false;
-+ }
-+ 
-+ // loop on *every* byte in both passwords, and at the end, if one char at least is different, return false.
-+ int result = 0;
-+ 
-+ for ( int i = 0; i < stored.length; i++ )
-+ {
-+ // If both bytes are equal, xor will be == 0, otherwise it will be != 0 and so will result.
-+ result |= ( stored[i] ^ provided[i] );
-+ }
-+ 
-+ return result == 0;
-+ }
- 
- 
- /**
diff --git a/debian/patches/series b/debian/patches/series
index 18a851d..da693f0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1 @@
 01-jar-packaging.patch
-02-CVE-2015-3250.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/apache-directory-api.git
_______________________________________________
pkg-java-commits mailing list
pkg-java-comm...@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
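Review bot: Dropping this backport is only safe if the 1.0.0 upstream PasswordUtil.compareCredentials really compares with a constant-time routine, and nothing in this commit shows the upstream code — the removal rests on the DEP-3 header's "can be removed after upgrading to 1.0.0-M31" claim. Before uploading, please confirm that the 1.0.0 tarball's ldap/model PasswordUtil no longer calls Arrays.equals on the stored versus received credentials and instead uses MessageDigest.isEqual or an equivalent XOR-accumulate loop like the one this patch carried. If the upstream form differs from the backport (for example by still short-circuiting on a length mismatch), note it in the changelog entry so the security tracker has the rationale on record. The deleted file is shown in full here, but the upstream class it patched is entirely outside this diff.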