Debian Bug report logs - #700226
ruby-rack: CVE-2013-0263: Timing attack in cookie sessions

version graph

Package: src:ruby-rack; Maintainer for src:ruby-rack is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 9 Feb 2013 13:18:02 UTC

Severity: grave

Tags: security

Fixed in version 1.4.1-2.1

Done: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#700173; Package src:ruby-rack. (Sat, 09 Feb 2013 13:18:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 09 Feb 2013 13:18:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-rack: CVE-2013-0262 and CVE-2013-0263
Date: Sat, 09 Feb 2013 14:15:34 +0100
Source: ruby-rack
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for ruby-rack.

CVE-2013-0262[0]:
Path sanitization information disclosure

CVE-2013-0263[1]:
Timing attack in cookie sessions

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

Patches/upstream commits are referenced in the security tracker.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-0262
[1] http://security-tracker.debian.org/tracker/CVE-2013-0263

Please adjust the affected versions in the BTS as needed.

Note: According to the red hat bugtracker for CVE-2013-0262 only
      versions after 1.4.x are affected, for CVE-2013-0263 all previous
      versions. Could you please double check this, and mark
      accordingly?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#700173; Package src:ruby-rack. (Sun, 10 Feb 2013 02:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Satoru KURASHIKI <lurdan@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 10 Feb 2013 02:18:03 GMT) Full text and rfc822 format available.

Message #10 received at 700173@bugs.debian.org (full text, mbox):

From: Satoru KURASHIKI <lurdan@gmail.com>
To: 700173@bugs.debian.org
Subject: Re: ruby-rack: CVE-2013-0262 and CVE-2013-0263
Date: Sun, 10 Feb 2013 11:14:50 +0900
hi,

> For further information see:

> [0] http://security-tracker.debian.org/tracker/CVE-2013-0262
> [1] http://security-tracker.debian.org/tracker/CVE-2013-0263

> Please adjust the affected versions in the BTS as needed.

> Note: According to the red hat bugtracker for CVE-2013-0262 only
>       versions after 1.4.x are affected, for CVE-2013-0263 all previous
>       versions. Could you please double check this, and mark
>       accordingly?

With a quick look:

the code which raises CVE-2013-0262 (calculate path depth sequentially)
was introduced in rack-1.4.0. So stable version (librack-ruby 1.1.0-4) is not
affected.

the code which raises CVE-2013-0263 (needs time string comparison)
also affects stable version:
https://github.com/rack/rack/blob/1.1/lib/rack/session/cookie.rb#L49

This bts would have better to be split?

regards,
-- 
KURASHIKI Satoru



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#700173; Package src:ruby-rack. (Sun, 10 Feb 2013 07:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 10 Feb 2013 07:51:04 GMT) Full text and rfc822 format available.

Message #15 received at 700173@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Satoru KURASHIKI <lurdan@gmail.com>, 700173@bugs.debian.org
Subject: Re: Bug#700173: ruby-rack: CVE-2013-0262 and CVE-2013-0263
Date: Sun, 10 Feb 2013 08:49:05 +0100
Control: clone -1 -2
Control: retitle -1 ruby-rack: CVE-2013-0262: Path sanitization information disclosure
Control: retitle -2 ruby-rack: CVE-2013-0263: Timing attack in cookie sessions

Hi

On Sun, Feb 10, 2013 at 11:14:50AM +0900, Satoru KURASHIKI wrote:
> hi,
> 
> > For further information see:
> 
> > [0] http://security-tracker.debian.org/tracker/CVE-2013-0262
> > [1] http://security-tracker.debian.org/tracker/CVE-2013-0263
> 
> > Please adjust the affected versions in the BTS as needed.
> 
> > Note: According to the red hat bugtracker for CVE-2013-0262 only
> >       versions after 1.4.x are affected, for CVE-2013-0263 all previous
> >       versions. Could you please double check this, and mark
> >       accordingly?
> 
> With a quick look:
> 
> the code which raises CVE-2013-0262 (calculate path depth sequentially)
> was introduced in rack-1.4.0. So stable version (librack-ruby 1.1.0-4) is not
> affected.
> 
> the code which raises CVE-2013-0263 (needs time string comparison)
> also affects stable version:
> https://github.com/rack/rack/blob/1.1/lib/rack/session/cookie.rb#L49
> 
> This bts would have better to be split?

thanks for the analysis! I'm cloning the bug and retitling both
accordingly so that both CVE's can be tracked in separate bugs.

Regards,
Salvatore



Bug 700173 cloned as bug 700226 Request was from Salvatore Bonaccorso <carnil@debian.org> to 700173-submit@bugs.debian.org. (Sun, 10 Feb 2013 07:51:04 GMT) Full text and rfc822 format available.

Changed Bug title to 'ruby-rack: CVE-2013-0263: Timing attack in cookie sessions' from 'ruby-rack: CVE-2013-0262 and CVE-2013-0263' Request was from Salvatore Bonaccorso <carnil@debian.org> to 700173-submit@bugs.debian.org. (Sun, 10 Feb 2013 07:51:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#700226; Package src:ruby-rack. (Mon, 11 Feb 2013 04:27:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Satoru KURASHIKI <lurdan@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 11 Feb 2013 04:27:05 GMT) Full text and rfc822 format available.

Message #24 received at 700226@bugs.debian.org (full text, mbox):

From: Satoru KURASHIKI <lurdan@gmail.com>
To: team@security.debian.org
Cc: 700226@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, pkg-ruby-extras-maintainers@lists.alioth.debian.org
Subject: Re: Bug#700173: ruby-rack: CVE-2013-0262 and CVE-2013-0263
Date: Mon, 11 Feb 2013 13:24:42 +0900
hi,
(CC: pkg-ruby-extras-maintainers)

I've contacted Youhei SASAKI (maintainer of ruby-rack, successor of
librack-ruby),
and acknowledged about preparing NMU for this bug.

Please audit this patch, after that I will prepare NMU for squeeze.
(and after that t-p-u, unstable, ...)

On Sun, Feb 10, 2013 at 4:49 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:

>> > [1] http://security-tracker.debian.org/tracker/CVE-2013-0263

>> the code which raises CVE-2013-0263 (needs time string comparison)
>> also affects stable version:
>> https://github.com/rack/rack/blob/1.1/lib/rack/session/cookie.rb#L49

This issue was already fixed in upstream HEAD, so I backport that commit with
file adjustment for old code base.

https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11

prepared patch as follows:

--- a/lib/rack/session/cookie.rb        2013-02-11 01:54:07.291302061 +0000
+++ b/lib/rack/session/cookie.rb        2013-02-11 01:55:10.135303555 +0000
@@ -46,7 +46,7 @@

         if @secret && session_data
           session_data, digest = session_data.split("--")
-          session_data = nil  unless digest == generate_hmac(session_data)
+          session_data = nil  unless
Rack::Utils.secure_compare(digest, generate_hmac(session_data))
         end

         begin
--- a/lib/rack/utils.rb 2013-02-11 01:55:45.791304402 +0000
+++ b/lib/rack/utils.rb 2013-02-11 01:56:43.395305772 +0000
@@ -234,6 +234,18 @@
     end
     module_function :bytesize

+    # Constant time string comparison.
+    def secure_compare(a, b)
+      return false unless bytesize(a) == bytesize(b)
+
+      l = a.unpack("C*")
+
+      r, i = 0, -1
+      b.each_byte { |v| r |= v ^ l[i+=1] }
+      r == 0
+    end
+    module_function :secure_compare
+
     # Context allows the use of a compatible middleware at different points
     # in a request handling stack. A compatible middleware must define
     # #context which should take the arguments env and app. The first of which
--- a/test/spec_rack_utils.rb   2013-02-11 01:57:17.383306580 +0000
+++ b/test/spec_rack_utils.rb   2013-02-11 01:58:12.775307896 +0000
@@ -205,6 +205,11 @@
     Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
   end

+  specify "should perform constant time string comparison" do
+    Rack::Utils.secure_compare('a', 'a').should.equal true
+    Rack::Utils.secure_compare('a', 'b').should.equal false
+  end
+
   specify "should return status code for integer" do
     Rack::Utils.status_code(200).should.equal 200
   end

regards,
-- 
KURASHIKI Satoru



Reply sent to Nobuhiro Iwamatsu <iwamatsu@nigauri.org>:
You have taken responsibility. (Wed, 27 Feb 2013 23:00:03 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 27 Feb 2013 23:00:03 GMT) Full text and rfc822 format available.

Message #29 received at 700226-done@bugs.debian.org (full text, mbox):

From: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
To: 700226-done@bugs.debian.org
Subject: Re: ruby-rack: CVE-2013-0263: Timing attack in cookie sessions
Date: Thu, 28 Feb 2013 07:56:52 +0900
Source: ruby-rack
Version: 1.4.1-2.1

Hi,

This bug was closed in 1.4.1-2.1.

Best regards,
  Nobuhiro

-- 
Nobuhiro Iwamatsu
   iwamatsu at {nigauri.org / debian.org}
   GPG ID: 40AD1FA6



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#700226; Package src:ruby-rack. (Thu, 07 Mar 2013 11:21:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Satoru KURASHIKI <lurdan@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 07 Mar 2013 11:21:05 GMT) Full text and rfc822 format available.

Message #34 received at 700226@bugs.debian.org (full text, mbox):

From: Satoru KURASHIKI <lurdan@gmail.com>
To: team@security.debian.org
Cc: 700226@bugs.debian.org, 698440@bugs.debian.org, pkg-ruby-extras-maintainers@lists.alioth.debian.org
Subject: Re: Bug#700173: ruby-rack: CVE-2013-0262 and CVE-2013-0263
Date: Thu, 7 Mar 2013 20:17:52 +0900
[Message part 1 (text/plain, inline)]
dear security team,

On Mon, Feb 11, 2013 at 1:24 PM, Satoru KURASHIKI <lurdan@gmail.com> wrote:
> I've contacted Youhei SASAKI (maintainer of ruby-rack, successor of
> librack-ruby),
> and acknowledged about preparing NMU for this bug.
>
> Please audit this patch, after that I will prepare NMU for squeeze.
> (and after that t-p-u, unstable, ...)

I've created a NMU debdiff for stable, which includes these fixes:
#698440 (CVE-2013-0184)
#700226 (CVE-2013-0263)

These are already applied in unstable/testing.

Please consider to update stable version of librack-ruby with
attached debdiff to close those CVE issues.

regards,
-- 
KURASHIKI Satoru
[librack-ruby_s-p-u.debdiff (application/octet-stream, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Apr 2013 07:26:34 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 19:45:55 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.