Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
A regression was discovered in the latest security patch update for RT which can cause incorrect UTF-8 encoded passwords to trigger an application error. This is not in itself considered a security problem. The attached debdiff applies a patch which has been included in the official upstream releases including the security fixes. Thanks for considering! Dominic.
diff -Nru request-tracker4-4.4.1/debian/changelog request-tracker4-4.4.1/debian/changelog
--- request-tracker4-4.4.1/debian/changelog 2017-07-06 15:10:40.000000000 +0100
+++ request-tracker4-4.4.1/debian/changelog 2017-08-25 23:53:15.000000000 +0100
@@ -1,3 +1,10 @@
+request-tracker4 (4.4.1-3+deb9u3) UNRELEASED; urgency=medium
+
+ * Fix regression in previous security release where incorrect
+ SHA256 passwords could trigger an error
+
+ -- Dominic Hargreaves <d...@earth.li> Fri, 25 Aug 2017 23:50:45 +0100
+
 request-tracker4 (4.4.1-3+deb9u2) stretch; urgency=medium

 * Handle configuration permissions correctly following
diff -Nru request-tracker4-4.4.1/debian/.git-dpm request-tracker4-4.4.1/debian/.git-dpm
--- request-tracker4-4.4.1/debian/.git-dpm 2017-07-06 11:12:02.000000000 +0100
+++ request-tracker4-4.4.1/debian/.git-dpm 2017-08-25 23:50:44.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-e272152dd37ff075d41052fbe599fb23040bb426
-e272152dd37ff075d41052fbe599fb23040bb426
+6700f66c21e5baa6b59ef7ac5aed226d9bf96bfb
+6700f66c21e5baa6b59ef7ac5aed226d9bf96bfb
 63ca1094b0eb53bf86eef426b17dc0080a1a1f8e
 63ca1094b0eb53bf86eef426b17dc0080a1a1f8e
 request-tracker4_4.4.1.orig.tar.gz
diff -Nru request-tracker4-4.4.1/debian/patches/is_password_binary.patch request-tracker4-4.4.1/debian/patches/is_password_binary.patch
--- request-tracker4-4.4.1/debian/patches/is_password_binary.patch 1970-01-01 01:00:00.000000000 +0100
+++ request-tracker4-4.4.1/debian/patches/is_password_binary.patch 2017-08-25 23:50:44.000000000 +0100
@@ -0,0 +1,78 @@
+From 6700f66c21e5baa6b59ef7ac5aed226d9bf96bfb Mon Sep 17 00:00:00 2001
+From: Shawn M Moore <sh...@bestpractical.com>
+Date: Mon, 10 Jul 2017 11:48:28 -0400
+Subject: Add a "binary" option to opt out of UTF8 encoding
+
+The SHA256 branch of IsPassword generates binary values to compare,
+which may lead to comparing two strings with a different number of
+Unicode characters, even when both strings have 26 octets (since UTF8 is
+a variable-length encoding). This triggers an error in constant_time_eq
+which demands both strings are the same length.
+
+When comparing binary values pass this flag to avoid treating the
+inputs as UTF8.
+
+Patch-Name: is_password_binary.patch
+---
+ lib/RT/User.pm | 2 +-
+ lib/RT/Util.pm | 20 ++++++++++++++++----
+ 2 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/lib/RT/User.pm b/lib/RT/User.pm
+index 0e86d44..3ced5ce 100644
+--- a/lib/RT/User.pm
++++ b/lib/RT/User.pm
+@@ -1110,7 +1110,7 @@ sub IsPassword {
+ my $salt = substr($hash, 0, 4, "");
+ return 0 unless RT::Util::constant_time_eq(
+ substr(Digest::SHA::sha256($salt . Digest::MD5::md5(Encode::encode( "UTF-8", $value))), 0, 26),
+- $hash
++ $hash, 1
+ );
+ } elsif (length $stored == 32) {
+ # Hex nonsalted-md5
+diff --git a/lib/RT/Util.pm b/lib/RT/Util.pm
+index 47b1dd2..1a040b9 100644
+--- a/lib/RT/Util.pm
++++ b/lib/RT/Util.pm
+@@ -166,6 +166,9 @@ The two string arguments B<MUST> be of equal length. If the lengths differ,
+ this function will call C<die()>, as proceeding with execution would create
+ a timing vulnerability. Length is defined by characters, not bytes.
+ 
++Strings that should be treated as binary octets rather than Unicode text
++should pass a true value for the binary flag.
++
+ This code has been tested to do what it claims. Do not change it without
+ thorough statistical timing analysis to validate the changes.
+ 
+@@ -177,7 +180,7 @@ B<https://en.wikipedia.org/wiki/Timing_attack>
+ =cut
+ 
+ sub constant_time_eq {
+- my ($a, $b) = @_;
++ my ($a, $b, $binary) = @_;
+ 
+ my $result = 0;
+ 
+@@ -191,9 +194,18 @@ sub constant_time_eq {
+ my $a_char = substr($a, $i, 1);
+ my $b_char = substr($b, $i, 1);
+ 
+- # encode() is set to die on malformed
+- my @a_octets = unpack("C*", encode('UTF-8', $a_char, Encode::FB_CROAK));
+- my @b_octets = unpack("C*", encode('UTF-8', $b_char, Encode::FB_CROAK));
++ my (@a_octets, @b_octets);
++ 
++ if ($binary) {
++ @a_octets = ord($a_char);
++ @b_octets = ord($b_char);
++ }
++ else {
++ # encode() is set to die on malformed
++ @a_octets = unpack("C*", encode('UTF-8', $a_char, Encode::FB_CROAK));
++ @b_octets = unpack("C*", encode('UTF-8', $b_char, Encode::FB_CROAK));
++ }
++ 
+ die $generic_error if (scalar @a_octets) != (scalar @b_octets);
+ 
+ for (my $j = 0; $j < scalar @a_octets; $j++) {
diff -Nru request-tracker4-4.4.1/debian/patches/series request-tracker4-4.4.1/debian/patches/series
--- request-tracker4-4.4.1/debian/patches/series 2017-07-06 11:12:02.000000000 +0100
+++ request-tracker4-4.4.1/debian/patches/series 2017-08-25 23:50:44.000000000 +0100
@@ -23,3 +23,4 @@
 local_site_config_includes.diff
 patchset-2017-06-01.patch
 patchset-2017-06-01-test-failures.patch
+is_password_binary.patch
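Review bot: The new `$binary` branch in constant_time_eq takes `ord($a_char)` as the single octet of each character without checking that the character really is an octet, so a caller that sets the flag on a string still holding code points above 0xFF gets a silent code-point comparison instead of the croak the UTF-8 branch raises via `Encode::FB_CROAK`; the following `die $generic_error` length check cannot catch this either, because in the binary branch both lists always have exactly one element. The POD paragraph added at `@@ -166,6 +166,9` should state that contract, e.g. `Strings passed with the binary flag must be byte strings (every character in the range 0-255); the flag skips the UTF-8 encoding step and performs no per-character validation.` In the IsPassword hunk, whether `$hash` is actually a byte string depends on how it was derived from `$stored` above the hunk, which is outside this view and worth confirming before relying on the flag. Both IsPassword and constant_time_eq begin and end outside the hunk.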