Abhilash Raj pushed to branch master at GNU Mailman / Mailman Core
Commits:

e4a39488 by Kunal Mehta at 2021-06-20T23:42:29-07:00

    Check the REST API password in a way that is resistant to timing attacks (CVE-2021-34337)

    Using basic string equality is vulnerable to timing attacks as it will short-circuit at the first wrong character. Using hmac.compare_digest avoids that issue and will take the same time, regardless of whether the value is correct or not.

    This is only exploitable if an attacker can talk directly to the REST API, which by default is bound to localhost.

    Fixes #911.

- - - - -

8d9c8770 by Abhilash Raj at 2021-06-23T05:34:56+00:00

    Merge branch 'rest-password' into 'master'

    Check REST API password in a way that prevents timing attacks: CVE-2021-34337

    Closes #911

    See merge request mailman/mailman!881

- - - - -

2 changed files:

- src/mailman/docs/NEWS.rst
- src/mailman/rest/wsgiapp.py

Changes:

===================================== src/mailman/docs/NEWS.rst ===================================== @@ -114,6 +114,11 @@ New Features * There is a new ``list:admin:notice:pending`` template for the notice from the ``mailman notify`` command. (Closes #890) +Security +-------- +* Check the REST API password in a way that is resistant to timing attacks. + (CVE-2021-34337, Closes #911) + .. _news-3.3.4: 3.3.4
===================================== src/mailman/rest/wsgiapp.py ===================================== @@ -18,6 +18,7 @@ """Basic WSGI Application object for REST server.""" import re +import hmac import logging from base64 import b64decode 
@@ -55,7 +56,8 @@ class Middleware: credentials = b64decode(request.auth[6:]).decode('utf-8') username, password = credentials.split(':', 1) if (username == config.webservice.admin_user and - password == config.webservice.admin_pass): + hmac.compare_digest( + password, config.webservice.admin_pass)): authorized = True if not authorized: # Not authorized.

View it on GitLab: https://gitlab.com/mailman/mailman/-/compare/24567a18ea4d0eff1305875e6b47874279e4143f...8d9c8770ebc06e8128ec026d34c408cebc6b288f
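Review bot: in the `@@ -55,7 +56,8 @@` hunk, `hmac.compare_digest(password, config.webservice.admin_pass)` is called on two `str` values, and `compare_digest` raises `TypeError` when either `str` contains non-ASCII characters; `password` is client-controlled (it comes from `b64decode(request.auth[6:]).decode('utf-8')` two lines above), so a client that sends a non-ASCII password now triggers an unhandled exception where the old `==` produced the normal not-authorized response. Encode both sides first, e.g. `hmac.compare_digest(password.encode('utf-8'), config.webservice.admin_pass.encode('utf-8'))`. Separately, `username == config.webservice.admin_user` on the unchanged line above is still ordinary short-circuiting equality, and because the two checks are joined with `and`, `compare_digest` only runs once the username already matched, so the response time still distinguishes a correct username from an incorrect one; if the username is meant to be covered by this fix, compare it the same way and combine the two results without short-circuiting.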
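The comparison the commit message describes, as an added example that is not Mailman's own code: a short-circuiting equality next to a `hmac.compare_digest` check, wrapped in a small Basic-auth checker modelled on the middleware above. It goes beyond the patch in two places, both labelled in the code: it compares as UTF-8 bytes, because `compare_digest` refuses `str` arguments that contain non-ASCII characters, and it checks the username with the same routine and without `and` short-circuiting. `ADMIN_USER`, `ADMIN_PASS`, `basic_header` and the headers built from them are constructed for the example and stand in for `config.webservice.admin_user` / `admin_pass`.

```python
"""Constant-time HTTP Basic-auth check in the shape of the Mailman REST
middleware. Added example, not the project's code; the credentials and
headers below are constructed for illustration."""
import hmac
from base64 import b64decode, b64encode

# Constructed stand-ins for config.webservice.admin_user / admin_pass.
# The password is deliberately non-ASCII to exercise the str pitfall.
ADMIN_USER = 'restadmin'
ADMIN_PASS = 'pässword-with-non-ascii'


def insecure_equal(a: str, b: str) -> bool:
    """The 'before' behaviour, spelled out: returns at the first mismatch,
    so the time taken grows with the length of the matching prefix."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False      # early exit: this is the timing side channel
    return True


def str_compare_raises(a: str, b: str) -> bool:
    """True if hmac.compare_digest refuses this str pair. It raises TypeError
    when either str contains non-ASCII characters, which is why a client-
    supplied password should not be passed to it as str."""
    try:
        hmac.compare_digest(a, b)
        return False
    except TypeError:
        return True


def constant_time_equal(a: str, b: str) -> bool:
    """Compare as UTF-8 bytes: same type on both sides, no TypeError on
    non-ASCII input, and the time taken does not depend on the mismatch position."""
    return hmac.compare_digest(a.encode('utf-8'), b.encode('utf-8'))


def parse_basic_auth(header: str):
    """Return (username, password) from a Basic Authorization header value,
    or None if it is malformed (bad base64, bad UTF-8, or no ':' separator)."""
    if not header.startswith('Basic '):
        return None
    try:
        credentials = b64decode(header[6:], validate=True).decode('utf-8')
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    if ':' not in credentials:
        return None
    username, password = credentials.split(':', 1)
    return username, password


def is_authorized(header: str, admin_user: str = ADMIN_USER,
                  admin_pass: str = ADMIN_PASS) -> bool:
    """Check both username and password in constant time. Both comparisons
    always run and are combined with '&' rather than 'and', so the response
    time does not reveal whether the username alone was correct."""
    parsed = parse_basic_auth(header)
    if parsed is None:
        return False
    username, password = parsed
    user_ok = constant_time_equal(username, admin_user)
    pass_ok = constant_time_equal(password, admin_pass)
    return user_ok & pass_ok


def basic_header(username: str, password: str) -> str:
    """Build a Basic Authorization header value (constructed test input)."""
    token = b64encode(f'{username}:{password}'.encode('utf-8')).decode('ascii')
    return 'Basic ' + token


if __name__ == '__main__':
    good = basic_header(ADMIN_USER, ADMIN_PASS)
    print('valid credentials accepted:', is_authorized(good))
    print('wrong password rejected:', not is_authorized(basic_header(ADMIN_USER, 'nope')))
    print('str compare_digest raises on non-ASCII:', str_compare_raises(ADMIN_PASS, ADMIN_PASS))
```

`insecure_equal` is there only to make the early exit visible; CPython's own `str.__eq__` behaves the same way (length check, then a memory compare that stops at the first differing byte), which is the behaviour the commit replaces.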
_______________________________________________
Mailman-checkins mailing list -- mailman-checkins@python.org
To unsubscribe send an email to mailman-checkins-le...@python.org
https://mail.python.org/mailman3/lists/mailman-checkins.python.org/
Member address: arch...@jab.org