
Bug#873310: marked as done (jessie-pu: package request-tracker4/4.2.8-3+deb8u3)



Your message dated Sat, 09 Dec 2017 10:47:53 +0000
with message-id <1512816473.1994.32.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #873310,
regarding jessie-pu: package request-tracker4/4.2.8-3+deb8u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
873310: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873310
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

A regression was discovered in the latest security patch update for
RT which can cause incorrect UTF-8 encoded passwords to cause an
application error. This is not in itself considered a security
problem.

The attached debdiff applies a patch which has been included in the
official upstream releases including the security fixes.

Thanks for considering!

Dominic.
diff -Nru request-tracker4-4.2.8/debian/changelog request-tracker4-4.2.8/debian/changelog
--- request-tracker4-4.2.8/debian/changelog	2017-06-10 23:25:15.000000000 +0100
+++ request-tracker4-4.2.8/debian/changelog	2017-08-26 00:05:00.000000000 +0100
@@ -1,3 +1,10 @@
+request-tracker4 (4.2.8-3+deb8u3) UNRELEASED; urgency=medium
+
+  * Fix regression in previous security release where incorrect
+    SHA256 passwords could trigger an error
+
+ -- Dominic Hargreaves <dom@earth.li>  Sat, 26 Aug 2017 00:04:25 +0100
+
 request-tracker4 (4.2.8-3+deb8u2) jessie-security; urgency=high
 
   * Fix FTBFS due to base.pm changes (Closes: #864302)
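Review bot: the new stanza `+request-tracker4 (4.2.8-3+deb8u3) UNRELEASED; urgency=medium` still names UNRELEASED as its distribution; for the jessie-pu upload this bug asks for it has to read `jessie` before the package is uploaded, or the upload will be rejected. The entry would also stand on its own better if it named the affected code path (the salted SHA256 branch of IsPassword, per the attached patch) rather than only "incorrect SHA256 passwords".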
diff -Nru request-tracker4-4.2.8/debian/.git-dpm request-tracker4-4.2.8/debian/.git-dpm
--- request-tracker4-4.2.8/debian/.git-dpm	2017-06-10 23:24:20.000000000 +0100
+++ request-tracker4-4.2.8/debian/.git-dpm	2017-08-26 00:04:21.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-0585d038ba908af5d49c48ddeb1394b2f3579331
-0585d038ba908af5d49c48ddeb1394b2f3579331
+dc3c256430c25518b42020ae1f85924aeb6930c4
+dc3c256430c25518b42020ae1f85924aeb6930c4
 21890d09947710ac3f48ddd306fe5b6a50f5bbe9
 21890d09947710ac3f48ddd306fe5b6a50f5bbe9
 request-tracker4_4.2.8.orig.tar.gz
diff -Nru request-tracker4-4.2.8/debian/patches/is_password_binary.patch request-tracker4-4.2.8/debian/patches/is_password_binary.patch
--- request-tracker4-4.2.8/debian/patches/is_password_binary.patch	1970-01-01 01:00:00.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/is_password_binary.patch	2017-08-26 00:04:21.000000000 +0100
@@ -0,0 +1,78 @@
+From dc3c256430c25518b42020ae1f85924aeb6930c4 Mon Sep 17 00:00:00 2001
+From: Shawn M Moore <shawn@bestpractical.com>
+Date: Mon, 10 Jul 2017 11:48:28 -0400
+Subject: Add a "binary" option to opt out of UTF8 encoding
+
+The SHA256 branch of IsPassword generates binary values to compare,
+which may lead to comparing two strings with a different number of
+Unicode characters, even when both strings have 26 octets (since UTF8 is
+a variable-length encoding). This triggers an error in constant_time_eq
+which demands both strings are the same length.
+
+When comparing binary values pass this flag to avoid treating the
+inputs as UTF8.
+
+Patch-Name: is_password_binary.patch
+---
+ lib/RT/User.pm |  2 +-
+ lib/RT/Util.pm | 20 ++++++++++++++++----
+ 2 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/lib/RT/User.pm b/lib/RT/User.pm
+index dba5b6f..e8c0be5 100644
+--- a/lib/RT/User.pm
++++ b/lib/RT/User.pm
+@@ -1006,7 +1006,7 @@ sub IsPassword {
+         my $salt = substr($hash, 0, 4, "");
+         return 0 unless RT::Util::constant_time_eq(
+             substr(Digest::SHA::sha256($salt . Digest::MD5::md5(Encode::encode( "UTF-8", $value))), 0, 26),
+-            $hash
++            $hash, 1
+         );
+     } elsif (length $stored == 32) {
+         # Hex nonsalted-md5
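Review bot: the bare `1` added in `+            $hash, 1` is the new positional binary flag of constant_time_eq, and nothing at the call site says so; a one-line comment that both the truncated sha256 and `$hash` are raw octets rather than UTF-8 text would save the next reader a trip to Util.pm. Only this SHA256 branch gets the flag, which is right: the `length $stored == 32` hex md5 branch below compares ASCII hex, where each character encodes to exactly one octet anyway. Note that a stored hash whose length after removing the salt is not 26 will still make constant_time_eq die (the length rule documented in Util.pm is unchanged), so this fixes the UTF-8 character-count case only, not malformed stored values.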
+diff --git a/lib/RT/Util.pm b/lib/RT/Util.pm
+index 014f232..86e96ad 100644
+--- a/lib/RT/Util.pm
++++ b/lib/RT/Util.pm
+@@ -166,6 +166,9 @@ The two string arguments B<MUST> be of equal length. If the lengths differ,
+ this function will call C<die()>, as proceeding with execution would create
+ a timing vulnerability. Length is defined by characters, not bytes.
+ 
++Strings that should be treated as binary octets rather than Unicode text
++should pass a true value for the binary flag.
++
+ This code has been tested to do what it claims. Do not change it without
+ thorough statistical timing analysis to validate the changes.
+ 
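Review bot: the existing sentence `Length is defined by characters, not bytes.` directly above the added paragraph is no longer accurate once the binary flag is set, because in that mode every character is taken as a single octet; suggest qualifying it ("in the default Unicode mode") or stating that with the flag set, length is measured in octets. The added paragraph also never says that the flag is the third positional argument, which is the only way a caller can discover it from this POD.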
+@@ -177,7 +180,7 @@ B<https://en.wikipedia.org/wiki/Timing_attack>
+ =cut
+ 
+ sub constant_time_eq {
+-    my ($a, $b) = @_;
++    my ($a, $b, $binary) = @_;
+ 
+     my $result = 0;
+ 
+@@ -191,9 +194,18 @@ sub constant_time_eq {
+         my $a_char = substr($a, $i, 1);
+         my $b_char = substr($b, $i, 1);
+ 
+-        # encode() is set to die on malformed
+-        my @a_octets = unpack("C*", encode('UTF-8', $a_char, Encode::FB_CROAK));
+-        my @b_octets = unpack("C*", encode('UTF-8', $b_char, Encode::FB_CROAK));
++        my (@a_octets, @b_octets);
++
++        if ($binary) {
++            @a_octets = ord($a_char);
++            @b_octets = ord($b_char);
++        }
++        else {
++            # encode() is set to die on malformed
++            @a_octets = unpack("C*", encode('UTF-8', $a_char, Encode::FB_CROAK));
++            @b_octets = unpack("C*", encode('UTF-8', $b_char, Encode::FB_CROAK));
++        }
++
+         die $generic_error if (scalar @a_octets) != (scalar @b_octets);
+ 
+         for (my $j = 0; $j < scalar @a_octets; $j++) {
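Review bot: in the new `if ($binary)` branch, `@a_octets = ord($a_char)` always produces exactly one element per side, so the `die $generic_error if (scalar @a_octets) != (scalar @b_octets)` guard below can no longer fire for binary callers; that is the intended fix, but it also means a string containing characters above 0xFF passed with the flag set is silently compared by code point instead of being flagged, whereas the UTF-8 branch keeps its `Encode::FB_CROAK` validation. Worth a comment stating that binary callers must pass byte strings, and a regression test asserting that a non-matching 26-octet hash returns 0 from IsPassword rather than dying, since that is the behaviour the changelog claims to restore.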
diff -Nru request-tracker4-4.2.8/debian/patches/series request-tracker4-4.2.8/debian/patches/series
--- request-tracker4-4.2.8/debian/patches/series	2017-06-10 23:24:20.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/series	2017-08-26 00:04:21.000000000 +0100
@@ -18,3 +18,4 @@
 base-pm-ftbfs.patch
 patchset-2017-06-01.patch
 patchset-2017-06-01-test-failures.patch
+is_password_binary.patch

--- End Message ---
--- Begin Message ---
Version: 8.10

Hi,

Each of the updates referenced in these bugs was included in this
morning's jessie point release. Thanks!

Regards,

Adam

--- End Message ---
