radicale: CVE-2017-8342: htpasswd authentication vulnerable to timing-based bruteforce attacks


Debian Bug report logs - #861514


Package: radicale; Maintainer for radicale is Jonas Smedegaard <dr@jones.dk>; Source for radicale is src:radicale.

Reported by: Jonas Smedegaard <dr@jones.dk>

Date: Sat, 29 Apr 2017 23:09:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions radicale/1.1.1+20160115-1, radicale/0.9-1, radicale/1.1.1+20160115-3, radicale/2.0.0~rc1-1

Fixed in versions radicale/1.1.1+20160115-4, 2.0.0~rc2-1

Done: Jonas Smedegaard <dr@jones.dk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org:
Bug#861514; Package radicale. (Sat, 29 Apr 2017 23:09:04 GMT)


Acknowledgement sent to Jonas Smedegaard <dr@jones.dk>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org. (Sat, 29 Apr 2017 23:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: radicale: htpasswd authentication vulnerable to timing-based bruteforce attacks
Date: Sun, 30 Apr 2017 00:40:27 +0200
Package: radicale
Version: 2.0.0~rc1-1
Severity: grave
Tags: security patch
Justification: user security hole


Upstream has issued a security release:

> Add a random timer to avoid timing oracles and simple bruteforce
> attacks when using the htpasswd authentication method.

Actual patch:

commit 190b1dd795f0c552a4992445a231da760211183b
Author: Guillaume Ayoub <guillaume.ayoub@kozea.fr>
Date:   Wed Apr 19 14:02:51 2017 +0200

    Random timer to avoid timing oracles and simple bruteforce attacks
    
    Important note: this is a security fix.

diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py
index 2c73f23..7cd7342 100644
- --- a/radicale/auth/htpasswd.py
+++ b/radicale/auth/htpasswd.py
@@ -56,7 +56,8 @@ following significantly more secure schemes are parsable by Radicale:
 import base64
 import hashlib
 import os
- -
+import random
+import time
 
 from .. import config
 
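Review bot: the module docstring that this hunk header belongs to (it lists which htpasswd schemes are parsable) should also document the new behaviour, since operators will see failed logins take 1 to 2 seconds; one sentence next to the scheme list, such as "Failed authentication attempts are delayed by a random 1-2 s to throttle brute-force guessing and blunt timing measurements", would do. `random` is acceptable here because the jitter value is not a secret, but a one-line comment saying so would save the next reviewer from flagging a non-cryptographic PRNG in an auth module.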
@@ -161,7 +162,10 @@ def is_authenticated(user, password):
             if strippedline:
                 login, hash_value = strippedline.split(":")
                 if login == user:
- -                    # Allow encryption method to be overridden at runtime.
- -                    return _verifuncs[ENCRYPTION](hash_value, password)
+                    if _verifuncs[ENCRYPTION](hash_value, password):
+                        # Allow encryption method to be overridden at runtime.
+                        return True
+    # Random timer to avoid timing oracles and simple bruteforce attacks
+    time.sleep(1 + random.random())
     return False
 
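Review bot: the delay only buries the underlying timing difference in noise; the functions in `_verifuncs` are left untouched, so whatever comparison they use still leaks where a guess diverges. The root-cause fix is a constant-time comparison (`hmac.compare_digest`) inside those functions, with the sleep kept as a brute-force throttle. Two smaller points: the comment `# Allow encryption method to be overridden at runtime.` now sits above `return True`, where it no longer describes the line below it, and belongs above the `if _verifuncs[ENCRYPTION](hash_value, password):` line; and since the early `return` is gone, a matching login with a wrong password now keeps scanning the remaining lines, which is harmless but changes behaviour for files with duplicate logins and is worth a sentence in the commit message. Note also that the sleep runs inside the request handler, so each failed attempt holds that worker for 1 to 2 s; that is the intended cost, but the changelog should say so.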


 - Jonas

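As an added illustration (not Radicale's code and not part of the bug report), the htpasswd `{SHA}` check written once with a plain `==` and once with `hmac.compare_digest`, plus the patched control flow that delays only the failure path; the credential lines for `alice` and `bob` are constructed for the demo, and the constant-time comparison is a swapped-in technique that the patch itself does not add.

```python
import base64
import hashlib
import hmac
import random
import time


def sha1_field(password: str) -> str:
    """Build the htpasswd '{SHA}' field: base64 of the raw SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed htpasswd content for the demo (not a real credential file).
HTPASSWD_LINES = [
    "alice:" + sha1_field("correct horse"),
    "",  # blank line, skipped like Radicale's strippedline check
    "bob:" + sha1_field("hunter2"),
]


def verify_sha1_naive(hash_value: str, password: str) -> bool:
    # '==' on str stops at the first differing byte, so the time taken
    # depends on how much of the guess matches the stored value.
    return hash_value == sha1_field(password)


def verify_sha1_ct(hash_value: str, password: str) -> bool:
    # compare_digest's running time depends on the length only, not the content.
    return hmac.compare_digest(hash_value.encode(), sha1_field(password).encode())


def is_authenticated(user, password, lines, verify=verify_sha1_ct, delay=None):
    """Same control flow as the patched Radicale function: return True as soon
    as a line matches; every failure path falls through to one delay call."""
    for line in lines:
        stripped = line.strip()
        if not stripped:
            continue
        login, hash_value = stripped.split(":", 1)
        if login == user and verify(hash_value, password):
            return True
    if delay is not None:
        time.sleep(delay())  # the patch passes 1 + random.random() here
    return False


def radicale_delay() -> float:
    # The patch's jitter: 1 to 2 s from the non-cryptographic PRNG (not a secret).
    return 1 + random.random()


def timed_attempt(user, password, delay):
    """Return (authenticated, seconds) so the cost of each outcome can be compared."""
    start = time.perf_counter()
    ok = is_authenticated(user, password, HTPASSWD_LINES, delay=delay)
    return ok, time.perf_counter() - start
```

Passing a small `delay` (as the test does) keeps the demo fast; the real patch charges every failed attempt 1 to 2 s of the handling thread's time, which is what turns a timing oracle into an expensive guessing game.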



Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 30 Apr 2017 05:27:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#861514; Package radicale. (Sun, 30 Apr 2017 05:33:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sun, 30 Apr 2017 05:33:03 GMT)


Message #12 received at 861514@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jonas Smedegaard <dr@jones.dk>, 861514@bugs.debian.org
Subject: Re: Bug#861514: radicale: htpasswd authentication vulnerable to timing-based bruteforce attacks
Date: Sun, 30 Apr 2017 07:29:42 +0200
Hi Jonas,

On Sun, Apr 30, 2017 at 12:40:27AM +0200, Jonas Smedegaard wrote:
> Package: radicale
> Version: 2.0.0~rc1-1

Quickly checked and at least the version in stretch is affected as
well (not done triage on older versions yet). There is a fix for the
1.1.x branch at:

https://github.com/Kozea/Radicale/commit/190b1dd795f0c552a4992445a231da760211183b

FTR, I have requested a CVE for this issue via https://cveform.mitre.org

Regards,
Salvatore



Marked as found in versions radicale/1.1.1+20160115-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 30 Apr 2017 05:33:05 GMT)


Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility. (Sun, 30 Apr 2017 07:51:04 GMT)


Notification sent to Jonas Smedegaard <dr@jones.dk>:
Bug acknowledged by developer. (Sun, 30 Apr 2017 07:51:04 GMT)


Message #19 received at 861514-close@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: 861514-close@bugs.debian.org
Subject: Bug#861514: fixed in radicale 1.1.1+20160115-4
Date: Sun, 30 Apr 2017 07:48:48 +0000
Source: radicale
Source-Version: 1.1.1+20160115-4

We believe that the bug you reported is fixed in the latest version of
radicale, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861514@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated radicale package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 30 Apr 2017 09:14:16 +0200
Source: radicale
Binary: radicale python-radicale python3-radicale
Architecture: source
Version: 1.1.1+20160115-4
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <dr@jones.dk>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description:
 python-radicale - simple calendar and addressbook server - python2 module
 python3-radicale - simple calendar and addressbook server - python3 module
 radicale   - simple calendar and addressbook server - daemon
Closes: 861514
Changes:
 radicale (1.1.1+20160115-4) unstable; urgency=high
 .
   * Add patch cherry-picked upstream to fix Python3 compatibility of
     ssha part of htpasswd.
   * Add patch cherry-picked upstream to fix security bug: Add delay in
     htpasswd authentication.
     Closes: Bug#861514.





Marked as found in versions radicale/1.1.1+20160115-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 30 Apr 2017 08:39:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#861514; Package radicale. (Sun, 30 Apr 2017 18:24:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>. (Sun, 30 Apr 2017 18:24:04 GMT)


Message #26 received at 861514@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jonas Smedegaard <dr@jones.dk>, 861514@bugs.debian.org
Subject: Re: Bug#861514: radicale: htpasswd authentication vulnerable to timing-based bruteforce attacks
Date: Sun, 30 Apr 2017 20:21:01 +0200
Hi

This issue has been assigned CVE-2017-8342 via the cveform at MITRE.

Regards,
Salvatore



Changed Bug title to 'radicale: CVE-2017-8342: htpasswd authentication vulnerable to timing-based bruteforce attacks' from 'radicale: htpasswd authentication vulnerable to timing-based bruteforce attacks'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 30 Apr 2017 18:24:05 GMT)


Marked as found in versions radicale/0.9-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 30 Apr 2017 19:03:04 GMT)


No longer marked as found in versions radicale/2.0.0~rc1-1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 17 Sep 2017 03:24:38 GMT)


Marked as found in versions radicale/2.0.0~rc1-1 and reopened. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 17 Sep 2017 03:24:39 GMT)


Reply sent to 861514@bugs.debian.org:
You have taken responsibility. (Sun, 23 Sep 2018 18:57:03 GMT)


Notification sent to Jonas Smedegaard <dr@jones.dk>:
Bug acknowledged by developer. (Sun, 23 Sep 2018 18:57:03 GMT)


Message #39 received at 861514-done@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: 861514-done@bugs.debian.org
Subject: Re: radicale: htpasswd authentication vulnerable to timing-based bruteforce attacks
Date: Sun, 23 Sep 2018 20:54:43 +0200
Version: 2.0.0~rc2-1

Quoting Jonas Smedegaard (2017-04-30 00:40:27)
> Upstream has issued a security release:
> 
> > Add a random timer to avoid timing oracles and simple bruteforce
> > attacks when using the htpasswd authentication method.

This was fixed since 2.0.0~rc2-1.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 22 Oct 2018 07:25:39 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:09:47 2019; Machine Name: beach
