Related Vulnerabilities: CVE-2013-0263 CVE-2013-0262 CVE-2013-0184

Source

Debian Bug report logs - #700226
ruby-rack: CVE-2013-0263: Timing attack in cookie sessions

Package: src:ruby-rack; Maintainer for src:ruby-rack is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 9 Feb 2013 13:18:02 UTC

Severity: grave

Tags: security

Fixed in version 1.4.1-2.1

Done: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#700173; Package src:ruby-rack. (Sat, 09 Feb 2013 13:18:04 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 09 Feb 2013 13:18:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Source: ruby-rack
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for ruby-rack.

CVE-2013-0262[0]:
Path sanitization information disclosure

CVE-2013-0263[1]:
Timing attack in cookie sessions

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

Patches/upstream commits are referenced in the security tracker.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-0262
[1] http://security-tracker.debian.org/tracker/CVE-2013-0263

Please adjust the affected versions in the BTS as needed.

Note: According to the red hat bugtracker for CVE-2013-0262 only
      versions after 1.4.x are affected, for CVE-2013-0263 all previous
      versions. Could you please double check this, and mark
      accordingly?

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#700173; Package src:ruby-rack. (Sun, 10 Feb 2013 02:18:03 GMT) (full text, mbox, link).

Acknowledgement sent to Satoru KURASHIKI <lurdan@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 10 Feb 2013 02:18:03 GMT) (full text, mbox, link).

Message #10 received at 700173@bugs.debian.org (full text, mbox, reply):

hi,

> For further information see:

> [0] http://security-tracker.debian.org/tracker/CVE-2013-0262
> [1] http://security-tracker.debian.org/tracker/CVE-2013-0263

> Please adjust the affected versions in the BTS as needed.

> Note: According to the red hat bugtracker for CVE-2013-0262 only
>       versions after 1.4.x are affected, for CVE-2013-0263 all previous
>       versions. Could you please double check this, and mark
>       accordingly?

With a quick look:

the code which raises CVE-2013-0262 (calculate path depth sequentially)
was introduced in rack-1.4.0. So stable version (librack-ruby 1.1.0-4) is not
affected.

the code which raises CVE-2013-0263 (needs time string comparison)
also affects stable version:
https://github.com/rack/rack/blob/1.1/lib/rack/session/cookie.rb#L49

This bts would have better to be split?

regards,
-- 
KURASHIKI Satoru

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 10 Feb 2013 07:51:04 GMT) (full text, mbox, link).

Message #15 received at 700173@bugs.debian.org (full text, mbox, reply):

Control: clone -1 -2
Control: retitle -1 ruby-rack: CVE-2013-0262: Path sanitization information disclosure
Control: retitle -2 ruby-rack: CVE-2013-0263: Timing attack in cookie sessions

Hi

On Sun, Feb 10, 2013 at 11:14:50AM +0900, Satoru KURASHIKI wrote:
> hi,
> 
> > For further information see:
> 
> > [0] http://security-tracker.debian.org/tracker/CVE-2013-0262
> > [1] http://security-tracker.debian.org/tracker/CVE-2013-0263
> 
> > Please adjust the affected versions in the BTS as needed.
> 
> > Note: According to the red hat bugtracker for CVE-2013-0262 only
> >       versions after 1.4.x are affected, for CVE-2013-0263 all previous
> >       versions. Could you please double check this, and mark
> >       accordingly?
> 
> With a quick look:
> 
> the code which raises CVE-2013-0262 (calculate path depth sequentially)
> was introduced in rack-1.4.0. So stable version (librack-ruby 1.1.0-4) is not
> affected.
> 
> the code which raises CVE-2013-0263 (needs time string comparison)
> also affects stable version:
> https://github.com/rack/rack/blob/1.1/lib/rack/session/cookie.rb#L49
> 
> This bts would have better to be split?

thanks for the analysis! I'm cloning the bug and retitling both
accordingly so that both CVE's can be tracked in separate bugs.

Regards,
Salvatore

Bug 700173 cloned as bug 700226 Request was from Salvatore Bonaccorso <carnil@debian.org> to 700173-submit@bugs.debian.org. (Sun, 10 Feb 2013 07:51:04 GMT) (full text, mbox, link).

Changed Bug title to 'ruby-rack: CVE-2013-0263: Timing attack in cookie sessions' from 'ruby-rack: CVE-2013-0262 and CVE-2013-0263' Request was from Salvatore Bonaccorso <carnil@debian.org> to 700173-submit@bugs.debian.org. (Sun, 10 Feb 2013 07:51:05 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#700226; Package src:ruby-rack. (Mon, 11 Feb 2013 04:27:05 GMT) (full text, mbox, link).

Acknowledgement sent to Satoru KURASHIKI <lurdan@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 11 Feb 2013 04:27:05 GMT) (full text, mbox, link).

Message #24 received at 700226@bugs.debian.org (full text, mbox, reply):

hi,
(CC: pkg-ruby-extras-maintainers)

I've contacted Youhei SASAKI (maintainer of ruby-rack, successor of
librack-ruby),
and acknowledged about preparing NMU for this bug.

Please audit this patch, after that I will prepare NMU for squeeze.
(and after that t-p-u, unstable, ...)

On Sun, Feb 10, 2013 at 4:49 PM, Salvatore Bonaccorso <carnil@debian.org> wrote:

>> > [1] http://security-tracker.debian.org/tracker/CVE-2013-0263

>> the code which raises CVE-2013-0263 (needs time string comparison)
>> also affects stable version:
>> https://github.com/rack/rack/blob/1.1/lib/rack/session/cookie.rb#L49

This issue was already fixed in upstream HEAD, so I backport that commit with
file adjustment for old code base.

https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11

prepared patch as follows:

--- a/lib/rack/session/cookie.rb        2013-02-11 01:54:07.291302061 +0000
+++ b/lib/rack/session/cookie.rb        2013-02-11 01:55:10.135303555 +0000
@@ -46,7 +46,7 @@

         if @secret && session_data
           session_data, digest = session_data.split("--")
-          session_data = nil  unless digest == generate_hmac(session_data)
+          session_data = nil  unless
Rack::Utils.secure_compare(digest, generate_hmac(session_data))
         end

         begin
--- a/lib/rack/utils.rb 2013-02-11 01:55:45.791304402 +0000
+++ b/lib/rack/utils.rb 2013-02-11 01:56:43.395305772 +0000
@@ -234,6 +234,18 @@
     end
     module_function :bytesize

+    # Constant time string comparison.
+    def secure_compare(a, b)
+      return false unless bytesize(a) == bytesize(b)
+
+      l = a.unpack("C*")
+
+      r, i = 0, -1
+      b.each_byte { |v| r |= v ^ l[i+=1] }
+      r == 0
+    end
+    module_function :secure_compare
+
     # Context allows the use of a compatible middleware at different points
     # in a request handling stack. A compatible middleware must define
     # #context which should take the arguments env and app. The first of which
--- a/test/spec_rack_utils.rb   2013-02-11 01:57:17.383306580 +0000
+++ b/test/spec_rack_utils.rb   2013-02-11 01:58:12.775307896 +0000
@@ -205,6 +205,11 @@
     Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
   end

+  specify "should perform constant time string comparison" do
+    Rack::Utils.secure_compare('a', 'a').should.equal true
+    Rack::Utils.secure_compare('a', 'b').should.equal false
+  end
+
   specify "should return status code for integer" do
     Rack::Utils.status_code(200).should.equal 200
   end

regards,
-- 
KURASHIKI Satoru

Reply sent to Nobuhiro Iwamatsu <iwamatsu@nigauri.org>:
You have taken responsibility. (Wed, 27 Feb 2013 23:00:03 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 27 Feb 2013 23:00:03 GMT) (full text, mbox, link).

Message #29 received at 700226-done@bugs.debian.org (full text, mbox, reply):

Source: ruby-rack
Version: 1.4.1-2.1

Hi,

This bug was closed in 1.4.1-2.1.

Best regards,
  Nobuhiro

-- 
Nobuhiro Iwamatsu
   iwamatsu at {nigauri.org / debian.org}
   GPG ID: 40AD1FA6

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#700226; Package src:ruby-rack. (Thu, 07 Mar 2013 11:21:05 GMT) (full text, mbox, link).

Acknowledgement sent to Satoru KURASHIKI <lurdan@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 07 Mar 2013 11:21:05 GMT) (full text, mbox, link).

Message #34 received at 700226@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

dear security team,

On Mon, Feb 11, 2013 at 1:24 PM, Satoru KURASHIKI <lurdan@gmail.com> wrote:
> I've contacted Youhei SASAKI (maintainer of ruby-rack, successor of
> librack-ruby),
> and acknowledged about preparing NMU for this bug.
>
> Please audit this patch, after that I will prepare NMU for squeeze.
> (and after that t-p-u, unstable, ...)

I've created a NMU debdiff for stable, which includes these fixes:
#698440 (CVE-2013-0184)
#700226 (CVE-2013-0263)

These are already applied in unstable/testing.

Please consider to update stable version of librack-ruby with
attached debdiff to close those CVE issues.

regards,
-- 
KURASHIKI Satoru

[librack-ruby_s-p-u.debdiff (application/octet-stream, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Apr 2013 07:26:34 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:26:33 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

ruby-rack: CVE-2013-0263: Timing attack in cookie sessions

Debian Bug report logs - #700226
ruby-rack: CVE-2013-0263: Timing attack in cookie sessions

Vulmon Search

About

Products

Connect

ruby-rack: CVE-2013-0263: Timing attack in cookie sessions

Debian Bug report logs - #700226 ruby-rack: CVE-2013-0263: Timing attack in cookie sessions

Vulmon Search

About

Products

Connect

Debian Bug report logs - #700226
ruby-rack: CVE-2013-0263: Timing attack in cookie sessions