Bug 2355663 (CVE-2024-13939)

Summary: CVE-2024-13939 String-Compare-ConstantTime: String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ppisar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in String::Compare::ConstantTime for Perl through 0.321, which is vulnerable to timing attacks. This vulnerability allows an attacker to guess the length of a secret string. As stated in the documentation: "If the lengths of the strings are different because equals returns false right away, the size of the secret string may be leaked (but not its contents)." This issue is similar to CVE-2020-36829.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2355705, 2355704    
Bug Blocks:    

Description OSIDB Bzimport 2025-03-28 03:01:41 UTC 
String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string.

As stated in the documentation: "If the lengths of the strings are different, because equals returns false right away the size of the secret string may be leaked (but not its contents)."

This is similar to CVE-2020-36829
Comment 2 Petr Pisar 2025-03-28 12:00:04 UTC 
I think this is not bug because it's a documented behavior. Though I understand that it's desirable to improve the code to remove that problematic feature.
Comment 3 Petr Pisar 2025-04-01 15:09:35 UTC 
I sent a fix upstream <https://github.com/hoytech/String-Compare-ConstantTime/pull/21>.
Comment 4 Fedora Update System 2025-04-17 19:01:23 UTC 
FEDORA-2025-ce51c124a5 (perl-String-Compare-ConstantTime-0.321-22.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 5 Fedora Update System 2025-04-17 19:33:29 UTC 
FEDORA-2025-e6f5710dba (perl-String-Compare-ConstantTime-0.321-19.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 6 Fedora Update System 2025-04-17 19:48:00 UTC 
FEDORA-2025-5d61874568 (perl-String-Compare-ConstantTime-0.321-21.fc41) has been pushed to the Fedora 41 stable repository.
If problem still persists, please make note of it in this bug report.