Bug 909071 (CVE-2013-0263)

Summary: CVE-2013-0263 rubygem-rack: Timing attack in cookie sessions
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bkabrda, bkearney, bleanhar, ccoleman, cpelland, dajohnso, dmcphers, iboverma, jeckersb, jialiu, jlieskov, jneedle, jomara, katello-bugs, katello-internal, lmeyer, mastahnke, mcressma, mmccune, mmorsi, morazi, mrg-program-list, msuchy, sclewis, tkramer, vanmeeuwen+fedora, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-15 04:19:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 909085, 909087, 909088, 909091, 909092, 909093, 909094, 995669    
Bug Blocks: 909084    
Attachments:
Description Flags
Modified patch for rack 1.3.0 none

Description Kurt Seifried 2013-02-08 07:49:07 UTC 
James Tucker (raggi) reports:

CVE: CVE-2013-0263
Software: Rack (rack.github.com)
Type of vulnerability: Timing attack, leading to potential RCE

Vulnerable code:
https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L149
Patch:
https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11

Versions affected: All prior versions.
Versions fixed: 1.1.6, 1.2.8, 1.3.10, 1.4.5, 1.5.2
Reporter: Ben Murphy

Reference:
http://seclists.org/oss-sec/2013/q1/271
Comment 1 Kurt Seifried 2013-02-08 08:19:54 UTC 
Created rubygem-rack tracking bugs for this issue

Affects: epel-all [bug 909088]
Comment 2 Kurt Seifried 2013-02-08 08:20:34 UTC 
Created rubygem-rack tracking bugs for this issue

Affects: fedora-all [bug 909091]
Comment 6 Brenton Leanhardt 2013-02-11 19:53:25 UTC 
Created attachment 696259 [details]
Modified patch for rack 1.3.0

I had to backport the digest_match? and secure_compare functions.  It's pretty trivial.
Comment 7 John Eckersberg 2013-02-15 18:39:22 UTC 
Upstream commits for rack 1.3 are:

https://github.com/rack/rack/commit/feea59c1abacd455c222bfee67541b1078378929
https://github.com/rack/rack/commit/26c8500e9c49a0e625e1bd8d7158cabdfa2e17ae
Comment 8 errata-xmlrpc 2013-03-12 17:59:20 UTC 
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0638 https://rhn.redhat.com/errata/RHSA-2013-0638.html
Comment 9 errata-xmlrpc 2013-03-26 19:18:10 UTC 
This issue has been addressed in following products:

  Red Hat Subscription Asset Manager 1.2

Via RHSA-2013:0686 https://rhn.redhat.com/errata/RHSA-2013-0686.html
Comment 10 Fedora Update System 2013-05-07 18:29:03 UTC 
rubygem-rack-1.4.0-4.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2013-05-07 18:32:38 UTC 
rubygem-rack-1.4.0-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Kurt Seifried 2013-07-26 06:21:25 UTC 
The Red Hat Security Response Team has rated this issue as having moderate security impact in CloudForms 1.1. This issue is not currently planned to be addressed in future updates.