Bug 909071 (CVE-2013-0263) - CVE-2013-0263 rubygem-rack: Timing attack in cookie sessions
Summary: CVE-2013-0263 rubygem-rack: Timing attack in cookie sessions
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-0263
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 909088 909085 909087 909091 909092 909093 909094 995669
Blocks: 909084
TreeView+ depends on / blocked
 
Reported: 2013-02-08 07:49 UTC by Kurt Seifried
Modified: 2019-09-29 13:00 UTC (History)
27 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-15 04:19:21 UTC


Attachments (Terms of Use)
Modified patch for rack 1.3.0 (2.04 KB, patch)
2013-02-11 19:53 UTC, Brenton Leanhardt
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0638 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Enterprise 1.1.2 update 2013-03-12 21:57:36 UTC
Novell 802794 None None None 2019-02-18 21:20:44 UTC
Red Hat Product Errata RHSA-2013:0686 normal SHIPPED_LIVE Moderate: Subscription Asset Manager 1.2.1 update 2013-03-26 23:16:44 UTC

Description Kurt Seifried 2013-02-08 07:49:07 UTC
James Tucker (raggi@google.com) reports:

CVE: CVE-2013-0263
Software: Rack (rack.github.com)
Type of vulnerability: Timing attack, leading to potential RCE

Vulnerable code:
https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L149
Patch:
https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11

Versions affected: All prior versions.
Versions fixed: 1.1.6, 1.2.8, 1.3.10, 1.4.5, 1.5.2
Reporter: Ben Murphy

Reference:
http://seclists.org/oss-sec/2013/q1/271

Comment 1 Kurt Seifried 2013-02-08 08:19:54 UTC
Created rubygem-rack tracking bugs for this issue

Affects: epel-all [bug 909088]

Comment 2 Kurt Seifried 2013-02-08 08:20:34 UTC
Created rubygem-rack tracking bugs for this issue

Affects: fedora-all [bug 909091]

Comment 6 Brenton Leanhardt 2013-02-11 19:53:25 UTC
Created attachment 696259 [details]
Modified patch for rack 1.3.0

I had to backport the digest_match? and secure_compare functions.  It's pretty trivial.

Comment 8 errata-xmlrpc 2013-03-12 17:59:20 UTC
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0638 https://rhn.redhat.com/errata/RHSA-2013-0638.html

Comment 9 errata-xmlrpc 2013-03-26 19:18:10 UTC
This issue has been addressed in following products:

  Red Hat Subscription Asset Manager 1.2

Via RHSA-2013:0686 https://rhn.redhat.com/errata/RHSA-2013-0686.html

Comment 10 Fedora Update System 2013-05-07 18:29:03 UTC
rubygem-rack-1.4.0-4.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2013-05-07 18:32:38 UTC
rubygem-rack-1.4.0-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Kurt Seifried 2013-07-26 06:21:25 UTC
The Red Hat Security Response Team has rated this issue as having moderate security impact in CloudForms 1.1. This issue is not currently planned to be addressed in future updates.


Note You need to log in before you can comment on or make changes to this bug.