Bug 909071 - (CVE-2013-0263) CVE-2013-0263 rubygem-rack: Timing attack in cookie sessions
CVE-2013-0263 rubygem-rack: Timing attack in cookie sessions
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130208,repor...
: Security
Depends On: 909088 909085 909087 909091 909092 909093 909094 995669
Blocks: 909084
  Show dependency treegraph
 
Reported: 2013-02-08 02:49 EST by Kurt Seifried
Modified: 2015-08-21 17:18 EDT (History)
27 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-03-15 00:19:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Modified patch for rack 1.3.0 (2.04 KB, patch)
2013-02-11 14:53 EST, Brenton Leanhardt
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Novell 802794 None None None Never

  None (edit)
Description Kurt Seifried 2013-02-08 02:49:07 EST
James Tucker (raggi@google.com) reports:

CVE: CVE-2013-0263
Software: Rack (rack.github.com)
Type of vulnerability: Timing attack, leading to potential RCE

Vulnerable code:
https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L149
Patch:
https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11

Versions affected: All prior versions.
Versions fixed: 1.1.6, 1.2.8, 1.3.10, 1.4.5, 1.5.2
Reporter: Ben Murphy

Reference:
http://seclists.org/oss-sec/2013/q1/271
Comment 1 Kurt Seifried 2013-02-08 03:19:54 EST
Created rubygem-rack tracking bugs for this issue

Affects: epel-all [bug 909088]
Comment 2 Kurt Seifried 2013-02-08 03:20:34 EST
Created rubygem-rack tracking bugs for this issue

Affects: fedora-all [bug 909091]
Comment 6 Brenton Leanhardt 2013-02-11 14:53:25 EST
Created attachment 696259 [details]
Modified patch for rack 1.3.0

I had to backport the digest_match? and secure_compare functions.  It's pretty trivial.
Comment 8 errata-xmlrpc 2013-03-12 13:59:20 EDT
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0638 https://rhn.redhat.com/errata/RHSA-2013-0638.html
Comment 9 errata-xmlrpc 2013-03-26 15:18:10 EDT
This issue has been addressed in following products:

  Red Hat Subscription Asset Manager 1.2

Via RHSA-2013:0686 https://rhn.redhat.com/errata/RHSA-2013-0686.html
Comment 10 Fedora Update System 2013-05-07 14:29:03 EDT
rubygem-rack-1.4.0-4.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2013-05-07 14:32:38 EDT
rubygem-rack-1.4.0-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Kurt Seifried 2013-07-26 02:21:25 EDT
The Red Hat Security Response Team has rated this issue as having moderate security impact in CloudForms 1.1. This issue is not currently planned to be addressed in future updates.

Note You need to log in before you can comment on or make changes to this bug.