Bug 909071 (CVE-2013-0263) - CVE-2013-0263 rubygem-rack: Timing attack in cookie sessions
Summary: CVE-2013-0263 rubygem-rack: Timing attack in cookie sessions
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-0263
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 909085 909087 909088 909091 909092 909093 909094 995669
Blocks: 909084
TreeView+ depends on / blocked
 
Reported: 2013-02-08 07:49 UTC by Kurt Seifried
Modified: 2019-09-29 13:00 UTC (History)
27 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-15 04:19:21 UTC

Attachments (Terms of Use)
Modified patch for rack 1.3.0 (2.04 KB, patch)
2013-02-11 19:53 UTC, Brenton Leanhardt 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Novell 802794 0 None None None 2019-02-18 21:20:44 UTC
Red Hat Product Errata RHSA-2013:0638 0 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Enterprise 1.1.2 update 2013-03-12 21:57:36 UTC
Red Hat Product Errata RHSA-2013:0686 0 normal SHIPPED_LIVE Moderate: Subscription Asset Manager 1.2.1 update 2013-03-26 23:16:44 UTC

Description Kurt Seifried 2013-02-08 07:49:07 UTC 
James Tucker (raggi) reports:

CVE: CVE-2013-0263
Software: Rack (rack.github.com)
Type of vulnerability: Timing attack, leading to potential RCE

Vulnerable code:
https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L149
Patch:
https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11

Versions affected: All prior versions.
Versions fixed: 1.1.6, 1.2.8, 1.3.10, 1.4.5, 1.5.2
Reporter: Ben Murphy

Reference:
http://seclists.org/oss-sec/2013/q1/271
Comment 1 Kurt Seifried 2013-02-08 08:19:54 UTC 
Created rubygem-rack tracking bugs for this issue

Affects: epel-all [bug 909088]
Comment 2 Kurt Seifried 2013-02-08 08:20:34 UTC 
Created rubygem-rack tracking bugs for this issue

Affects: fedora-all [bug 909091]
Comment 6 Brenton Leanhardt 2013-02-11 19:53:25 UTC 
Created attachment 696259 [details]
Modified patch for rack 1.3.0

I had to backport the digest_match? and secure_compare functions.  It's pretty trivial.
Comment 7 John Eckersberg 2013-02-15 18:39:22 UTC 
Upstream commits for rack 1.3 are:

https://github.com/rack/rack/commit/feea59c1abacd455c222bfee67541b1078378929
https://github.com/rack/rack/commit/26c8500e9c49a0e625e1bd8d7158cabdfa2e17ae
Comment 8 errata-xmlrpc 2013-03-12 17:59:20 UTC 
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0638 https://rhn.redhat.com/errata/RHSA-2013-0638.html
Comment 9 errata-xmlrpc 2013-03-26 19:18:10 UTC 
This issue has been addressed in following products:

  Red Hat Subscription Asset Manager 1.2

Via RHSA-2013:0686 https://rhn.redhat.com/errata/RHSA-2013-0686.html
Comment 10 Fedora Update System 2013-05-07 18:29:03 UTC 
rubygem-rack-1.4.0-4.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2013-05-07 18:32:38 UTC 
rubygem-rack-1.4.0-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Kurt Seifried 2013-07-26 06:21:25 UTC 
The Red Hat Security Response Team has rated this issue as having moderate security impact in CloudForms 1.1. This issue is not currently planned to be addressed in future updates.
Note You need to log in before you can comment on or make changes to this bug.