[Rt-commit] rt branch 4.4.5-releng updated. rt-4.4.5beta1-2-gf0ae3f3e40

BPS Git Server git at git.bestpractical.com
Tue Sep 14 20:24:51 UTC 2021


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".

The branch, 4.4.5-releng has been updated
       via  f0ae3f3e4058cba2fe076b462b52dd26dfde561e (commit)
       via  b5a7c9decd5287eef6c763c51803b36d590622bf (commit)
      from  7d5a4b69aeaf95843d110ed2f51f4765bfc83eb0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f0ae3f3e4058cba2fe076b462b52dd26dfde561e
Merge: 7d5a4b69ae b5a7c9decd
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Wed Sep 15 04:23:18 2021 +0800

    Merge branch 'security/rt-4.4.4' into 4.4.5-releng


commit b5a7c9decd5287eef6c763c51803b36d590622bf
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Thu Aug 12 06:17:40 2021 +0800

    Security patch for CVE-2021-38562

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index b6ccf6ff7e..69eadc2dd2 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -820,10 +820,18 @@ sub AttemptPasswordAuthentication {
     my $user_obj = RT::CurrentUser->new();
     $user_obj->Load( $ARGS->{user} );
 
+    # Load the RT system user as well to avoid timing side channel
+    my $system_user = RT::CurrentUser->new();
+    $system_user->Load(1);    # User with ID 1 should always exist!
+
     my $m = $HTML::Mason::Commands::m;
 
     my $remote_addr = RequestENV('REMOTE_ADDR');
     unless ( $user_obj->id && $user_obj->IsPassword( $ARGS->{pass} ) ) {
+        if (!$user_obj->id) {
+            # Avoid timing side channel... always run IsPassword
+            $system_user->IsPassword( $ARGS->{pass} );
+        }
         $RT::Logger->error("FAILED LOGIN for @{[$ARGS->{user}]} from $remote_addr");
         $m->callback( %$ARGS, CallbackName => 'FailedLogin', CallbackPage => '/autohandler' );
         return (0, HTML::Mason::Commands::loc('Your username or password is incorrect'));
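Review bot: The fallback in the `if (!$user_obj->id)` branch assumes `$system_user->Load(1)` succeeded, but the load result is never checked, so if the row is ever missing or unloadable the dummy check becomes a method call on an empty object instead of a logged failure. A guard right after the load keeps the assumption in the comment visible at runtime, e.g. `$RT::Logger->error("Could not load user 1 for the constant-time login fallback") unless $system_user->id;`. Whether the dummy `IsPassword` on user 1 burns the same cost as the real comparison also depends on that user's stored password state, which this hunk does not show; a short comment on the load line stating which `IsPassword` branch it is expected to hit would help the next reader. AttemptPasswordAuthentication starts before and continues after this hunk.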
diff --git a/lib/RT/User.pm b/lib/RT/User.pm
index 6c4bc08d82..cdc6393b8e 100644
--- a/lib/RT/User.pm
+++ b/lib/RT/User.pm
@@ -1189,15 +1189,18 @@ sub IsPassword {
     }
 
    if ( $self->PrincipalObj->Disabled ) {
+        # Run the bcrypt generator to avoid timing side-channel attacks
+        RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64);
         $RT::Logger->info(
             "Disabled user " . $self->Name . " tried to log in" );
         return (undef);
     }
 
     unless ($self->HasPassword) {
-        return(undef);
-     }
-
+        # Run the bcrypt generator to avoid timing side-channel attacks
+        RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64);
+        return undef;
+    }
     my $stored = $self->__Value('Password');
     if ($stored =~ /^!/) {
         # If it's a new-style (>= RT 4.0) password, it starts with a '!'
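Review bot: The dummy bcrypt call and its comment are now duplicated verbatim in the `Disabled` and `!HasPassword` branches, and the new branch uses `return undef;` while the one above it keeps `return (undef);`; a small private method would give both branches one place to document why the work is deliberately discarded and keep the return style consistent. Whether `_GeneratePassword_bcrypt` runs with the same cost parameter as the stored-hash comparison further down is not visible here, so the equivalence is presumed rather than shown and worth stating in the helper's comment. The `constant_time_eq` against `'0' x 64` only makes sense as a mirror of the real path, since its result is never used; if that mirroring is intentional, say so. IsPassword starts before and continues after this hunk.
```perl
# Burn the same bcrypt cost as a real comparison so that an unusable
# account does not answer faster than a wrong password. The result is
# intentionally discarded; the comparison is kept only to mirror the
# real path.
sub _RunDummyPasswordCheck {
    my ($self, $value) = @_;
    RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64);
    return;
}

# … unchanged: start of IsPassword …
   if ( $self->PrincipalObj->Disabled ) {
        $self->_RunDummyPasswordCheck($value);
        # … unchanged: log and return (undef) …
    }

    unless ($self->HasPassword) {
        $self->_RunDummyPasswordCheck($value);
        return (undef);
    }
# … unchanged: stored-password comparison …
```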

-----------------------------------------------------------------------

Summary of changes:
 lib/RT/Interface/Web.pm | 8 ++++++++
 lib/RT/User.pm          | 9 ++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

