[Rt-commit] rt branch 5.0.2-releng updated. rt-5.0.2beta1-29-g2427aee24e

BPS Git Server git at git.bestpractical.com
Tue Sep 14 21:23:07 UTC 2021


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".

The branch, 5.0.2-releng has been updated
       via  2427aee24e72ecd5d246edff1400f4daf228dd96 (commit)
       via  15707a38094da49e23559d6cd822abff1521c373 (commit)
       via  70749bb66cb13dd70bd53340c371038a5f3ca57c (commit)
       via  5113dc6350fec859f21f6471534b289261a573e4 (commit)
      from  92ff0e37a080ad3746a5fb8d0c63fddc7328c8bc (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2427aee24e72ecd5d246edff1400f4daf228dd96
Merge: 92ff0e37a0 15707a3809
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Wed Sep 15 05:13:01 2021 +0800

    Merge branch 'security/5.0.2-releng' into 5.0.2-releng


commit 15707a38094da49e23559d6cd822abff1521c373
Merge: 802ae10046 70749bb66c
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Thu Aug 12 06:03:27 2021 +0800

    Merge branch 'security/5.0/timing-side-channel' into security/5.0.2-releng


commit 70749bb66cb13dd70bd53340c371038a5f3ca57c
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Thu Aug 12 05:03:16 2021 +0800

    Always check password to avoid timing side channel attacks in REST2 basic auth
    
    This addresses CVE-2021-38562.

diff --git a/lib/RT/REST2/Middleware/Auth.pm b/lib/RT/REST2/Middleware/Auth.pm
index cb04790385..4fdc7469c8 100644
--- a/lib/RT/REST2/Middleware/Auth.pm
+++ b/lib/RT/REST2/Middleware/Auth.pm
@@ -132,10 +132,19 @@ sub login_from_basicauth {
         my($user, $pass) = split /:/, (MIME::Base64::decode($1) || ":"), 2;
         my $cu = RT::CurrentUser->new;
         $cu->Load($user);
+
+        # Load the RT system user as well to avoid timing side channel
+        my $system_user = RT::CurrentUser->new();
+        $system_user->Load(1);    # User with ID 1 should always exist!
+
         if ($cu->id and $cu->IsPassword($pass)) {
             return $cu;
         }
         else {
+            if (!$cu->id) {
+                # Avoid timing side channel... always run IsPassword
+                $system_user->IsPassword($pass);
+            }
             RT->Logger->info("Failed login for $user");
             return;
         }
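Review bot: The dummy `$system_user->IsPassword($pass)` only equalizes timing if `RT::User::IsPassword` spends the bcrypt cost for an account that has no stored password, which is true only together with the `lib/RT/User.pm` change in this same push, yet neither site names that coupling. The comment should state the dependency and the intent, e.g. `# Unknown user: burn the same bcrypt cost a real check would (relies on the no-password path in RT::User::IsPassword) so the response time matches a wrong-password attempt; result intentionally discarded`, since the present "always run IsPassword" is slightly off — the call runs only when `$cu->id` is false, the real check having already run otherwise. `$system_user->Load(1)` is assumed to succeed; what IsPassword does on an unloaded object is not visible here, so if ID 1 can ever be absent that deserves a guard or at least a note. The same applies to the `AttemptPasswordAuthentication` hunk in lib/RT/Interface/Web.pm; login_from_basicauth starts outside this hunk.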

commit 5113dc6350fec859f21f6471534b289261a573e4
Author: Dianne Skoll <dianne at bestpractical.com>
Date:   Fri Jan 15 09:15:20 2021 -0500

    Always check password to avoid timing side channel attacks on login page
    
    This addresses CVE-2021-38562.

diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
index 859ceacd40..9e18df4afa 100644
--- a/lib/RT/Interface/Web.pm
+++ b/lib/RT/Interface/Web.pm
@@ -842,10 +842,18 @@ sub AttemptPasswordAuthentication {
     my $user_obj = RT::CurrentUser->new();
     $user_obj->Load( $ARGS->{user} );
 
+    # Load the RT system user as well to avoid timing side channel
+    my $system_user = RT::CurrentUser->new();
+    $system_user->Load(1);    # User with ID 1 should always exist!
+
     my $m = $HTML::Mason::Commands::m;
 
     my $remote_addr = RequestENV('REMOTE_ADDR');
     unless ( $user_obj->id && $user_obj->IsPassword( $ARGS->{pass} ) ) {
+        if (!$user_obj->id) {
+            # Avoid timing side channel... always run IsPassword
+            $system_user->IsPassword( $ARGS->{pass} );
+        }
         $RT::Logger->error("FAILED LOGIN for @{[$ARGS->{user}]} from $remote_addr");
         $m->callback( %$ARGS, CallbackName => 'FailedLogin', CallbackPage => '/autohandler' );
         return (0, HTML::Mason::Commands::loc('Your username or password is incorrect'));
diff --git a/lib/RT/User.pm b/lib/RT/User.pm
index a83b00ac6e..5c794cb5cb 100644
--- a/lib/RT/User.pm
+++ b/lib/RT/User.pm
@@ -1237,15 +1237,18 @@ sub IsPassword {
     }
 
    if ( $self->PrincipalObj->Disabled ) {
+        # Run the bcrypt generator to avoid timing side-channel attacks
+        RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64);
         $RT::Logger->info(
             "Disabled user " . $self->Name . " tried to log in" );
         return (undef);
     }
 
     unless ($self->HasPassword) {
-        return(undef);
-     }
-
+        # Run the bcrypt generator to avoid timing side-channel attacks
+        RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64);
+        return undef;
+    }
     my $stored = $self->__Value('Password');
     if ($stored =~ /^!/) {
         # If it's a new-style (>= RT 4.0) password, it starts with a '!'
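Review bot: The dummy hash line is duplicated verbatim in the Disabled and no-password branches, called in void context with the `'0' x 64` operand existing only to give `constant_time_eq` something to compare; a small private helper would keep the two sites in step and give the intent a name instead of a repeated comment. Parity with a real verification holds only if `_GeneratePassword_bcrypt($value)` uses the same cost as the stored hashes (presumably its default, worth confirming), and the legacy non-`!` path below the hunk is presumably cheaper than bcrypt, so accounts still on old-style hashes may remain distinguishable — out of scope here, but a `# TODO` would record it. The new `return undef;` also differs from the `return (undef)` a few lines above; pick one form. IsPassword starts and ends outside this hunk.
```perl
    if ( $self->PrincipalObj->Disabled ) {
        $self->_BurnPasswordCheckTime($value);
        # … unchanged: "Disabled user ... tried to log in" log, return (undef) …
    }

    unless ($self->HasPassword) {
        $self->_BurnPasswordCheckTime($value);
        return undef;
    }
    # … unchanged: remainder of IsPassword …

# Spend the bcrypt work a real verification would, so a disabled or
# password-less account is not distinguishable from a wrong password by
# response time.  The comparison result is intentionally discarded.
sub _BurnPasswordCheckTime {
    my ($self, $value) = @_;
    RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64);
    return;
}
```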

-----------------------------------------------------------------------

Summary of changes:
 lib/RT/Interface/Web.pm         | 8 ++++++++
 lib/RT/REST2/Middleware/Auth.pm | 9 +++++++++
 lib/RT/User.pm                  | 9 ++++++---
 3 files changed, 23 insertions(+), 3 deletions(-)


hooks/post-receive
-- 
rt

