On Fri, Apr 02, 2010 at 10:23:16PM +0200, Moritz Muehlenhoff wrote:
> Package: couchdb
> Severity: important
> Tags: security
>
> The following advisory was posted to full-disclosure. I don't see
> the security implications, can you tell me what property is being
> attacked here through the timing attack?
>
> Cheers,
> Moritz
Hello Moritz,

I would suggest that you read http://codahale.com/a-lesson-in-timing-attacks/ (from the advisory) for a more in-depth description of this vulnerability.

The basics are that the function CouchDB was using to verify hashes and passwords was doing byte-by-byte comparisons, returning as soon as it found two bytes that didn't match. This means that a malicious user could time the amount of time it takes the function to respond, figuring out how much of the beginning of their request is valid.

Please note that 0.11.0-1, which has a fix for this vulnerability, should be released to unstable this week. Upstream released 0.11.0 about two weeks ago.

Cheers,

--
Sam Bisbee
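To make the property Sam describes concrete, here is an added example (not CouchDB's code, and not from either message) in Python: an early-exit byte comparison of the kind the reply describes next to a constant-time one. Rather than measuring wall-clock time, each function reports how many bytes it examined, which is the quantity a clock would be approximating; the sample "stored hash" and guesses are constructed for the demonstration, and `hmac.compare_digest` is the standard-library constant-time comparison a fix would normally use.

```python
import hmac


def early_exit_equal(a: bytes, b: bytes) -> tuple:
    """Compare byte by byte and stop at the first mismatch (the pattern
    described in the reply). Returns (equal, bytes_examined); the count
    stands in for elapsed time and grows with the length of the matching
    prefix, which is what leaks to a caller who can time the call."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(a: bytes, b: bytes) -> tuple:
    """Always walk every byte and accumulate differences with XOR/OR, so the
    work done does not depend on where the first mismatch is."""
    if len(a) != len(b):
        return False, 0  # digest length is fixed and public, so this branch leaks nothing useful
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def stdlib_equal(a: bytes, b: bytes) -> bool:
    """What to use in practice: the standard library's constant-time compare."""
    return hmac.compare_digest(a, b)


def leak_profile(compare, secret: bytes, guesses) -> list:
    """Work performed by `compare` for each guess. A profile that varies with
    the guess is the signal a timing attack depends on; a flat one is not."""
    return [compare(secret, g)[1] for g in guesses]


if __name__ == "__main__":
    # Constructed sample: a 4-byte "stored hash" and guesses sharing 0..4 leading bytes.
    secret = bytes.fromhex("deadbeef")
    guesses = [bytes.fromhex(h) for h in ("00000000", "de000000", "dead0000", "deadbe00", "deadbeef")]
    print("early-exit   :", leak_profile(early_exit_equal, secret, guesses))    # [1, 2, 3, 4, 4]
    print("constant-time:", leak_profile(constant_time_equal, secret, guesses))  # [4, 4, 4, 4, 4]
```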