Your message dated Sun, 30 Apr 2017 07:48:48 +0000
with message-id <e1d4jb6-000ckk...@fasolo.debian.org>
and subject line Bug#861514: fixed in radicale 1.1.1+20160115-4
has caused the Debian Bug report #861514,
regarding radicale: htpasswd authentication vulnerable to timing-based bruteforce attacks
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
861514: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861514
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: radicale
Version: 2.0.0~rc1-1
Severity: grave
Tags: security patch
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Upstream has issued a security release:

> Add a random timer to avoid timing oracles and simple bruteforce
> attacks when using the htpasswd authentication method.

Actual patch:

commit 190b1dd795f0c552a4992445a231da760211183b
Author: Guillaume Ayoub <guillaume.ay...@kozea.fr>
Date:   Wed Apr 19 14:02:51 2017 +0200

    Random timer to avoid timing oracles and simple bruteforce attacks
    
    Important note: this is a security fix.

diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py
index 2c73f23..7cd7342 100644
- --- a/radicale/auth/htpasswd.py
+++ b/radicale/auth/htpasswd.py
@@ -56,7 +56,8 @@ following significantly more secure schemes are parsable by 
Radicale:
 import base64
 import hashlib
 import os
- -
+import random
+import time
 
 from .. import config
 
@@ -161,7 +162,10 @@ def is_authenticated(user, password):
             if strippedline:
                 login, hash_value = strippedline.split(":")
                 if login == user:
- -                    # Allow encryption method to be overridden at runtime.
- -                    return _verifuncs[ENCRYPTION](hash_value, password)
+                    if _verifuncs[ENCRYPTION](hash_value, password):
+                        # Allow encryption method to be overridden at runtime.
+                        return True
+    # Random timer to avoid timing oracles and simple bruteforce attacks
+    time.sleep(1 + random.random())
     return False
 
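Review bot: the restructured loop changes authentication semantics, not just timing. Before, the first line with `login == user` decided the result (`return _verifuncs[ENCRYPTION](hash_value, password)`); now a failed verification for that login falls through and scanning continues, so a later duplicate entry for the same login can authenticate. If that is not intended, add a `break` after the failed check or document the new behaviour. Two smaller points in the same hunk: the comment "Allow encryption method to be overridden at runtime." was moved next to `return True`, where it no longer describes the `_verifuncs[ENCRYPTION]` call it refers to, and `time.sleep(1 + random.random())` runs only on the failure path and blocks the handling thread for 1 to 2 seconds, so cheap failed logins can tie up workers (a denial-of-service angle worth weighing against a per-source attempt limit). The jitter also only masks, rather than removes, the difference between "user not in file" (no hash computed) and "wrong password" (hash computed); uniform noise averages out over many samples, so the oracle itself is best fixed by a constant-time comparison inside the verification functions.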


 - Jonas

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message ---
Source: radicale
Source-Version: 1.1.1+20160115-4

We believe that the bug you reported is fixed in the latest version of
radicale, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <d...@jones.dk> (supplier of updated radicale package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 30 Apr 2017 09:14:16 +0200
Source: radicale
Binary: radicale python-radicale python3-radicale
Architecture: source
Version: 1.1.1+20160115-4
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <d...@jones.dk>
Changed-By: Jonas Smedegaard <d...@jones.dk>
Description:
 python-radicale - simple calendar and addressbook server - python2 module
 python3-radicale - simple calendar and addressbook server - python3 module
 radicale   - simple calendar and addressbook server - daemon
Closes: 861514
Changes:
 radicale (1.1.1+20160115-4) unstable; urgency=high
 .
   * Add patch cherry-picked upstream to fix Python3 compatibility of
     ssha part of htpasswd.
   * Add patch cherry-picked upstream to fix security bug: Add delay in
     htpasswd authentication.
     Closes: Bug#861514.
Checksums-Sha1:
 1f0632d8a95f71ddc4d76aeee1f2d4561ac8e758 2304 radicale_1.1.1+20160115-4.dsc
 3010489685a259cc8c6011157e45be6f31f48cf3 24936 radicale_1.1.1+20160115-4.debian.tar.xz
 4c5d5716622322ebb7a06159c2797cc9461436a4 8469 radicale_1.1.1+20160115-4_amd64.buildinfo
Checksums-Sha256:
 8035b87358fff93251e9dcb0fd430aa5a715bd420e762981e69a55f01e61e6f5 2304 radicale_1.1.1+20160115-4.dsc
 65daa297f1a8a5deadbf44eb0af82dfaaba21c683d4f9084e7043db6d4eff3b3 24936 radicale_1.1.1+20160115-4.debian.tar.xz
 5a171798d516070373a7de99a23e9911aee93469debbf609697d6becee5deba4 8469 radicale_1.1.1+20160115-4_amd64.buildinfo
Files:
 cfb58bf3abcb51508a87406afb213ec3 2304 web optional radicale_1.1.1+20160115-4.dsc
 0641b73a7a4cb84724050ab399c92e6f 24936 web optional radicale_1.1.1+20160115-4.debian.tar.xz
 e6daa07337bfca7416a27a3d419010ba 8469 web optional radicale_1.1.1+20160115-4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
