From fa839232a5ee1188d6054627ade4a8dc709cfcc3 Mon Sep 17 00:00:00 2001
From: liyuxiang
Date: Tue, 11 Oct 2022 15:35:21 +0800
Subject: [PATCH] CVE-2021-34337

---
CVE-2021-34337.patch | 44 ++++++++++++++++++++++++++++++++++++++++++++
mailman.spec | 8 ++++++--
2 files changed, 50 insertions(+), 2 deletions(-)
create mode 100644 CVE-2021-34337.patch

diff --git a/CVE-2021-34337.patch b/CVE-2021-34337.patch
new file mode 100644
index 0000000..11d0194
--- /dev/null
+++ b/CVE-2021-34337.patch
@@ -0,0 +1,44 @@
+From e4a39488c4510fcad8851217f10e7337a196bb51 Mon Sep 17 00:00:00 2001
+From: Kunal Mehta
+Date: Tue, 8 Jun 2021 00:54:14 -0400
+Subject: [PATCH] Check the REST API password in a way that is resistant to
+ timing attacks (CVE-2021-34337)
+
+Using basic string equality is vulnerable to timing attacks as it will
+short circuit at the first wrong character. Using hmac.compare_digest
+avoids that issue and will take the same time, regardless of whether
+the value is correct or not.
+
+This is only exploitable if an attacker can talk directly to the
+REST API, which by default is bound to localhost.
+
+Fixes #911.
+---
+ src/mailman/rest/wsgiapp.py | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/mailman/rest/wsgiapp.py b/src/mailman/rest/wsgiapp.py
+index 14d9a4e03..ab5be448d 100644
+--- a/src/mailman/rest/wsgiapp.py
++++ b/src/mailman/rest/wsgiapp.py
+@@ -18,6 +18,7 @@
+ """Basic WSGI Application object for REST server."""
+ 
+ import re
++import hmac
+ import logging
+ 
+ from base64 import b64decode
+@@ -55,7 +56,8 @@ class Middleware:
+ credentials = b64decode(request.auth[6:]).decode('utf-8')
+ username, password = credentials.split(':', 1)
+ if (username == config.webservice.admin_user and
+- password == config.webservice.admin_pass):
++ hmac.compare_digest(
++ password, config.webservice.admin_pass)):
+ authorized = True
+ if not authorized:
+ # Not authorized.
+--
+GitLab
+
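Review bot: `hmac.compare_digest` raises TypeError when both arguments are `str` and either contains a non-ASCII character, and `password` here is produced by `b64decode(...).decode('utf-8')` a few lines above, so a client that sends a non-ASCII password (or an operator whose `admin_pass` is non-ASCII) turns what should be a 401 into an unhandled exception in the middleware instead of `authorized` staying False. Compare bytes instead: `hmac.compare_digest(password.encode('utf-8'), config.webservice.admin_pass.encode('utf-8'))`. The username check on the preceding context line is still a plain `==` that short-circuits the `and` before the constant-time compare is reached, so response timing can still distinguish a wrong username from a wrong password; that is presumably tolerable given the localhost-bound default the description cites, but it deserves a comment such as `# username is compared with ==; only the password compare is constant-time`. The enclosing Middleware method starts and ends outside this hunk, so I cannot see how `b64decode` or `split` failures on malformed Authorization headers are handled.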
diff --git a/mailman.spec b/mailman.spec
index f46de62..c12119a 100644
--- a/mailman.spec
+++ b/mailman.spec
@@ -7,7 +7,7 @@
 Name: mailman
 Version: 3.3.2
-Release: 7
+Release: 8
 Epoch: 3
 Summary: The GNU mailing list manager
 License: GPLv3
@@ -30,6 +30,7 @@ Patch16: mailman3-test_as_string_python_bug_27321.patch
 Patch17: 0001-fix-tests-assertion-error.patch
 #Refer: https://gitlab.com/mailman/mailman/-/issues/964#note_1001855903
 Patch18: support-sqlalchemy-1-4.patch
+Patch19: CVE-2021-34337.patch
 BuildArch: noarch
 BuildRequires: glibc-langpack-en
 BuildRequires: python%{python3_pkgversion}-devel >= 3.5 python%{python3_pkgversion}-setuptools
@@ -45,7 +46,7 @@ Requires: python%{python3_pkgversion}-dns >= 1.14.0
 Requires: python%{python3_pkgversion}-falcon >= 1.0.0
 Requires: python%{python3_pkgversion}-flufl.bounce
 Requires: python%{python3_pkgversion}-flufl.i18n >= 2.0.1
-Requires: python%{python3_pkgversion}-flufl.lock >= 3.1
+#Requires: python%{python3_pkgversion}-flufl.lock >= 3.1
 Requires: python%{python3_pkgversion}-gunicorn python%{python3_pkgversion}-lazr.config
 Requires: python%{python3_pkgversion}-passlib >= 1.6.0
 Requires: python%{python3_pkgversion}-requests
@@ -211,6 +212,9 @@ done
 %{_datadir}/selinux/*/mailman3.pp
 %changelog
+* Sun Oct 09 2022 liyuxiang - 3:3.3.2-8
+- fix CVE-2021-34337
+
 * Thu Jul 07 2022 wangkai - 3:3.3.2-7
 - Silence sqlalchemy-1.4 warning
--
Gitee
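Review bot: Commenting out `Requires: python%{python3_pkgversion}-flufl.lock >= 3.1` drops a runtime dependency in a commit whose subject and %changelog entry describe only the CVE-2021-34337 backport, and nothing in the diff says why. If the dependency is genuinely obsolete or now satisfied under another package name, record that next to the line, e.g. `# flufl.lock no longer required: <reason / replacement package>`, and mention it in the changelog entry; otherwise restore the line, since a missing lock library would surface only at runtime. Unrelated packaging changes folded into a security backport also make the backport harder to audit and to bisect, so a separate commit would be preferable. Whether the spec's %prep applies Patch19 via %autosetup or an explicit %patch19 is outside this hunk and should be checked.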