!47 [sync] PR-46: fix CVE-2021-34337

From: @openeuler-sync-bot Reviewed-by: @caodongxia Signed-off-by: @caodongxia
2022-10-18 01:37:05 +00:00 · 2022-10-18 01:37:05 +00:00 · 46cd6356ed
commit 46cd6356ed
parent f5043cc4e2 858e7ede1e
2 changed files with 49 additions and 1 deletions
--- a/CVE-2021-34337.patch
+++ b/CVE-2021-34337.patch
@ -0,0 +1,44 @@
+From e4a39488c4510fcad8851217f10e7337a196bb51 Mon Sep 17 00:00:00 2001
+From: Kunal Mehta <legoktm@debian.org>
+Date: Tue, 8 Jun 2021 00:54:14 -0400
+Subject: [PATCH] Check the REST API password in a way that is resistant to
+ timing attacks (CVE-2021-34337)
+
+Using basic string equality is vulnerable to timing attacks as it will
+short circuit at the first wrong character. Using hmac.compare_digest
+avoids that issue and will take the same time, regardless of whether
+the value is correct or not.
+
+This is only exploitable if an attacker can talk directly to the
+REST API, which by default is bound to localhost.
+
+Fixes #911.
+---
+ src/mailman/rest/wsgiapp.py | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/mailman/rest/wsgiapp.py b/src/mailman/rest/wsgiapp.py
+index 14d9a4e03..ab5be448d 100644
+--- a/src/mailman/rest/wsgiapp.py
+++ b/src/mailman/rest/wsgiapp.py
+@@ -18,6 +18,7 @@
+ """Basic WSGI Application object for REST server."""
+ 
+ import re
+import hmac
+ import logging
+ 
+ from base64 import b64decode
+@@ -55,7 +56,8 @@ class Middleware:
+             credentials = b64decode(request.auth[6:]).decode('utf-8')
+             username, password = credentials.split(':', 1)
+             if (username == config.webservice.admin_user and
+-                    password == config.webservice.admin_pass):
+                    hmac.compare_digest(
+                        password, config.webservice.admin_pass)):
+                 authorized = True
+         if not authorized:
+             # Not authorized.
+-- 
+GitLab
+
--- a/mailman.spec
+++ b/mailman.spec
@ -7,7 +7,7 @@

 Name:                mailman
 Version:             3.3.2
-Release:             4
+Release:             5
 Epoch:               3
 Summary:             The GNU mailing list manager
 License:             GPLv3
@ -23,6 +23,7 @@ Patch11:             mailman-subject-prefix.patch
 Patch14:             mailman-use-either-importlib_resources-or-directly-importlib.patch
 Patch15:             fixbuilderror-1.patch
 Patch16:             fixbuilderror-2.patch
+Patch17:	     CVE-2021-34337.patch
 BuildArch:           noarch
 BuildRequires:       glibc-langpack-en
 BuildRequires:       python%{python3_pkgversion}-devel >= 3.5 python%{python3_pkgversion}-setuptools
@ -204,6 +205,9 @@ done
 %{_datadir}/selinux/*/mailman3.pp

 %changelog
+* Sun Oct 09 2022 liyuxiang <liyuxiang@ncti-gba.cn> - 3:3.3.2-5
+- fix CVE-2021-34337
+
 * Thu Jan 13 2022 liwu <liwu13@huawei.com> - 3.3.2-4
 - fix build error