From 858e7ede1e7c4f64b68781658b5fd79b00938222 Mon Sep 17 00:00:00 2001
From: liyuxiang
Date: Tue, 11 Oct 2022 15:49:39 +0800
Subject: [PATCH] CVE-2021-34337

(cherry picked from commit 2eecd407d6c521bcd82a546a98dc2e819c390a0a)
---
 CVE-2021-34337.patch | 44 ++++++++++++++++++++++++++++++++++++++++++++
 mailman.spec | 6 +++++-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-34337.patch

diff --git a/CVE-2021-34337.patch b/CVE-2021-34337.patch
new file mode 100644
index 0000000..11d0194
--- /dev/null
+++ b/CVE-2021-34337.patch
@@ -0,0 +1,44 @@
+From e4a39488c4510fcad8851217f10e7337a196bb51 Mon Sep 17 00:00:00 2001
+From: Kunal Mehta
+Date: Tue, 8 Jun 2021 00:54:14 -0400
+Subject: [PATCH] Check the REST API password in a way that is resistant to
+ timing attacks (CVE-2021-34337)
+
+Using basic string equality is vulnerable to timing attacks as it will
+short circuit at the first wrong character. Using hmac.compare_digest
+avoids that issue and will take the same time, regardless of whether
+the value is correct or not.
+
+This is only exploitable if an attacker can talk directly to the
+REST API, which by default is bound to localhost.
+
+Fixes #911.
+---
+ src/mailman/rest/wsgiapp.py | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/mailman/rest/wsgiapp.py b/src/mailman/rest/wsgiapp.py
+index 14d9a4e03..ab5be448d 100644
+--- a/src/mailman/rest/wsgiapp.py
++++ b/src/mailman/rest/wsgiapp.py
+@@ -18,6 +18,7 @@
+ """Basic WSGI Application object for REST server."""
+ 
+ import re
++import hmac
+ import logging
+ 
+ from base64 import b64decode
+@@ -55,7 +56,8 @@ class Middleware:
+ credentials = b64decode(request.auth[6:]).decode('utf-8')
+ username, password = credentials.split(':', 1)
+ if (username == config.webservice.admin_user and
+- password == config.webservice.admin_pass):
++ hmac.compare_digest(
++ password, config.webservice.admin_pass)):
+ authorized = True
+ if not authorized:
+ # Not authorized.
+--
+GitLab
+
diff --git a/mailman.spec b/mailman.spec
index b8b69da..9a18726 100644
--- a/mailman.spec
+++ b/mailman.spec
@@ -7,7 +7,7 @@ Name: mailman
 Version: 3.3.2
-Release: 4
+Release: 5
 Epoch: 3
 Summary: The GNU mailing list manager
 License: GPLv3
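Review bot: `hmac.compare_digest` accepts `str` operands only when both are pure ASCII, so the new comparison in the `Middleware` hunk raises `TypeError` the moment a client sends a Basic-auth password containing any non-ASCII character, which the `.decode('utf-8')` on the context line above explicitly permits; a wrong credential then becomes an unhandled exception instead of reaching the `if not authorized` branch, and the same happens on every request if `config.webservice.admin_pass` itself is non-ASCII. Comparing encoded bytes removes that failure mode without weakening the constant-time property: `hmac.compare_digest(password.encode('utf-8'), config.webservice.admin_pass.encode('utf-8'))`. The `username == config.webservice.admin_user` test on the same `if` still short-circuits per character, which is acceptable only if the admin user name is not treated as a secret, a point the commit message does not address. The enclosing method of `Middleware` starts and ends outside the hunk, so whether a caller catches `TypeError` cannot be confirmed here.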
@@ -23,6 +23,7 @@ Patch11: mailman-subject-prefix.patch
 Patch14: mailman-use-either-importlib_resources-or-directly-importlib.patch
 Patch15: fixbuilderror-1.patch
 Patch16: fixbuilderror-2.patch
+Patch17: CVE-2021-34337.patch
 BuildArch: noarch
 BuildRequires: glibc-langpack-en
 BuildRequires: python%{python3_pkgversion}-devel >= 3.5 python%{python3_pkgversion}-setuptools
@@ -204,6 +205,9 @@ done
 %{_datadir}/selinux/*/mailman3.pp
 %changelog
+* Sun Oct 09 2022 liyuxiang - 3:3.3.2-5
+- fix CVE-2021-34337
+
 * Thu Jan 13 2022 liwu - 3.3.2-4
 - fix build error