
This queue is for tickets about the User-Simple CPAN distribution.

Report information
The Basics
Id: 41583
Status: resolved
Priority: 0/
Queue: User-Simple

People
Owner: Nobody in particular
Requestors: dmn [...] debian.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: session id: highly predictable and collisions-prone
Date: Wed, 10 Dec 2008 08:59:32 +0200
To: bug-User-Simple [...] rt.cpan.org
From: Damyan Ivanov <dmn [...] debian.org>
Hi Gunnar,

I know you'll read this via the Debian channels too, but here it is, documenting the issue also in RT.

----- Forwarded message from "Eugene V. Lyubimkin" <jackyf.devel@gmail.com> -----

From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
X-Mailer: reportbug 3.47
Date: Tue, 09 Dec 2008 23:15:59 +0200
Subject: Bug#508312: libuser-simple-perl: session id: highly predictable and collisions-prone
Reply-To: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>, 508312@bugs.debian.org

Package: libuser-simple-perl
Version: 1.40-1
Severity: important
Tags: security, patch

The session id computed by this package is just the md5 of the unix timestamp at the call moment. Thus, this session id can be simply brute-forced by an attacker if he knows the user's authorization time approximately. And this also means that two happy users who authorize in the same second will have the identical session id.

I would suggest adding login and password to the timestamp, and only then doing md5(...) (can be considered the simplest patch :)); this approach will fix the problems mentioned above.

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-rc7jackyf (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libuser-simple-perl depends on:
ii  libdate-calc-perl  5.4-5+b1   Perl library for accessing dates
ii  libdbi-perl        1.607-1    Perl5 database interface by Tim Bu
ii  perl               5.10.0-18  Larry Wall's Practical Extraction

libuser-simple-perl recommends no packages.

libuser-simple-perl suggests no packages.

-- no debconf information

----- End forwarded message -----

What I can add to this is that including the login and the password in the hash seems right. I'd also add a bit of randomness, using rand().

If you don't have time to fix this, please tell me what would be the preferred way, so I can prepare a patch for you.

--
dam
JabberID: dam@jabber.minus273.org

On Wed Dec 10 02:00:13 2008, dmn@debian.org wrote:

> Hi Gunnar,
>
> I know you'll read this via the Debian channels too, but here it is,
> documenting the issue also in RT.

Ok, if you talk to me as an upstream, I will reply as an upstream would ;-) Only that I won't lose a bit of respect for your work.

> The session id computed by this package is just the md5 of the unix timestamp at
> the call moment. Thus, this session id can be simply brute-forced by an
> attacker if he knows the user's authorization time approximately. And this
> also means that two happy users who authorize in the same second
> will have the identical session id.
>
> I would suggest adding login and password to the timestamp, and only then
> doing md5(...) (can be considered the simplest patch :)); this approach
> will fix the problems mentioned above.
This is _almost_ true - I also mix the user ID into the equation (so same-second sessions will not clash). Anyway, I don't know why I didn't add a bit of randomness to the mix. Adding it now.
Oops. In fact, you are right. The ID is just called to set the row. Anyway, the patch is done, will upload right away. Both to CPAN and to Debian, of course.
Fixed in 1.42, just uploaded.
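The weakness the report describes and a hardened replacement, as an added Python example that is not code from User-Simple (the module itself is Perl): a timestamp-only id beside one drawn from the OS CSPRNG, plus a small session store that refuses a colliding id. The frozen timestamp and user numbers in the checks are constructed values.

```python
import hashlib
import secrets
from typing import Callable, Dict, Optional


def weak_session_id(login_time: int) -> str:
    """The construction the ticket reports: md5 of the unix timestamp only.
    It is a pure function of a public value, so anyone who knows roughly when
    the login happened recomputes it, and same-second logins share one id."""
    return hashlib.md5(str(login_time).encode()).hexdigest()


def strong_session_id() -> str:
    """Hardened replacement: 128 bits from the OS CSPRNG. No clock, login or
    password goes in (hashing the password in would turn a leaked id into an
    offline password-guessing oracle), so it is unguessable and effectively unique."""
    return secrets.token_hex(16)


class SessionStore:
    """Minimal session table that refuses to bind an id already held by another
    user; reaching that branch at runtime is the symptom of a weak generator."""

    def __init__(self, make_id: Callable[[], str]) -> None:
        self._make_id = make_id
        self._sessions: Dict[str, int] = {}
        self.collisions = 0

    def login(self, user_id: int) -> Optional[str]:
        sid = self._make_id()
        if sid in self._sessions and self._sessions[sid] != user_id:
            self.collisions += 1  # another user owns this id: refuse and log it
            return None
        self._sessions[sid] = user_id
        return sid

    def user_for(self, sid: str) -> Optional[int]:
        # Constant-time comparison so the lookup itself leaks nothing about ids.
        for stored, user in self._sessions.items():
            if secrets.compare_digest(stored, sid):
                return user
        return None


def same_second_collisions(make_id: Callable[[], str], users: int) -> int:
    """Log in `users` distinct users with the clock frozen; count refused logins."""
    store = SessionStore(make_id)
    for uid in range(1, users + 1):
        store.login(uid)
    return store.collisions
```

A language-level rand() such as Perl's is seeded from little entropy and is not a CSPRNG, so "a bit of randomness" from it narrows the guess space far less than the operating system's random source does.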