| Summary: | perl-Authen-Captcha new security issue fixed in 1.024 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | jquelin, mageia, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/593608/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok | ||
| Source RPM: | perl-Authen-Captcha-1.23.0-3.mga4.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2014-04-07 23:46:15 CEST
David Walser
2014-04-07 23:46:25 CEST
Whiteboard: (none) => MGA3TOO

packages available:
- perl-Authen-Captcha-1.24.0-1.mga3
- perl-Authen-Captcha-1.24.0-1.mga4
please validate & push.

CC: (none) => jquelin

We'll need much more info to be able to do so I'm afraid Jerome.

Ok, here's a way to validate:

** before:
$ perl -MAuthen::Captcha -MDigest::MD5=md5_hex -E '($t,$c)=Authen::Captcha->new(data_folder=>".",output_folder=>".")->generate_code(3);say "md5: " . md5_hex($c);say "file: $t"'
md5: c0a7f3581049f2b0f9e3d5942e80944f
file: c0a7f3581049f2b0f9e3d5942e80944f
==> the 2 lines are the same (filename is the same as md5 sum of the code)

** after:
$ perl -MAuthen::Captcha -MDigest::MD5=md5_hex -E '($t,$c)=Authen::Captcha->new(data_folder=>".",output_folder=>".")->generate_code(3);say "md5: " . md5_hex($c);say "file: $t"'
md5: 83f989dd820bb3683ef6ff6b2bc7fd68
file: 69a8588b5d255cd4682b13b058b295b0
==> the filename is now different from the code md5

** advisory
===========================
An issue in previous versions of perl-Authen-Captcha is that the generated public string (file name of the picture) for the captcha is merely a checksum of the secret string. It is trivial to break such short strings even using google instead of a rainbow table.

This new version of perl-Authen-Captcha fixes the problem by producing a random filename for the captcha.
===========================

Thanks Jerome, that's great :)

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Testing complete mga4 64

Is there a CVE for this? David, do you want to add any refs etc. to the advisory?

Before
------
$ perl -MAuthen::Captcha -MDigest::MD5=md5_hex -E '($t,$c)=Authen::Captcha->new(data_folder=>".",output_folder=>".")->generate_code(3);say "md5: " . md5_hex($c);say "file: $t"'
md5: 202d4eac55a158965f90468b35d0d9e1
file: 202d4eac55a158965f90468b35d0d9e1

After
-----
There is an added require of perl-String-Random

# urpmi perl-Authen-Captcha
To satisfy dependencies, the following packages are going to be installed:
  Package             Version    Release   Arch
(medium "Core Release")
  perl-String-Random  0.220.0    3.mga4    noarch
(medium "Core Updates Testing")
  perl-Authen-Captcha 1.24.0     1.mga4    noarch
26KB of additional disk space will be used.
112KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y

$ perl -MAuthen::Captcha -MDigest::MD5=md5_hex -E '($t,$c)=Authen::Captcha->new(data_folder=>".",output_folder=>".")->generate_code(3);say "md5: " . md5_hex($c);say "file: $t"'
md5: 3c9d69741f38a95eebf16bacc6c718fb
file: 7adb03011a3636765f228afaaac03134

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok

No CVE listed by Fedora, and I'm not aware of one. The Fedora advisory itself should be in the References, I don't have any others:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131155.html

OK thanks. Testing complete mga4 32. Testing the rest shortly.

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok

Testing complete mga3 32 & 64.

Advisory uploaded. Validating. Could sysadmin please push to 3 & 4 updates. Thanks.

Keywords: (none) => validated_update

http://advisories.mageia.org/MGASA-2014-0167.html

Status: NEW => RESOLVED
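The design change behind this update, modelled as an added example in Python (this is not Authen::Captcha's own code, and the 36-character alphabet and the in-memory `pending` store are assumptions made for the demo): the weak variant publishes md5(code) as the picture name, the fixed variant publishes an unrelated random token, and `token_is_digest_of_code` is the same check the validation one-liners above perform by comparing the two printed lines.

```python
import hashlib
import secrets
import string

# Assumed alphabet for the demo codes; Authen::Captcha's real character set
# may differ. The point is the token/code relationship, not the alphabet.
ALPHABET = string.ascii_lowercase + string.digits


class WeakCaptcha:
    """Models the pre-1.024 behaviour: the public token (picture file name)
    is md5(secret code). Whoever holds the token also holds a hash of a
    very short string, which is the flaw the advisory describes."""

    def __init__(self):
        self.pending = {}  # public token -> secret code awaiting an answer

    def _new_code(self, length):
        return "".join(secrets.choice(ALPHABET) for _ in range(length))

    def generate_code(self, length=3):
        code = self._new_code(length)
        token = hashlib.md5(code.encode()).hexdigest()
        self.pending[token] = code
        return token, code

    def check_code(self, token, answer):
        # One attempt per token: the entry is consumed whether it matched or not.
        return self.pending.pop(token, None) == answer


class FixedCaptcha(WeakCaptcha):
    """Models the 1.024 fix: the public token is random and carries no
    information about the code; the link exists only in server-side state."""

    def generate_code(self, length=3):
        code = self._new_code(length)
        token = secrets.token_hex(16)  # 32 hex chars, independent of the code
        self.pending[token] = code
        return token, code


def token_is_digest_of_code(token, code):
    """The page's validation check: is the public file name just md5(code)?
    True means the captcha publishes a fingerprint of its own answer."""
    return token == hashlib.md5(code.encode()).hexdigest()
```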