Bug 13165 - perl-Authen-Captcha new security issue fixed in 1.024
Summary: perl-Authen-Captcha new security issue fixed in 1.024
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/593608/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-04-07 23:46 CEST by David Walser
Modified: 2014-04-09 07:31 CEST (History)
3 users (show)

See Also:
Source RPM: perl-Authen-Captcha-1.23.0-3.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-04-07 23:46:15 CEST
Fedora has issued an advisory on March 28:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131155.html

Mageia 3 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-04-07 23:46:25 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Jerome Quelin 2014-04-08 09:13:24 CEST
packages available:
- perl-Authen-Captcha-1.24.0-1.mga3
- perl-Authen-Captcha-1.24.0-1.mga4

please validate & push.

CC: (none) => jquelin
Assignee: jquelin => qa-bugs

Comment 2 claire robinson 2014-04-08 09:29:56 CEST
We'll need much more info to be able to do so I'm afraid Jerome.
Comment 3 Jerome Quelin 2014-04-08 09:55:45 CEST
Ok, here's a way to validate:

** before:
$ perl -MAuthen::Captcha -MDigest::MD5=md5_hex -E '($t,$c)=Authen::Captcha->new(data_folder=>".",output_folder=>".")->generate_code(3);say "md5:  " . md5_hex($c);say "file: $t"'
md5:  c0a7f3581049f2b0f9e3d5942e80944f
file: c0a7f3581049f2b0f9e3d5942e80944f

==> the 2 lines are the same (filename is the same as md5 sum of the code)

** after:
$ perl -MAuthen::Captcha -MDigest::MD5=md5_hex -E '($t,$c)=Authen::Captcha->new(data_folder=>".",output_folder=>".")->generate_code(3);say "md5:  " . md5_hex($c);say "file: $t"'
md5:  83f989dd820bb3683ef6ff6b2bc7fd68
file: 69a8588b5d255cd4682b13b058b295b0

==> the filename is now different from the code md5


** advisory

===========================
An issue in previous versions of perl-Authen-Captcha is that the generated public string (file name of the picture) for the captcha is merely a checksum of the secret string. It is trivial to break such short strings even using google instead of a rainbow table.
This new version of perl-Authen-Captcha fixes the problem by producing a random filename for the captcha.
===========================
Comment 4 claire robinson 2014-04-08 10:05:58 CEST
Thanks Jerome, that's great :)

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 5 claire robinson 2014-04-08 16:17:33 CEST
Testing complete mga4 64

Is there a CVE for this? David do you want to add any refs etc to the advisory?

Before
------
$ perl -MAuthen::Captcha -MDigest::MD5=md5_hex -E '($t,$c)=Authen::Captcha->new(data_folder=>".",output_folder=>".")->generate_code(3);say "md5:  " . md5_hex($c);say "file: $t"'
md5:  202d4eac55a158965f90468b35d0d9e1
file: 202d4eac55a158965f90468b35d0d9e1

After
-----
There is an added require of perl-String-Random

# urpmi perl-Authen-Captcha
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release")
  perl-String-Random             0.220.0      3.mga4        noarch  
(medium "Core Updates Testing")
  perl-Authen-Captcha            1.24.0       1.mga4        noarch  
26KB of additional disk space will be used.
112KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y

$ perl -MAuthen::Captcha -MDigest::MD5=md5_hex -E '($t,$c)=Authen::Captcha->new(data_folder=>".",output_folder=>".")->generate_code(3);say "md5:  " . md5_hex($c);say "file: $t"'
md5:  3c9d69741f38a95eebf16bacc6c718fb
file: 7adb03011a3636765f228afaaac03134

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok

Comment 6 David Walser 2014-04-08 16:19:39 CEST
No CVE listed by Fedora, and I'm not aware of one.

The Fedora advisory itself should be in the References, I don't have any others:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131155.html
Comment 7 claire robinson 2014-04-08 16:22:45 CEST
OK thanks.

Testing complete mga4 32. Testing the rest shortly

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok

Comment 8 claire robinson 2014-04-08 16:36:11 CEST
Testing complete mga3 32 & 64

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 9 Damien Lallement 2014-04-09 07:31:20 CEST
http://advisories.mageia.org/MGASA-2014-0167.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.