Bug 13165 - perl-Authen-Captcha new security issue fixed in 1.024
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/593608/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Reported: 2014-04-07 23:46 CEST by David Walser
Modified: 2014-04-09 07:31 CEST (History)

See Also:
Source RPM: perl-Authen-Captcha-1.23.0-3.mga4.src.rpm
CVE:



Description David Walser 2014-04-07 23:46:15 CEST
Fedora has issued an advisory on March 28:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131155.html

Mageia 3 is also affected.

Comment 1 Jerome Quelin 2014-04-08 09:13:24 CEST
packages available:
- perl-Authen-Captcha-1.24.0-1.mga3
- perl-Authen-Captcha-1.24.0-1.mga4

please validate & push.
Comment 2 claire robinson 2014-04-08 09:29:56 CEST
We'll need much more info to be able to do so, I'm afraid, Jerome.
Comment 3 Jerome Quelin 2014-04-08 09:55:45 CEST
Ok, here's a way to validate:

** before:
$ perl -MAuthen::Captcha -MDigest::MD5=md5_hex -E '($t,$c)=Authen::Captcha->new(data_folder=>".",output_folder=>".")->generate_code(3);say "md5:  " . md5_hex($c);say "file: $t"'
md5:  c0a7f3581049f2b0f9e3d5942e80944f
file: c0a7f3581049f2b0f9e3d5942e80944f

==> the 2 lines are the same (filename is the same as md5 sum of the code)

** after:
$ perl -MAuthen::Captcha -MDigest::MD5=md5_hex -E '($t,$c)=Authen::Captcha->new(data_folder=>".",output_folder=>".")->generate_code(3);say "md5:  " . md5_hex($c);say "file: $t"'
md5:  83f989dd820bb3683ef6ff6b2bc7fd68
file: 69a8588b5d255cd4682b13b058b295b0

==> the filename is now different from the code md5


** advisory

===========================
An issue in previous versions of perl-Authen-Captcha is that the generated public string (file name of the picture) for the captcha is merely a checksum of the secret string. It is trivial to break such short strings even using google instead of a rainbow table.
This new version of perl-Authen-Captcha fixes the problem by producing a random filename for the captcha.
===========================
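The weakness the advisory describes, and the check Jerome's before/after one-liners perform, written out as an added Python example (not code from the bug, the Authen::Captcha module, or Fedora's fix; Python is used so the check is self-contained, the module itself is Perl). It assumes a 3-character lowercase alphanumeric code, which is a constructed assumption: the page calls generate_code(3) but does not state the character set. The weak scheme publishes md5(code) as the filename, so the filename is a deterministic function of a low-entropy secret and can be inverted by hashing every candidate; the fixed scheme publishes a random name and keeps the name-to-code mapping server-side, so the name carries no information about the code. name_is_md5_of_code is the same comparison as the "2 lines are the same" check in the comment above.

```python
import hashlib
import itertools
import secrets
import string

# Constructed assumption: a 3-character lowercase alphanumeric code, matching the
# generate_code(3) call on the page (the real character set is not stated there).
ALPHABET = string.ascii_lowercase + string.digits
CODE_LEN = 3


def weak_public_name(code):
    """Old behaviour per the advisory: the public filename is md5(secret code),
    i.e. a deterministic, unsalted function of the secret."""
    return hashlib.md5(code.encode()).hexdigest()


def fixed_public_name(store, code):
    """Fixed behaviour: a random filename unrelated to the code. The server keeps
    the name->code mapping (a dict here); the name alone reveals nothing."""
    name = secrets.token_hex(16)  # 128 random bits, 32 hex chars like an MD5 digest
    store[name] = code
    return name


def name_is_md5_of_code(name, code):
    """The validation check from the comment above: the package is still
    vulnerable if the filename equals md5(code)."""
    return name == hashlib.md5(code.encode()).hexdigest()


def search_space(alphabet=ALPHABET, length=CODE_LEN):
    """Number of candidate codes an exhaustive search has to hash."""
    return len(alphabet) ** length


def invert_weak_name(name, alphabet=ALPHABET, length=CODE_LEN):
    """Why the old scheme fails: with only len(alphabet)**length candidates,
    md5(code) is inverted by hashing each candidate and comparing."""
    for chars in itertools.product(alphabet, repeat=length):
        code = "".join(chars)
        if hashlib.md5(code.encode()).hexdigest() == name:
            return code
    return None


if __name__ == "__main__":
    secret = "q7x"  # constructed sample code
    old = weak_public_name(secret)
    print("weak name :", old, "-> recovered", invert_weak_name(old),
          "within", search_space(), "hashes")
    store = {}
    new = fixed_public_name(store, secret)
    print("fixed name:", new, "-> equals md5(code)?", name_is_md5_of_code(new, secret))
```

With the constructed alphabet the search space is 36^3 = 46656 hashes, which is why the advisory can say such strings are trivial to break; no amount of hashing fixes that, only decoupling the public name from the secret does. The lesson generalises to any design that publishes a hash of a short secret as an identifier.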
Comment 4 claire robinson 2014-04-08 10:05:58 CEST
Thanks Jerome, that's great :)
Comment 5 claire robinson 2014-04-08 16:17:33 CEST
Testing complete mga4 64

Is there a CVE for this? David do you want to add any refs etc to the advisory?

Before
------
$ perl -MAuthen::Captcha -MDigest::MD5=md5_hex -E '($t,$c)=Authen::Captcha->new(data_folder=>".",output_folder=>".")->generate_code(3);say "md5:  " . md5_hex($c);say "file: $t"'
md5:  202d4eac55a158965f90468b35d0d9e1
file: 202d4eac55a158965f90468b35d0d9e1

After
-----
There is an added require of perl-String-Random

# urpmi perl-Authen-Captcha
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release")
  perl-String-Random             0.220.0      3.mga4        noarch  
(medium "Core Updates Testing")
  perl-Authen-Captcha            1.24.0       1.mga4        noarch  
26KB of additional disk space will be used.
112KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y

$ perl -MAuthen::Captcha -MDigest::MD5=md5_hex -E '($t,$c)=Authen::Captcha->new(data_folder=>".",output_folder=>".")->generate_code(3);say "md5:  " . md5_hex($c);say "file: $t"'
md5:  3c9d69741f38a95eebf16bacc6c718fb
file: 7adb03011a3636765f228afaaac03134
Comment 6 David Walser 2014-04-08 16:19:39 CEST
No CVE listed by Fedora, and I'm not aware of one.

The Fedora advisory itself should be in the References, I don't have any others:
https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131155.html
Comment 7 claire robinson 2014-04-08 16:22:45 CEST
OK thanks.

Testing complete mga4 32. Testing the rest shortly
Comment 8 claire robinson 2014-04-08 16:36:11 CEST
Testing complete mga3 32 & 64

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 9 Damien Lallement 2014-04-09 07:31:20 CEST
http://advisories.mageia.org/MGASA-2014-0167.html
