Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 703316 (CVE-2019-16782)

Summary: dev-ruby/rack-{1.6.12,2.0.8}, dev-ruby/rails-{5.2.4.1,6.0.2.1}: Possible Information Leak / Session Hijack Vulnerability in Rack (CVE-2019-16782)
Product: Gentoo Security Reporter: Hans de Graaff <graaff>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.openwall.com/lists/oss-security/2019/12/18/2
Whiteboard: B4 [noglsa cve]
Package list:
dev-ruby/rack-1.6.12 dev-ruby/rack-2.0.8 amd64
 Runtime testing required: ---

Description Hans de Graaff gentoo-dev Security 2019-12-18 19:44:18 UTC 
There is a possible information leak / session hijacking vulnerability
in Rack. This vulnerability has been assigned the CVE identifier
CVE-2019-16782.

Versions Affected:  All.
Not affected:       None.
Fixed Versions:     1.6.12, 2.0.8

There's a possible information leak / session hijack vulnerability in
Rack. Attackers may be able to find and hijack sessions by using timing
attacks targeting the session id. Session ids are usually stored and
indexed in a database that uses some kind of scheme for speeding up
lookups of that session id. By carefully measuring the amount of time it
takes to look up a session, an attacker may be able to find a valid
session id and hijack the session.

The session id itself may be generated randomly, but the way the session
is indexed by the backing store does not use a secure comparison.


Impact
------

The session id stored in a cookie is the same id that is used when
querying the backing session storage engine. Most storage mechanisms
(for example a database) use some sort of indexing in order to speed up
the lookup of that id. By carefully timing requests and session lookup
failures, an attacker may be able to perform a timing attack to
determine an existing session id and hijack that session.

Releases
--------

The 1.6.12 and 2.0.8 releases are available at the normal locations.

Workarounds
-----------

There are no known workarounds.
Comment 1 Hans de Graaff gentoo-dev Security 2019-12-18 19:46:12 UTC 
rack 1.6.12 and 2.0.8 have been added.
Comment 2 Hans de Graaff gentoo-dev Security 2019-12-18 19:52:23 UTC 
This bug also requires new rails releases to leverage the changes in dev-ruby/rack. Rails 5.2.4.1 and Rails 6.0.2.1 have been released with fixes.
Comment 3 Hans de Graaff gentoo-dev Security 2019-12-20 09:48:28 UTC 
rails 5.2.4.1 and 6.0.2.1 have been added
Comment 4 Hans de Graaff gentoo-dev Security 2019-12-21 08:33:12 UTC 
amd64 stable
Comment 5 Rolf Eike Beer archtester 2019-12-23 11:06:46 UTC 
hppa/sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-12-24 08:10:57 UTC 
x86 stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-12-24 14:03:01 UTC 
arm stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-12-25 21:02:02 UTC 
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-12-30 15:30:49 UTC 
s390 stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-12-30 15:34:30 UTC 
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-12-30 15:54:20 UTC 
ppc stable
Comment 12 Hans de Graaff gentoo-dev Security 2020-01-29 07:12:16 UTC 
Cleanup done.
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 19:45:12 UTC 
@maintainer(s), again, thanks for the verbosity - it does help when keeping track of the versions! Tree is clean.
Comment 14 NATTkA bot gentoo-dev 2020-04-06 15:00:04 UTC 
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2020-04-26 02:16:27 UTC 
GLSA Vote: No

Thank you all for you work. 
Closing as [noglsa].