
Bug 828115 (CVE-2021-34337)

Summary: net-mail/mailman: password checking timing attack vulnerability
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: hanno, ohnobinki, sam
Priority: Normal
Keywords: PATCH
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
Description | Flags
mailman-3.3.5-relax-alembic-dependency.patch | none
mailman-3.3.5-relax-alembic-dependency.patch | none

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-04 04:57:21 UTC
Unreleased patch for this issue:

commit e4a39488c4510fcad8851217f10e7337a196bb51
Author: Kunal Mehta <legoktm@debian.org>
Date:   Tue Jun 8 00:54:14 2021 -0400

    Check the REST API password in a way that is resistant to timing attacks (CVE-2021-34337)

    Using basic string equality is vulnerable to timing attacks as it will
    short circuit at the first wrong character. Using hmac.compare_digest
    avoids that issue and will take the same time, regardless of whether
    the value is correct or not.

    This is only exploitable if an attacker can talk directly to the
    REST API, which by default is bound to localhost.

    Fixes #911.
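The following is an added illustration of the two comparisons the commit message above contrasts; it is not Mailman's code and not part of this bug. The password value and the function names are constructed for the example, and `chars_inspected_naive` / `compare_without_short_circuit` are simplified models of what plain equality and `hmac.compare_digest` do, not the interpreter's actual implementation.

```python
import hmac

# Constructed example credential. Mailman's REST API takes its credential
# from its configuration; this value and the function names are assumptions
# made for illustration only.
EXPECTED_PASSWORD = "correct horse battery staple"


def check_password_naive(candidate: str, expected: str = EXPECTED_PASSWORD) -> bool:
    """The pattern the commit replaces: plain equality.

    Ordinary string equality stops at the first differing character, so the
    time it takes grows with the length of the correctly guessed prefix.
    """
    return candidate == expected


def check_password_fixed(candidate: str, expected: str = EXPECTED_PASSWORD) -> bool:
    """The pattern the commit introduces: hmac.compare_digest.

    For inputs of equal length it visits every byte before answering, so the
    time does not depend on where the first mismatch sits.
    """
    return hmac.compare_digest(candidate.encode("utf-8"), expected.encode("utf-8"))


def chars_inspected_naive(candidate: str, expected: str) -> int:
    """Model of short-circuit equality: count how many characters a
    left-to-right compare looks at before giving up. This count is what a
    remote caller infers indirectly from response timing."""
    inspected = 0
    for a, b in zip(candidate, expected):
        inspected += 1
        if a != b:
            break
    return inspected


def compare_without_short_circuit(a: bytes, b: bytes) -> bool:
    """Model of the idea behind hmac.compare_digest: XOR each byte pair, OR
    the results into an accumulator, and only inspect the accumulator at the
    end. Every byte is visited whether or not an earlier one mismatched.
    Real code should call hmac.compare_digest; this only shows the shape."""
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0


if __name__ == "__main__":
    guesses = ["wrong", "correct horse battery stapLe", EXPECTED_PASSWORD]
    for g in guesses:
        print(
            f"{g!r:32} naive={check_password_naive(g)} "
            f"fixed={check_password_fixed(g)} "
            f"chars_inspected_by_naive={chars_inspected_naive(g, EXPECTED_PASSWORD)}"
        )
```

Running the block shows that a guess wrong in its first character is abandoned after one comparison while a guess wrong only in its 27th character is inspected 27 times; that difference is the signal the commit message describes. One caveat that `compare_without_short_circuit` makes explicit: both it and `hmac.compare_digest` still return early when the lengths differ, so the comparison hides the position of a mismatch but not the length of the secret.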
Comment 1 Nathan Phillip Brink (binki) 2021-12-20 19:42:36 UTC
Created attachment 759930
mailman-3.3.5-relax-alembic-dependency.patch

It looks like mailman-3.3.6 is already out.

That fix is included in mailman-3.3.5 according to the upstream changelog ( «URI scrubbed because my bugzilla account is less than 24 hours old» ).

This is a patch which I found was required to get mailman-3.3.5 to run while testing. It should also be required for 3.3.6, but I have not tested it.
Comment 2 Nathan Phillip Brink (binki) 2021-12-21 14:35:20 UTC
Created attachment 759983
mailman-3.3.5-relax-alembic-dependency.patch

Patch from upstream.
Comment 3 Larry the Git Cow gentoo-dev 2022-06-05 14:18:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd8719e070a90c8f5494b2b661530eedfaf5a38e

commit fd8719e070a90c8f5494b2b661530eedfaf5a38e
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-06-05 14:08:28 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-06-05 14:16:19 +0000

    net-mail/mailman: treeclean
    
    Closes: https://bugs.gentoo.org/846149
    Closes: https://bugs.gentoo.org/842888
    Closes: https://bugs.gentoo.org/836711
    Closes: https://bugs.gentoo.org/827257
    Closes: https://bugs.gentoo.org/802450
    Closes: https://bugs.gentoo.org/766435
    Bug: https://bugs.gentoo.org/828115
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 net-mail/mailman/Manifest                          |  2 -
 .../mailman/files/mailman-3.3.4-fix-click-8.patch  | 75 ----------------------
 .../files/mailman-3.3.4-py3.9-importlib.patch      | 73 ---------------------
 net-mail/mailman/mailman-3.3.2.ebuild              | 42 ------------
 net-mail/mailman/mailman-3.3.4.ebuild              | 60 -----------------
 net-mail/mailman/metadata.xml                      | 10 ---
 profiles/package.mask                              |  1 -
 7 files changed, 263 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-05 15:08:55 UTC
All done!