Bug 828115 (CVE-2021-34337) - net-mail/mailman: password checking timing attack vulnerability
Summary: net-mail/mailman: password checking timing attack vulnerability
Status: CONFIRMED
Alias: CVE-2021-34337
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [upstream/ebuild]
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2021-12-04 04:57 UTC by John Helmert III
Modified: 2021-12-21 14:35 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
mailman-3.3.5-relax-alembic-dependency.patch (533 bytes, patch), 2021-12-20 19:42 UTC, Nathan Phillip Brink (binki)
mailman-3.3.5-relax-alembic-dependency.patch (671 bytes, patch), 2021-12-21 14:35 UTC, Nathan Phillip Brink (binki)

Description John Helmert III gentoo-dev Security 2021-12-04 04:57:21 UTC
Unreleased patch for this issue: 

commit e4a39488c4510fcad8851217f10e7337a196bb51
Author: Kunal Mehta <legoktm@debian.org>
Date:   Tue Jun 8 00:54:14 2021 -0400

    Check the REST API password in a way that is resistant to timing attacks (CVE-2021-34337)

    Using basic string equality is vulnerable to timing attacks as it will
    short circuit at the first wrong character. Using hmac.compare_digest
    avoids that issue and will take the same time, regardless of whether
    the value is correct or not.

    This is only exploitable if an attacker can talk directly to the
    REST API, which by default is bound to localhost.

    Fixes #911.
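The commit message above describes the defect in general terms: a plain `==` on the REST password returns as soon as the first byte differs, so response time depends on how much of the guess is correct. The following is an added example, not Mailman's code or the upstream patch. It shows the short-circuiting check beside a constant-time one built on `hmac.compare_digest`, and wraps it in a small HTTP Basic `Authorization` header parser of the kind a REST endpoint would use. The credentials (`restadmin`/`restpass`) are constructed sample values standing in for the `admin_user`/`admin_pass` settings an installation would actually configure; the function and variable names are assumptions for illustration.

```python
"""Added example: timing-safe REST credential check (not Mailman's own code)."""
import base64
import hashlib
import hmac

# Constructed sample credentials; a real deployment reads these from its
# configuration. Names and values here are illustrative only.
ADMIN_USER = "restadmin"
ADMIN_PASS = "restpass"


def _eq(a: str, b: str) -> bool:
    """Constant-time equality that also does not leak the secret's length.

    hmac.compare_digest only guarantees constant time when both operands have
    the same length (and rejects str containing non-ASCII), so both sides are
    hashed first: compare_digest then always sees two 32-byte digests.
    """
    return hmac.compare_digest(
        hashlib.sha256(a.encode("utf-8")).digest(),
        hashlib.sha256(b.encode("utf-8")).digest(),
    )


def check_naive(user: str, password: str) -> bool:
    """Vulnerable pattern, kept for contrast: each '==' stops at the first
    mismatching byte, and 'and' skips the password check entirely when the
    username is wrong, so timing reveals progress on both fields."""
    return user == ADMIN_USER and password == ADMIN_PASS


def check_constant_time(user: str, password: str) -> bool:
    """Hardened pattern: both comparisons always run, and their results are
    combined with bitwise '&' rather than 'and' so the username outcome does
    not gate whether the password is examined at all."""
    return _eq(user, ADMIN_USER) & _eq(password, ADMIN_PASS)


def basic_header(user: str, password: str) -> str:
    """Build an 'Authorization: Basic ...' header value for the given pair."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def authorize(header_value: str) -> bool:
    """Parse a Basic auth header value and verify it in constant time.

    Malformed input (wrong scheme, bad base64, no ':' separator) yields False
    rather than an exception, so the caller can answer 401 uniformly.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # binascii.Error (invalid base64) is a ValueError subclass.
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    return check_constant_time(user, password)


if __name__ == "__main__":
    print(authorize(basic_header("restadmin", "restpass")))  # True
    print(authorize(basic_header("restadmin", "restpasx")))  # False
    print(authorize("Bearer not-basic"))                      # False
```

The `_eq` helper hashes before comparing rather than calling `compare_digest` on the raw strings, because the documented constant-time guarantee only covers equal-length inputs and ASCII `str`; hashing sidesteps both caveats. Whether such a check is reachable at all depends on who can reach the endpoint, which is why the upstream commit notes the REST API is bound to localhost by default.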
Comment 1 Nathan Phillip Brink (binki) 2021-12-20 19:42:36 UTC
Created attachment 759930 [details, diff]
mailman-3.3.5-relax-alembic-dependency.patch

It looks like mailman-3.3.6 is already out.

That fix is included in mailman-3.3.5 according to the upstream changelog ( «URI scrubbed because my bugzilla account is less than 24 hours old» ).

This is a patch which I found was required to get mailman-3.3.5 to run while testing. It should also be required for 3.3.6, but I have not tested it.
Comment 2 Nathan Phillip Brink (binki) 2021-12-21 14:35:20 UTC
Created attachment 759983 [details, diff]
mailman-3.3.5-relax-alembic-dependency.patch

Patch from upstream.