Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 703316 (CVE-2019-16782) - dev-ruby/rack-{1.6.12,2.0.8}, dev-ruby/rails-{5.2.4.1,6.0.2.1}: Possible Information Leak / Session Hijack Vulnerability in Rack (CVE-2019-16782)
Summary: dev-ruby/rack-{1.6.12,2.0.8}, dev-ruby/rails-{5.2.4.1,6.0.2.1}: Possible Info...
Status: RESOLVED FIXED
Alias: CVE-2019-16782
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-12-18 19:44 UTC by Hans de Graaff
Modified: 2020-04-26 02:16 UTC (History)
1 user (show)

See Also:
Package list:
dev-ruby/rack-1.6.12 dev-ruby/rack-2.0.8 amd64
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev 2019-12-18 19:44:18 UTC
There is a possible information leak / session hijacking vulnerability
in Rack. This vulnerability has been assigned the CVE identifier
CVE-2019-16782.

Versions Affected:  All.
Not affected:       None.
Fixed Versions:     1.6.12, 2.0.8

There's a possible information leak / session hijack vulnerability in
Rack. Attackers may be able to find and hijack sessions by using timing
attacks targeting the session id. Session ids are usually stored and
indexed in a database that uses some kind of scheme for speeding up
lookups of that session id. By carefully measuring the amount of time it
takes to look up a session, an attacker may be able to find a valid
session id and hijack the session.

The session id itself may be generated randomly, but the way the session
is indexed by the backing store does not use a secure comparison.


Impact
------

The session id stored in a cookie is the same id that is used when
querying the backing session storage engine. Most storage mechanisms
(for example a database) use some sort of indexing in order to speed up
the lookup of that id. By carefully timing requests and session lookup
failures, an attacker may be able to perform a timing attack to
determine an existing session id and hijack that session.

Releases
--------

The 1.6.12 and 2.0.8 releases are available at the normal locations.

Workarounds
-----------

There are no known workarounds.
Comment 1 Hans de Graaff gentoo-dev 2019-12-18 19:46:12 UTC
rack 1.6.12 and 2.0.8 have been added.
Comment 2 Hans de Graaff gentoo-dev 2019-12-18 19:52:23 UTC
This bug also requires new rails releases to leverage the changes in dev-ruby/rack. Rails 5.2.4.1 and Rails 6.0.2.1 have been released with fixes.
Comment 3 Hans de Graaff gentoo-dev 2019-12-20 09:48:28 UTC
rails 5.2.4.1 and 6.0.2.1 have been added
Comment 4 Hans de Graaff gentoo-dev 2019-12-21 08:33:12 UTC
amd64 stable
Comment 5 Rolf Eike Beer 2019-12-23 11:06:46 UTC
hppa/sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-12-24 08:10:57 UTC
x86 stable
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-12-24 14:03:01 UTC
arm stable
Comment 8 Sergei Trofimovich gentoo-dev 2019-12-25 21:02:02 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-12-30 15:30:49 UTC
s390 stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-12-30 15:34:30 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2019-12-30 15:54:20 UTC
ppc stable
Comment 12 Hans de Graaff gentoo-dev 2020-01-29 07:12:16 UTC
Cleanup done.
Comment 13 Sam James archtester gentoo-dev Security 2020-03-26 19:45:12 UTC
@maintainer(s), again, thanks for the verbosity - it does help when keeping track of the versions! Tree is clean.
Comment 14 NATTkA bot gentoo-dev 2020-04-06 15:00:04 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev Security 2020-04-26 02:16:27 UTC
GLSA Vote: No

Thank you all for you work. 
Closing as [noglsa].