Bug 828115 (CVE-2021-34337) - net-mail/mailman: password checking timing attack vulnerability
Summary: net-mail/mailman: password checking timing attack vulnerability
Status: RESOLVED FIXED
Alias: CVE-2021-34337
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2021-12-04 04:57 UTC by John Helmert III
Modified: 2022-06-05 15:08 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
mailman-3.3.5-relax-alembic-dependency.patch (533 bytes, patch), 2021-12-20 19:42 UTC, Nathan Phillip Brink (binki)
mailman-3.3.5-relax-alembic-dependency.patch (671 bytes, patch), 2021-12-21 14:35 UTC, Nathan Phillip Brink (binki)

Description John Helmert III 2021-12-04 04:57:21 UTC
Unreleased patch for this issue: 

commit e4a39488c4510fcad8851217f10e7337a196bb51
Author: Kunal Mehta <legoktm@debian.org>
Date:   Tue Jun 8 00:54:14 2021 -0400

    Check the REST API password in a way that is resistant to timing attacks (CVE-2021-34337)

    Using basic string equality is vulnerable to timing attacks as it will
    short circuit at the first wrong character. Using hmac.compare_digest
    avoids that issue and will take the same time, regardless of whether
    the value is correct or not.

    This is only exploitable if an attacker can talk directly to the
    REST API, which by default is bound to localhost.

    Fixes #911.
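The comparison the commit message describes, and the hmac.compare_digest fix it applies, as an added example written for this page (not Mailman's code): naive_compare is a plain `==` instrumented to count the characters it examines before giving up, and check_basic_auth is a hypothetical REST credential check using compare_digest for both fields. The user name restadmin, the password and the header layout are constructed sample values.

```python
import base64
import hmac


def naive_compare(supplied: str, expected: str) -> tuple:
    """Plain `==` semantics, but also returns how many characters were
    examined.  Work (and therefore time) grows with the matching prefix,
    which is the signal a timing attack measures."""
    steps = 0
    if len(supplied) != len(expected):
        return False, steps
    for a, b in zip(supplied, expected):
        steps += 1
        if a != b:
            return False, steps  # stops at the first wrong character
    return True, steps


def constant_time_compare(supplied: str, expected: str) -> bool:
    """The fix: hmac.compare_digest examines every byte regardless of where
    the first mismatch is, so timing no longer reveals how much of the guess
    was right.  Encoded to bytes because compare_digest only accepts ASCII str."""
    return hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))


def make_basic_header(user: str, password: str) -> str:
    """Build an `Authorization: Basic` header value (constructed sample input)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def check_basic_auth(header: str, user: str, password: str) -> bool:
    """Hypothetical REST credential check (not Mailman's handler).  Both
    comparisons run unconditionally so a wrong user name does not short-circuit."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    got_user, sep, got_pass = decoded.partition(":")
    if not sep:
        return False
    user_ok = constant_time_compare(got_user, user)
    pass_ok = constant_time_compare(got_pass, password)
    return user_ok and pass_ok
```

Compare naive_compare("sXcret", "secret") with naive_compare("secreX", "secret"): the step counts differ by the length of the correct prefix, which is exactly what the fixed code stops exposing.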
Comment 1 Nathan Phillip Brink (binki) 2021-12-20 19:42:36 UTC
Created attachment 759930 [details, diff]
mailman-3.3.5-relax-alembic-dependency.patch

It looks like mailman-3.3.6 is already out.

That fix is included in mailman-3.3.5 according to the upstream changelog ( «URI scrubbed because my bugzilla account is less than 24 hours old» ).

This is a patch which I found was required to get mailman-3.3.5 to run while testing. It should also be required for 3.3.6, but I have not tested it.
Comment 2 Nathan Phillip Brink (binki) 2021-12-21 14:35:20 UTC
Created attachment 759983 [details, diff]
mailman-3.3.5-relax-alembic-dependency.patch

Patch from upstream.
Comment 3 Larry the Git Cow 2022-06-05 14:18:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd8719e070a90c8f5494b2b661530eedfaf5a38e

commit fd8719e070a90c8f5494b2b661530eedfaf5a38e
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-06-05 14:08:28 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-06-05 14:16:19 +0000

    net-mail/mailman: treeclean
    
    Closes: https://bugs.gentoo.org/846149
    Closes: https://bugs.gentoo.org/842888
    Closes: https://bugs.gentoo.org/836711
    Closes: https://bugs.gentoo.org/827257
    Closes: https://bugs.gentoo.org/802450
    Closes: https://bugs.gentoo.org/766435
    Bug: https://bugs.gentoo.org/828115
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 net-mail/mailman/Manifest                          |  2 -
 .../mailman/files/mailman-3.3.4-fix-click-8.patch  | 75 ----------------------
 .../files/mailman-3.3.4-py3.9-importlib.patch      | 73 ---------------------
 net-mail/mailman/mailman-3.3.2.ebuild              | 42 ------------
 net-mail/mailman/mailman-3.3.4.ebuild              | 60 -----------------
 net-mail/mailman/metadata.xml                      | 10 ---
 profiles/package.mask                              |  1 -
 7 files changed, 263 deletions(-)
Comment 4 John Helmert III 2022-06-05 15:08:55 UTC
All done!