Patches for CVE-2011-0009

Ralf Corsépius corsepiu at fedoraproject.org
Thu Jan 27 12:48:33 UTC 2011


On 01/27/2011 12:31 PM, Xavier Bachelot wrote:
>> On 01/27/2011 12:43 AM, Xavier Bachelot wrote:
>>> On 01/26/2011 09:16 PM, Xavier Bachelot wrote:
>>>> On 01/26/2011 12:00 AM, Xavier Bachelot wrote:
>>>>> Hi,
>>>>>
>>>>> I've been looking at the issue for both rt 3.6 and 3.8.
>>>>> I have a rather full featured patch for 3.8 and I took the Debian
>>>>> patch for 3.6. However, I'm not happy with 3.6, it's lacking the
>>>>> script to fix all the passwords. I'll try to come up with something
>>>>> better in the next few days. Here's my WIP for reference.
>>>>>
>>>>> Regards,
>>>>> Xavier
>>>>
>>>> Here are the updated patches against master and el5 branches. I only
>>>> have an rt 3.6 to test against, so the 3.8 patch is not run time
>>>> tested, but I'm confident.
>>>> The only missing bit is a paragraph about the password mass-update
>>>> script in the UPGRADING file for 3.6.
>>>>
>>> Sorry, slightly wrong patches, it was missing the patch to the UPGRADING
>>> file. Here is a fixed one for 3.8. I've pushed the 3.6 patch to el5.
>>>
>>> http://koji.fedoraproject.org/koji/taskinfo?taskID=2744662
>>> https://admin.fedoraproject.org/updates/rt3-3.6.10-2.el5
>>>
>>> Ralf, Mark, I let you give a test at 3.8 on Rawhide/F14/F13 and EL6,
>>> respectively.
>>
>> Xavier, please don't try to rush it.
>>
> I'm not trying to rush anything. I'm satisfied with the patches I have, so
> I've built the rpms for the OS release I'm running in production. I've
> indeed tested it locally. However I can't test against rawhide, F13, F14
> and EL6, because I don't have any RT instance with these releases. I
> obviously won't commit anything to these branches and leave this to people
> that can actually test the patches.
>
>> So far, from visual inspection only, I am not necessarily opposed to
>> your patch but I like the debian patches more.
>>
> Imho, the Debian patches are incomplete. It only fixes password hashes
> upon user login,
This is exactly why I like them. They are working transparently without 
user or maintainer interaction.

> which is not enough to fix the security issue. You can't
> expect to force all users to log in and all hashes that have not been
> updated are still vulnerable to a brute force attack. The only real
> solution is to use the vulnerable-passwords script to mass update them.
Partially agreed. A mass update is the only way to assure this.

However, one cannot expect maintainers to run this script, nor can we 
run this script during rpm updates.

That said, my current preference for Fedora 13 and 14 is a combination of
* Adopting Debian's patch.
* Adding the vulnerable-passwords script.

For Fedora 15, backporting from bestpractical's upstream (which is, 
AFAIU, what you did) is feasible, because upgrading Fedora will always 
require maintainer interaction.

In an ideal world, IMO, a solution would look different:
starting up would perform a mass conversion.

BTW: Did you check if rt's upgrade scripts take care of this CVE (I 
haven't yet)?

> This script is missing with the Debian patches.
> My own patches were created using the commits from the 3.8-salted_password
> branch from RT's git repository, that I then adapted to target 3.6.

Ralf
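The difference the thread turns on (rehash-on-login versus a mass update) is easier to see in code. The following is an added example written for this page; it is not RT's code, nor the Debian or Fedora patch, and the storage layout, scheme tags, the unsalted-MD5 "legacy" scheme and the PBKDF2 wrapper are all assumptions made for illustration. It shows two ways out of an unsalted-hash store: the login path, which can re-hash properly because it has the cleartext, but only for users who actually log in; and a mass update, which cannot recover cleartexts and so instead salts and stretches the existing digests (a general technique, not necessarily what RT's vulnerable-passwords script does). The constructed sample database has two accounts; only one ever logs in.

```python
import hashlib
import hmac
import os

# Constructed scheme tags for this example; they are not RT's storage format.
LEGACY = "md5"            # unsalted hex MD5 of the password (the vulnerable form)
WRAPPED = "pbkdf2(md5)"   # salted PBKDF2 over the legacy MD5 hex digest
FRESH = "pbkdf2"          # salted PBKDF2 over the password itself

ITERATIONS = 20_000       # kept modest so the example runs quickly


def legacy_hash(password: str) -> str:
    """Assumed legacy scheme: unsalted MD5, trivially brute-forced from a table dump."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2(secret: bytes, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS).hex()


def fresh_record(password: str) -> dict:
    """Salted hash of the cleartext; only possible when the password is known."""
    salt = os.urandom(16)
    return {"scheme": FRESH, "salt": salt.hex(),
            "hash": pbkdf2(password.encode("utf-8"), salt)}


def wrap_legacy(record: dict) -> dict:
    """Salt and stretch an existing legacy hash without knowing the password.

    The stored MD5 digest becomes the PBKDF2 input, so a dump of the table no
    longer yields crackable unsalted digests. Verification still works because
    the login path can recompute md5(password) and apply the same wrapper.
    """
    assert record["scheme"] == LEGACY
    salt = os.urandom(16)
    return {"scheme": WRAPPED, "salt": salt.hex(),
            "hash": pbkdf2(record["hash"].encode("ascii"), salt)}


def verify(record: dict, password: str) -> bool:
    scheme = record["scheme"]
    if scheme == LEGACY:
        candidate = legacy_hash(password)
    elif scheme == WRAPPED:
        candidate = pbkdf2(legacy_hash(password).encode("ascii"),
                           bytes.fromhex(record["salt"]))
    elif scheme == FRESH:
        candidate = pbkdf2(password.encode("utf-8"), bytes.fromhex(record["salt"]))
    else:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def login_and_upgrade(db: dict, user: str, password: str) -> bool:
    """Upgrade-on-login: only users who successfully log in get a fixed hash."""
    record = db.get(user)
    if record is None or not verify(record, password):
        return False
    if record["scheme"] != FRESH:
        db[user] = fresh_record(password)   # cleartext is in hand, so re-hash properly
    return True


def mass_update(db: dict) -> int:
    """What a mass-update script can do: wrap every remaining legacy hash in one pass."""
    upgraded = 0
    for user, record in list(db.items()):
        if record["scheme"] == LEGACY:
            db[user] = wrap_legacy(record)
            upgraded += 1
    return upgraded


def count_vulnerable(db: dict) -> int:
    return sum(1 for record in db.values() if record["scheme"] == LEGACY)


def sample_db() -> dict:
    """Constructed sample data: two accounts still stored with the legacy scheme."""
    return {
        "alice": {"scheme": LEGACY, "hash": legacy_hash("alice-pw")},
        "bob": {"scheme": LEGACY, "hash": legacy_hash("bob-pw")},
    }


if __name__ == "__main__":
    db = sample_db()
    login_and_upgrade(db, "alice", "alice-pw")   # alice logs in, bob never does
    print("still vulnerable after login-only upgrade:", count_vulnerable(db))
    print("wrapped by mass update:", mass_update(db))
    print("still vulnerable after mass update:", count_vulnerable(db))
```

Run stand-alone, the script reports one account still on the legacy scheme after the login-only upgrade (the user who never logged in) and none after the mass update. The wrapped records remain verifiable, so the two approaches compose: run the mass update once, and let the login path replace wrapped hashes with fresh ones as users return.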



