Page MenuHomePhabricator
Create Task
Maniphest T94116

Api watchlist token should be compared in constant time
Closed, ResolvedPublic
Actions

Assigned To
Anomie
Authored By
csteipp
Mar 26 2015, 11:02 PM
Tags
Referenced Files
F1186925: 0001-SECURITY-API-Use-constant-time-comparison-for-watchl.patch
Aug 10 2015, 7:38 PM
F106084: 0001-SECURITY-API-Use-constant-time-comparison-for-watchl.patch
Mar 27 2015, 3:53 PM
Subscribers
Aklapper
csteipp
demon
gerritbot
Grunny
Krenair
Legoktm
View All 10 Subscribers

Description

The token comparison in ApiBase::getWatchlistUser() isn't constant time, so timing attack is theoretically possible.

Patch:

0001-SECURITY-API-Use-constant-time-comparison-for-watchl.patch1 KBDownload

  • 1.25 - same as master (
    0001-SECURITY-API-Use-constant-time-comparison-for-watchl.patch1 KBDownload
    )
  • 1.24 - same as master (
    0001-SECURITY-API-Use-constant-time-comparison-for-watchl.patch1 KBDownload
    )
  • 1.23 -
    0001-SECURITY-API-Use-constant-time-comparison-for-watchl.patch3 KBDownload
    (include hash_equals)

Affected Versions:
Type: csrf

Details

SubjectRepoBranchLines +/-
SECURITY: API: Use constant-time comparison for watchlist tokenmediawiki/coremaster+1 -1
SECURITY: API: Use constant-time comparison for watchlist tokenmediawiki/coreREL1_25+1 -1
SECURITY: API: Use constant-time comparison for watchlist tokenmediawiki/coreREL1_24+1 -1
SECURITY: API: Use constant-time comparison for watchlist tokenmediawiki/coreREL1_23+48 -1
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedAnomieT94116 Api watchlist token should be compared in constant time

Event Timeline

csteipp created this task.Mar 26 2015, 11:02 PM
csteipp raised the priority of this task from to Low.
csteipp updated the task description. (Show Details)
csteipp added a project: acl*security.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp changed Security from None to Software security bug.
csteipp added subscribers: csteipp, Anomie.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 26 2015, 11:02 PM
Anomie claimed this task.EditedMar 27 2015, 3:53 PM

0001-SECURITY-API-Use-constant-time-comparison-for-watchl.patch1 KBDownload

Anomie added projects: Patch-For-Review, MediaWiki-Action-API, Reading-Infrastructure-Team-Old (Don't use).Mar 27 2015, 3:54 PM
Anomie moved this task from Backlog to Needs Review/Feedback on the Reading-Infrastructure-Team-Old (Don't use) board.
Anomie moved this task from Unsorted to Needs Review on the MediaWiki-Action-API board.
Legoktm subscribed.Apr 17 2015, 4:54 AM

+1.

The hash_equals fallback was only added in 1.24 (b9e1d5f5c066a26f115eac69e268a98e6591d121), so it'll also have to be backported to 1.23 and 1.19...

Legoktm added a comment.Jun 11 2015, 8:43 PM

+2? Anything else that needs to be done to get this deployed?

csteipp added a subscriber: mmodell.Jun 11 2015, 9:56 PM

Slipped off my radar. Patch looks good to me.

@mmodell, can you deploy this and confirm when it's on the cluster?

csteipp added a parent task: Restricted Task.Jun 11 2015, 9:57 PM
csteipp closed this task as Resolved.Jul 8 2015, 8:57 PM

20:53 csteipp: deployed patch for T94116 for wmf12/wmf13

csteipp added subscribers: Grunny, ProgramCeltic.Aug 7 2015, 6:33 PM
demon subscribed.Aug 10 2015, 7:38 PM

0001-SECURITY-API-Use-constant-time-comparison-for-watchl.patch3 KBDownload

Patch for REL1_23 that includes backport of hash_equals(). Existing patch above already applies cleanly to 1.24, 1.25 and master.

csteipp updated the task description. (Show Details)Aug 10 2015, 8:18 PM
csteipp added a project: Vuln-CSRF.
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 10 2015, 10:00 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.
gerritbot subscribed.Aug 10 2015, 10:00 PM

Change 230665 had a related patch set uploaded (by Chad):
SECURITY: API: Use constant-time comparison for watchlist token

https://gerrit.wikimedia.org/r/230665

gerritbot added a comment.Aug 10 2015, 10:03 PM

Change 230669 had a related patch set uploaded (by Chad):
SECURITY: API: Use constant-time comparison for watchlist token

https://gerrit.wikimedia.org/r/230669

gerritbot added a comment.Aug 10 2015, 10:05 PM

Change 230673 had a related patch set uploaded (by Chad):
SECURITY: API: Use constant-time comparison for watchlist token

https://gerrit.wikimedia.org/r/230673

gerritbot added a comment.Aug 10 2015, 10:15 PM

Change 230673 merged by jenkins-bot:
SECURITY: API: Use constant-time comparison for watchlist token

https://gerrit.wikimedia.org/r/230673

demon mentioned this in rMW8f74aa9ed0d1: SECURITY: API: Use constant-time comparison for watchlist token.Aug 10 2015, 10:16 PM
gerritbot added a comment.Aug 10 2015, 10:20 PM

Change 230669 merged by jenkins-bot:
SECURITY: API: Use constant-time comparison for watchlist token

https://gerrit.wikimedia.org/r/230669

demon mentioned this in rMW01e5d85ec246: SECURITY: API: Use constant-time comparison for watchlist token.Aug 10 2015, 10:20 PM
gerritbot added a comment.Aug 10 2015, 10:22 PM

Change 230665 merged by jenkins-bot:
SECURITY: API: Use constant-time comparison for watchlist token

https://gerrit.wikimedia.org/r/230665

demon mentioned this in rMW83af5c1b11b1: SECURITY: API: Use constant-time comparison for watchlist token.Aug 10 2015, 10:22 PM
Forrestbot added projects: MW-1.24-release, MW-1.23-release, MW-1.25-release.Aug 10 2015, 11:00 PM
Ricordisamoa subscribed.Aug 10 2015, 11:44 PM
gerritbot added a comment.Aug 11 2015, 2:17 PM

Change 230774 had a related patch set uploaded (by Chad):
SECURITY: API: Use constant-time comparison for watchlist token

https://gerrit.wikimedia.org/r/230774

gerritbot added a comment.Aug 11 2015, 2:29 PM

Change 230774 merged by jenkins-bot:
SECURITY: API: Use constant-time comparison for watchlist token

https://gerrit.wikimedia.org/r/230774

demon mentioned this in rMW00f3e29bfcb8: SECURITY: API: Use constant-time comparison for watchlist token.Aug 11 2015, 2:29 PM
Forrestbot added projects: WMF-deploy-2015-08-11_(1.26wmf18), MW-1.26-release.Aug 11 2015, 3:00 PM
Krenair subscribed.Aug 31 2015, 12:56 AM

CVE-2015-6728 was assigned for this

chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:43 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL