Bug 15010 - Sensitive data comparisons use memcmp()
Summary: Sensitive data comparisons use memcmp()
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.11.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-03-11 01:57 UTC by Joseph Sutton
Modified: 2022-04-13 23:18 UTC (History)
0 users

See Also:


Attachments
patch for master (29.17 KB, patch)
2022-03-11 01:59 UTC, Joseph Sutton
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Joseph Sutton 2022-03-11 01:57:45 UTC
To avoid being susceptible to timing attacks, we should use a constant time comparison function.
Comment 1 Joseph Sutton 2022-03-11 01:59:52 UTC
Created attachment 17207 [details]
patch for master

This patch does not address uses of memcmp() in Heimdal; as it is a third-party library it must be patched separately.
Comment 2 Andrew Bartlett 2022-03-11 19:30:30 UTC
The password_hash.c code should use this also, lots of password hash comparisons there.  (hard to exploit because the input is not a hash, but should be fixed for consistency).

Our next step should be to confirm if we think this raises to the standard for a CVE, otherwise to just fix in public.
Comment 3 Andrew Bartlett 2022-04-13 23:18:09 UTC
I've removed the embargo, this is an important thing to fix, but we wouldn't issue a security advisory for this.