[Pkg-erlang-devel] Bug#576304: Bug#576304: CVE-2010-0009: Apache CouchDB Timing Attack Vulnerability
sbisbee at computervip.com
Tue Apr 13 00:43:44 UTC 2010
On Fri, Apr 02, 2010 at 10:23:16PM +0200, Moritz Muehlenhoff wrote:
> Package: couchdb
> Severity: important
> Tags: security
> The following advisory was posted to full-disclosure. I don't see
> the security implications, can you tell me what property is being
> attacked here through the timing attack?
I would suggest that you read http://codahale.com/a-lesson-in-timing-attacks/
(from the advisory) for a more in depth description of this vulnerability.
The basics are that the function CouchDB was using to verify hashes and
passwords was doing byte-by-byte comparisons, returning as soon as it found two
bytes that didn't match. This means that a malicious user could time the amount
of time it takes the function to respond, figuring out how much of the
beginning of their request is valid.
Please note that 0.11.0-1, which has a fix for this vulnerability, should be
released to unstable this week. Upstream released 0.11.0 about two weeks ago.
More information about the Pkg-erlang-devel