r28036 - in /trunk/libuser-simple-perl: Changes META.yml debian/changelog lib/User/Simple.pm t/User-Simple.t

gwolf at users.alioth.debian.org gwolf at users.alioth.debian.org
Wed Dec 10 23:55:46 UTC 2008


Author: gwolf
Date: Wed Dec 10 23:55:43 2008
New Revision: 28036

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=28036
Log:
New upstream version

Modified:
    trunk/libuser-simple-perl/Changes
    trunk/libuser-simple-perl/META.yml
    trunk/libuser-simple-perl/debian/changelog
    trunk/libuser-simple-perl/lib/User/Simple.pm
    trunk/libuser-simple-perl/t/User-Simple.t

Modified: trunk/libuser-simple-perl/Changes
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libuser-simple-perl/Changes?rev=28036&op=diff
==============================================================================
--- trunk/libuser-simple-perl/Changes (original)
+++ trunk/libuser-simple-perl/Changes Wed Dec 10 23:55:43 2008
@@ -1,4 +1,8 @@
 Revision history for Perl extension User::Simple.
+
+1.42 Wed Dec 10 17:22:19 CST 2008
+        - Fixed a session hash predictability/clash vulnerability,
+	  reported by Eugene V. Lyubimkin via Damyan Ivanov. Thanks!
 
 1.40 Fri Jun 27 11:35:01 CDT 2008
         - Bah... Why jump through that many hoops? Moving away from

Modified: trunk/libuser-simple-perl/META.yml
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libuser-simple-perl/META.yml?rev=28036&op=diff
==============================================================================
--- trunk/libuser-simple-perl/META.yml (original)
+++ trunk/libuser-simple-perl/META.yml Wed Dec 10 23:55:43 2008
@@ -1,6 +1,6 @@
 ---
 name: User-Simple
-version: 1.40
+version: 1.42
 author:
   - 'Gunnar Wolf <gwolf at gwolf.org>'
 abstract: Simple user sessions management
@@ -18,7 +18,7 @@
 provides:
   User::Simple:
     file: lib/User/Simple.pm
-    version: 1.40
+    version: 1.42
   User::Simple::Admin:
     file: lib/User/Simple/Admin.pm
 generated_by: Module::Build version 0.280801

Modified: trunk/libuser-simple-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libuser-simple-perl/debian/changelog?rev=28036&op=diff
==============================================================================
--- trunk/libuser-simple-perl/debian/changelog (original)
+++ trunk/libuser-simple-perl/debian/changelog Wed Dec 10 23:55:43 2008
@@ -1,9 +1,13 @@
-libuser-simple-perl (1.40-2) UNRELEASED; urgency=low
+libuser-simple-perl (1.42-1) unstable; urgency=low
 
+  [ gregor herrmann ]
   * debian/control: Changed: Switched Vcs-Browser field to ViewSVN
     (source stanza).
+    
+  [ Gunnar Wolf ]
+  * New upstream release (Closes: #508312)
 
- -- gregor herrmann <gregoa at debian.org>  Sun, 16 Nov 2008 20:48:50 +0100
+ -- Gunnar Wolf <gwolf at debian.org>  Wed, 10 Dec 2008 17:52:09 -0600
 
 libuser-simple-perl (1.40-1) unstable; urgency=low
 

Modified: trunk/libuser-simple-perl/lib/User/Simple.pm
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libuser-simple-perl/lib/User/Simple.pm?rev=28036&op=diff
==============================================================================
--- trunk/libuser-simple-perl/lib/User/Simple.pm (original)
+++ trunk/libuser-simple-perl/lib/User/Simple.pm Wed Dec 10 23:55:43 2008
@@ -79,7 +79,7 @@
 
 Once the object is created, we can ask it to verify that a given user is
 valid, either by checking against a session string or against a login/password
-pair::
+pair:
 
   $ok = $usr->ck_session($session);
   $ok = $usr->ck_login($login, $passwd, [$no_sess]);
@@ -171,7 +171,7 @@
 use UNIVERSAL qw(isa);
 
 our $AUTOLOAD;
-our $VERSION = '1.40';
+our $VERSION = '1.42';
 
 ######################################################################
 # Constructor/destructor
@@ -306,9 +306,10 @@
 	$self->_debug(3, "Not touching session");
 
     } else {
+	my $salt = _session_salt();
 	unless ($sth = $self->{db}->prepare("UPDATE $self->{tbl} SET 
                 session = ? WHERE id = ?") and 
-		$sth->execute(md5_hex(join('-', Today_and_Now)), $id)) {
+		$sth->execute(md5_hex(join('-', $salt, Today_and_Now)), $id)) {
 	    $self->_debug(1,'Could not create user session');
 	    return undef;
 	}
@@ -516,4 +517,11 @@
     }
 }
 
+# Generates a random, printable (ASCII 46-126), 10 character long salt
+# to mix in the session generation.
+sub _session_salt {
+    join("", map { chr(rand()*78 + 46) } (0..10))
+}
+
+
 1;
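Review bot: `_session_salt` draws its entropy from `rand()`, which is not a cryptographically secure generator — Perl seeds it from time and pid unless `srand` is called — so the salt prevents the same-second clash the Changes entry mentions but leaves the session hash guessable by anyone who can estimate the seed; the `$sth->execute(md5_hex(join('-', $salt, Today_and_Now)), $id)` hunk above inherits that weakness, since the digest is only as unpredictable as the salt. The salt should come from the kernel CSPRNG (a read of `/dev/urandom`, or a CPAN wrapper around it for portability) rather than `rand()`. The header comment also disagrees with the code: `(0..10)` yields 11 characters, and `chr(rand()*78 + 46)` truncates to codes 46..123, not 46..126 (`rand()*81 + 46` would cover 46..126). The sub also relies on an implicit return; `return join(...)` is clearer.

```perl
# Generates a random, printable, hex-encoded salt to mix into the session
# hash.  Read from the kernel CSPRNG rather than rand(), whose seed is
# guessable (time/pid) and so would leave the session predictable.
sub _session_salt {
    open(my $rnd, '<', '/dev/urandom') or die "Cannot open /dev/urandom: $!";
    binmode($rnd);
    my $got = read($rnd, my $bytes, 16);
    close($rnd);
    die "Short read from /dev/urandom" unless defined $got and $got == 16;
    return unpack('H*', $bytes);
}
```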

Modified: trunk/libuser-simple-perl/t/User-Simple.t
URL: http://svn.debian.org/wsvn/pkg-perl/trunk/libuser-simple-perl/t/User-Simple.t?rev=28036&op=diff
==============================================================================
--- trunk/libuser-simple-perl/t/User-Simple.t (original)
+++ trunk/libuser-simple-perl/t/User-Simple.t Wed Dec 10 23:55:43 2008
@@ -10,7 +10,7 @@
 
 # change 'tests => 1' to 'tests => last_test_to_print';
 
-use Test::More tests => 39;
+use Test::More tests => 40;
 BEGIN { use_ok('User::Simple'); use_ok('User::Simple::Admin') };
 
 #########################
@@ -22,7 +22,7 @@
 eval { $db = DBI->connect('DBI:SQLite:dbname=' .$tmp_file) };
 
 SKIP: {
-    my ($ua, $adm_id, $usr_id, $usr, $session, %users);
+    my ($ua, $adm_id, $usr_id, $usr, $session, %users, %sessions);
     skip 'Not executing the complete tests: Database handler not created ' .
 	'(I need DBD::SQLite for this)', 37 unless $db;
 
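Review bot: The count on the `skip '...', 37 unless $db;` line is unchanged although the plan grew from 39 to 40 and the new test lives inside the SKIP block; if 37 is the number of tests in that block (39 minus the two `use_ok` calls suggests it is), it should become 38, otherwise the plan fails whenever DBD::SQLite is absent. The added `%sessions` declaration itself is fine.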
@@ -138,7 +138,7 @@
 
     # Get the user's session
     ok($session = $usr->session, "Retreived the user's session");
-
+    
     # Try to log in with an invalid session, check that all of the data is
     # cleared.
     is($usr->ck_session('blah'), undef,
@@ -155,6 +155,17 @@
     is($usr->login, 'user5', 'Reported login matches');
     is($usr->descr, 'A new description', 'Reported descr matches');
     is($usr->adm_level, 0, 'Reported adm_level matches');
+    
+    # Ensure that logging in several times in a row produces different
+    # session IDs (that is, that we are not vulnerable to time-based
+    # predictability - see changelog for 1.42)
+    %sessions = ();
+    map { $usr->ck_login('user5', 'a_password');
+	  $sessions{$usr->session} = $_} (1..10);
+    use YAML;print YAML::Dump %sessions;
+    is(scalar(keys %sessions), 10,
+       'Discrepancy in the number of generated sessions - possible clash?')
+    
 
 }
 unlink($tmp_file)
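Review bot: The `use YAML;print YAML::Dump %sessions;` line looks like leftover debugging: it adds a dependency (YAML) the test suite did not need before, dumps the hash flattened into a list, and prints to STDOUT, which pollutes the TAP stream; drop it, or use `note explain \%sessions;` from Test::More. The `map { ... } (1..10)` is used in void context for its side effects; the idiomatic form is a loop, e.g. `for (1..10) { $usr->ck_login('user5', 'a_password'); $sessions{$usr->session} = $_; }`. The `is(...)` description reads as a failure message; a name such as `'Ten consecutive logins yield ten distinct sessions'` says what passes. This assertion only catches collisions, not predictability, so it does not by itself demonstrate the second half of what the Changes entry claims was fixed.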



