
Bug#1055349: bullseye-pu: package python-websockets/8.1-1+deb11u1



Package: release.debian.org
Control: affects -1 + src:python-websockets
X-Debbugs-Cc: python-websockets@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: bullseye
Severity: normal

[ Reason ]
python-websockets in bullseye is vulnerable to CVE-2021-33880.

[ Impact ]
CVE-2021-33880 can be exploited.

[ Tests ]
No automatic tests. I have backported the upstream patch for the CVE.

[ Risks ]
None.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
diff -Nru python-websockets-8.1/debian/changelog python-websockets-8.1/debian/changelog
--- python-websockets-8.1/debian/changelog	2019-12-31 18:02:56.000000000 +0100
+++ python-websockets-8.1/debian/changelog	2023-11-04 17:59:13.000000000 +0100
@@ -1,3 +1,9 @@
+python-websockets (8.1-1+deb11u1) bullseye; urgency=medium
+
+  * Fix CVE-2021-33880 with upstream patch (closes: 989561)
+
+ -- Bastian Germann <bage@debian.org>  Sat, 04 Nov 2023 17:59:13 +0100
+
 python-websockets (8.1-1) unstable; urgency=medium
 
   [ Ondřej Nový ]
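Review bot: the bug reference in `* Fix CVE-2021-33880 with upstream patch (closes: 989561)` drops the `#` that Debian changelog entries conventionally carry; write it as `(Closes: #989561)`. It would also help the security tracker and anyone reading the changelog later if the entry said what the CVE is (a non-constant-time password comparison in the basic-auth helper, fixed by switching to a constant-time comparison), since the patch subject "Use constant-time comparison for passwords" is only visible inside the patch file.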
diff -Nru python-websockets-8.1/debian/patches/CVE-2021-33880.patch python-websockets-8.1/debian/patches/CVE-2021-33880.patch
--- python-websockets-8.1/debian/patches/CVE-2021-33880.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-websockets-8.1/debian/patches/CVE-2021-33880.patch	2023-11-04 17:59:13.000000000 +0100
@@ -0,0 +1,66 @@
+From 9428df4ba027dea422697cfae995568cd06cd06a Mon Sep 17 00:00:00 2001
+From: Aymeric Augustin <aymeric.augustin@m4x.org>
+Date: Sun, 23 May 2021 18:51:27 +0200
+Subject: [PATCH] Use constant-time comparison for passwords.
+
+Backport of c91b4c2a to 8.1.
+---
+ src/websockets/auth.py | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/src/websockets/auth.py b/src/websockets/auth.py
+index ae204b8..aeaf15b 100644
+--- a/src/websockets/auth.py
++++ b/src/websockets/auth.py
+@@ -6,7 +6,9 @@
+ 
+ 
+ import functools
++import hmac
+ import http
++from typing import cast
+ from typing import Any, Awaitable, Callable, Iterable, Optional, Tuple, Type, Union
+ 
+ from .exceptions import InvalidHeader
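Review bot: style point on the new `from typing import cast` line: it sits directly above the existing `from typing import Any, Awaitable, Callable, Iterable, Optional, Tuple, Type, Union`, so the module now imports from typing twice. Fold `cast` into the existing import instead of adding a second one.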
+@@ -137,24 +139,25 @@ def basic_auth_protocol_factory(
+ 
+     if credentials is not None:
+         if is_credentials(credentials):
+-
+-            async def check_credentials(username: str, password: str) -> bool:
+-                return (username, password) == credentials
+-
++            credentials_list = [cast(Credentials, credentials)]
+         elif isinstance(credentials, Iterable):
+             credentials_list = list(credentials)
+-            if all(is_credentials(item) for item in credentials_list):
+-                credentials_dict = dict(credentials_list)
+-
+-                async def check_credentials(username: str, password: str) -> bool:
+-                    return credentials_dict.get(username) == password
+-
+-            else:
++            if not all(is_credentials(item) for item in credentials_list):
+                 raise TypeError(f"invalid credentials argument: {credentials}")
+-
+         else:
+             raise TypeError(f"invalid credentials argument: {credentials}")
+ 
++        credentials_dict = dict(credentials_list)
++
++        async def check_credentials(username: str, password: str) -> bool:
++            try:
++                expected_password = credentials_dict[username]
++            except KeyError:
++                return False
++            return hmac.compare_digest(expected_password, password)
++
+     return functools.partial(
+-        create_protocol, realm=realm, check_credentials=check_credentials
++        create_protocol,
++        realm=realm,
++        check_credentials=check_credentials,
+     )
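Review bot: `return hmac.compare_digest(expected_password, password)` raises TypeError when either str contains a non-ASCII character (the stdlib restricts str arguments of compare_digest to ASCII), so a client presenting a UTF-8 password, or an operator who configured one, now gets an unhandled exception during the handshake instead of a False. Comparing UTF-8 bytes avoids that while keeping the constant-time property: `return hmac.compare_digest(expected_password.encode(), password.encode())`. Two smaller points: the `except KeyError: return False` path still exposes through timing whether a username exists (that was also true of the previous `credentials_dict.get(username) == password`, so it is not a regression, just worth knowing), and the reflow of the `functools.partial(create_protocol, ...)` call into one argument per line is pure style that a minimal stable backport could omit.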
+-- 
+2.40.1
+
diff -Nru python-websockets-8.1/debian/patches/series python-websockets-8.1/debian/patches/series
--- python-websockets-8.1/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ python-websockets-8.1/debian/patches/series	2023-11-04 17:58:49.000000000 +0100
@@ -0,0 +1 @@
+CVE-2021-33880.patch
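Review bot: the patch file queued here carries only the git `From:`, `Date:` and `Subject:` headers plus the one-line "Backport of c91b4c2a to 8.1." note. Add DEP-3 headers so the provenance is machine-readable: an `Origin:` line naming upstream commit c91b4c2a as the source of the backport and a `Bug-Debian: https://bugs.debian.org/989561` line matching the changelog entry.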

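To make the security-relevant change concrete, the following is an added example, not code from this bug report or from the websockets project: it places the pre-patch equality check beside the patched constant-time check, and adds a hypothetical byte-level variant that also handles non-ASCII passwords, which the patched str comparison rejects with a TypeError. The credential table and user names are constructed for the example; `make_bytes_check` and `run` are this example's own helpers, not upstream API.

```python
import asyncio
import hmac
from typing import Awaitable, Callable, Dict, Iterable, Tuple

Credentials = Tuple[str, str]
Checker = Callable[[str, str], Awaitable[bool]]

# Constructed sample credential store for this example; not real accounts.
# "chloé" deliberately has a non-ASCII password to exercise the edge case.
SAMPLE_CREDENTIALS: Iterable[Credentials] = [
    ("alice", "correct horse battery staple"),
    ("bob", "s3cret"),
    ("chloé", "pässwörd"),
]


def make_vulnerable_check(credentials: Iterable[Credentials]) -> Checker:
    """Pre-patch shape of the websockets 8.1 check, reconstructed from the diff."""
    table: Dict[str, str] = dict(credentials)

    async def check(username: str, password: str) -> bool:
        # str '==' returns as soon as a character differs, so the time taken
        # depends on how long the common prefix with the real password is.
        return table.get(username) == password

    return check


def make_patched_check(credentials: Iterable[Credentials]) -> Checker:
    """Same logic as the patched hunk: constant-time comparison on str."""
    table: Dict[str, str] = dict(credentials)

    async def check(username: str, password: str) -> bool:
        try:
            expected = table[username]
        except KeyError:
            return False
        # Constant-time, but hmac.compare_digest only accepts ASCII str:
        # a non-ASCII character on either side raises TypeError.
        return hmac.compare_digest(expected, password)

    return check


def make_bytes_check(credentials: Iterable[Credentials]) -> Checker:
    """Hypothetical hardening (not upstream code): compare UTF-8 bytes, and run a
    comparison even for unknown users so that branch costs about the same."""
    table: Dict[str, bytes] = {u: p.encode("utf-8") for u, p in credentials}
    dummy = b"\x00" * 32  # compared against when the user is unknown

    async def check(username: str, password: str) -> bool:
        candidate = password.encode("utf-8")
        expected = table.get(username)
        if expected is None:
            hmac.compare_digest(dummy, candidate)  # spend comparable time, then reject
            return False
        return hmac.compare_digest(expected, candidate)

    return check


def run(check: Checker, username: str, password: str):
    """Drive one of the async checkers synchronously.

    Returns True/False, or the exception class name if the check raised, which
    is what a server would see as an unhandled error during the handshake.
    """
    try:
        return asyncio.run(check(username, password))
    except TypeError as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for name, factory in [("vulnerable", make_vulnerable_check),
                          ("patched", make_patched_check),
                          ("bytes", make_bytes_check)]:
        chk = factory(SAMPLE_CREDENTIALS)
        print(name,
              run(chk, "alice", "correct horse battery staple"),
              run(chk, "alice", "wrong"),
              run(chk, "chloé", "pässwörd"))
```

Running the block shows all three checkers agreeing for ASCII credentials, while only the patched str version turns the non-ASCII login into a TypeError; the byte-level variant accepts it and still rejects unknown users without an early return.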