For more information on timing attacks, see Coda Hale's blog post on the
matter [1].
Versions Affected: 2.1.0 and *all* subsequent versions.
Fixed Versions: 2.3.4, 2.2.3
Impact
------
Because of network latency, non-deterministic GC runs and other sources of
timing noise, it is unlikely that this weakness could be exploited in the
wild within a reasonable timeframe. However, users should still upgrade as
soon as possible to remove the weakness.
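As an added illustration of the weakness class this advisory and Coda Hale's
post describe (not the Rails code, nor the contents of the patches below),
the following Ruby shows why an early-exit comparison of an HMAC signature
leaks the signature one byte at a time, and why a comparison that always
walks the whole string does not. The key, message and the "cost" oracle
(a count of bytes confirmed equal, standing in for the elapsed time a remote
attacker would have to measure through the network and GC noise mentioned
above) are constructed for the example.

```ruby
require 'openssl'

HEX = ('0'..'9').to_a + ('a'..'f').to_a

# Constructed key and message for the demonstration only.
SECRET  = 'example-secret-key'
MESSAGE = 'user_id=42'

def sign(message, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, message)
end

# Early-exit comparison. Returns [equal?, cost], where cost is the number of
# leading bytes confirmed equal before the method returned. Each extra byte
# inspected is a little more CPU time, which is exactly what a timing attack
# measures: the cost rises by one every time the attacker gets another byte
# of the guess right.
def early_exit_equal?(expected, given)
  return [false, 0] unless expected.bytesize == given.bytesize
  expected.bytes.each_with_index do |b, i|
    return [false, i] if b != given.getbyte(i)
  end
  [true, expected.bytesize]
end

# Constant-time comparison: inspects every byte regardless of where the
# first mismatch is and ORs the differences together, so cost (and time) is
# the same for every guess of the right length.
def constant_time_equal?(expected, given)
  return [false, 0] unless expected.bytesize == given.bytesize
  diff = 0
  expected.bytes.each_with_index { |b, i| diff |= b ^ given.getbyte(i) }
  [diff.zero?, expected.bytesize]
end

# Simulated attacker: never sees the signature, only the cost reported by
# the oracle for each guess. Recovers the hex digest one digit at a time by
# keeping, at every position, the candidate that took longest to reject.
def recover_signature(message, compare, length: 40)
  expected = sign(message)
  recovered = ''
  length.times do
    best_char, best_cost = nil, -1
    HEX.each do |c|
      candidate = (recovered + c).ljust(length, '0')
      _, cost = compare.call(expected, candidate)
      if cost > best_cost
        best_char, best_cost = c, cost
      end
    end
    recovered += best_char
  end
  recovered
end

if $PROGRAM_NAME == __FILE__
  real = sign(MESSAGE)
  leaked = recover_signature(MESSAGE, method(:early_exit_equal?))
  safe   = recover_signature(MESSAGE, method(:constant_time_equal?))
  puts "early-exit compare leaked the signature: #{leaked == real}"
  puts "constant-time compare leaked the signature: #{safe == real}"
end
```

Against the early-exit comparison the attacker needs at most 16 guesses per
hex digit, 640 in total, to recover the 40-character digest; against the
constant-time comparison every guess costs the same, so the "best" candidate
is always the first one tried and nothing is learned. In practice the cost
signal is buried in the noise the Impact section describes, which is why
exploitation is considered unlikely but the comparison is still worth fixing.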
Releases
--------
The 2.3.4 and 2.2.3 releases will be made available later today and
tomorrow, and will contain fixes for this issue amongst others.
Patches
-------
In order to provide the fixes for users who are running unsupported
releases, or are unable to upgrade at present, we have provided patches
against all affected stable release branches.
The patches are in a format suitable for git-am, and each consists of a
single changeset which implements the fix:
* 2-2-timing-weakness.patch - Patch for 2.2 series
* 2-3-timing-weakness.patch - Patch for 2.3 series
Credits
-------
Thanks to Coda Hale for reporting the bug to us, and helping us with the
fixes.
[1] http://codahale.com/a-lesson-in-timing-attacks/
--
Cheers,
Koz