Version in base suite: 4.4.4+dfsg-2
Base version: request-tracker4_4.4.4+dfsg-2
Target version: request-tracker4_4.4.4+dfsg-2+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/request-tracker4/request-tracker4_4.4.4+dfsg-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/r/request-tracker4/request-tracker4_4.4.4+dfsg-2+deb11u1.dsc
 .git-dpm | 4
 changelog | 8 +
 patches/series | 1
 patches/upstream_4.4-trunk_cve:_avoid_time_side_channel_attack.diff | 66 ++++++++++
 4 files changed, 77 insertions(+), 2 deletions(-)
diff -Nru request-tracker4-4.4.4+dfsg/debian/.git-dpm request-tracker4-4.4.4+dfsg/debian/.git-dpm
--- request-tracker4-4.4.4+dfsg/debian/.git-dpm 2021-02-02 00:04:05.000000000 +0000
+++ request-tracker4-4.4.4+dfsg/debian/.git-dpm 2021-09-29 10:28:05.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-11fa965a537750fbbf8b9b8400792e8055c84424
-11fa965a537750fbbf8b9b8400792e8055c84424
+e3de3eccb556f77daf21be8f900c7f9359879472
+e3de3eccb556f77daf21be8f900c7f9359879472
 47d4fe68f38e9517210c5c518c2cb0e7e7a13bfb
 47d4fe68f38e9517210c5c518c2cb0e7e7a13bfb
 request-tracker4_4.4.4+dfsg.orig.tar.gz
diff -Nru request-tracker4-4.4.4+dfsg/debian/changelog request-tracker4-4.4.4+dfsg/debian/changelog
--- request-tracker4-4.4.4+dfsg/debian/changelog 2021-02-07 15:44:18.000000000 +0000
+++ request-tracker4-4.4.4+dfsg/debian/changelog 2021-09-29 10:28:05.000000000 +0000
@@ -1,3 +1,11 @@
+request-tracker4 (4.4.4+dfsg-2+deb11u1) bullseye; urgency=medium
+
+ * Apply upstream patch which fixes a security vulnerability that involves a
+ login timing side-channel attack. This resolves CVE-2021-38562
+ (Closes: #995175)
+
+ -- Andrew Ruthven Wed, 29 Sep 2021 23:28:05 +1300
+
 request-tracker4 (4.4.4+dfsg-2) unstable; urgency=medium
 
 * Downgrade Depends on rsyslog | system-log-daemon to Recommends
diff -Nru request-tracker4-4.4.4+dfsg/debian/patches/series request-tracker4-4.4.4+dfsg/debian/patches/series
--- request-tracker4-4.4.4+dfsg/debian/patches/series 2021-02-02 00:04:05.000000000 +0000
+++ request-tracker4-4.4.4+dfsg/debian/patches/series 2021-09-29 10:28:05.000000000 +0000
@@ -29,3 +29,4 @@
 upstream_4.4-trunk_gpg:_always_use_temp_gpg_homedir.diff
 upstream_4.4-trunk_gpg:_add_extra_ignored_keywords.diff
 upstream_4.4-trunk_gpg:_default_cert-digest_algo_SHA256.diff
+upstream_4.4-trunk_cve:_avoid_time_side_channel_attack.diff
diff -Nru request-tracker4-4.4.4+dfsg/debian/patches/upstream_4.4-trunk_cve:_avoid_time_side_channel_attack.diff request-tracker4-4.4.4+dfsg/debian/patches/upstream_4.4-trunk_cve:_avoid_time_side_channel_attack.diff
--- request-tracker4-4.4.4+dfsg/debian/patches/upstream_4.4-trunk_cve:_avoid_time_side_channel_attack.diff 1970-01-01 00:00:00.000000000 +0000
+++ request-tracker4-4.4.4+dfsg/debian/patches/upstream_4.4-trunk_cve:_avoid_time_side_channel_attack.diff 2021-09-29 10:28:05.000000000 +0000
@@ -0,0 +1,66 @@
+From e3de3eccb556f77daf21be8f900c7f9359879472 Mon Sep 17 00:00:00 2001
+From: Dianne Skoll
+Date: Fri, 15 Jan 2021 09:15:20 -0500
+Subject: Always check password to avoid timing side channel attacks on
+
+ login page
+
+This addresses CVE-2021-38562.
+
+Bug-Debian: https://bugs.debian.org/995175
+Forwarded: not-needed
+Patch-Name: upstream_4.4-trunk_cve:_avoid_time_side_channel_attack.diff
+---
+ lib/RT/Interface/Web.pm | 8 ++++++++
+ lib/RT/User.pm | 9 ++++++---
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
+index 57988d74..77ff88fd 100644
+--- a/lib/RT/Interface/Web.pm
++++ b/lib/RT/Interface/Web.pm
+@@ -824,10 +824,18 @@ sub AttemptPasswordAuthentication {
+ my $user_obj = RT::CurrentUser->new();
+ $user_obj->Load( $ARGS->{user} );
+
++ # Load the RT system user as well to avoid timing side channel
++ my $system_user = RT::CurrentUser->new();
++ $system_user->Load(1); # User with ID 1 should always exist!
++
+ my $m = $HTML::Mason::Commands::m;
+
+ my $remote_addr = RequestENV('REMOTE_ADDR');
+ unless ( $user_obj->id && $user_obj->IsPassword( $ARGS->{pass} ) ) {
++ if (!$user_obj->id) {
++ # Avoid timing side channel... always run IsPassword
++ $system_user->IsPassword( $ARGS->{pass} );
++ }
+ $RT::Logger->error("FAILED LOGIN for @{[$ARGS->{user}]} from $remote_addr");
+ $m->callback( %$ARGS, CallbackName => 'FailedLogin', CallbackPage => '/autohandler' );
+ return (0, HTML::Mason::Commands::loc('Your username or password is incorrect'));
+diff --git a/lib/RT/User.pm b/lib/RT/User.pm
+index 6c4bc08d..cdc6393b 100644
+--- a/lib/RT/User.pm
++++ b/lib/RT/User.pm
+@@ -1189,15 +1189,18 @@ sub IsPassword {
+ }
+
+ if ( $self->PrincipalObj->Disabled ) {
++ # Run the bcrypt generator to avoid timing side-channel attacks
++ RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64);
+ $RT::Logger->info(
+ "Disabled user " . $self->Name . " tried to log in" );
+ return (undef);
+ }
+
+ unless ($self->HasPassword) {
+- return(undef);
+- }
+-
++ # Run the bcrypt generator to avoid timing side-channel attacks
++ RT::Util::constant_time_eq($self->_GeneratePassword_bcrypt($value), '0' x 64);
++ return undef;
++ }
+ my $stored = $self->__Value('Password');
+ if ($stored =~ /^!/) {
+ # If it's a new-style (>= RT 4.0) password, it starts with a '!'
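Review bot: The decoy hash added in IsPassword calls `$self->_GeneratePassword_bcrypt($value)` with no cost argument, so it runs at whatever default that helper uses, whereas the real comparison further down (outside this hunk) presumably hashes with the parameters carried in the user's stored hash; an account whose hash was created at a different cost, or in the pre-4.0 format the trailing comment alludes to, will still take a distinguishable time from a nonexistent or disabled one. The comment should state that limit, e.g. `# Decoy hash at the default cost: equalises timing only against bcrypt hashes created at that cost`, or the decoy should be given the same cost the real path uses. In Web.pm the result of `$system_user->Load(1)` is never checked and the comment only asserts that the user exists; `RT->SystemUser` already holds that principal and would avoid both the hard-coded id and the extra load on every login attempt, provided its IsPassword path is the same. Both `RT::Util::constant_time_eq(..., '0' x 64)` calls discard their result yet read like a real check, so a comment such as `# result intentionally ignored; this call only spends the hashing time` would help the next reader. AttemptPasswordAuthentication and IsPassword both start before their inner hunks, so the earlier early-returns in those subs are not visible here.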