EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Critical fault in OAuth2 implementation with respect to leap year date

#36025
Posted: 02/28/2016 17:58:00
by Erich Kuba (Standard support level)
Joined: 05/16/2013
Posts: 38

URGENT: This has caused our software to crash on over 12000 sites today.

Code
Unit SBUtils.pas


Code
function DateTimeAddYears(DateTime: TElDateTime; Years: Integer): TElDateTime;


This function is called in several places in TElOAuth2Client. The functionality decodes today's date, increments the year, and encodes the date with the incremented year.

Today's date decodes to Y=2016, M=2, D=29. Increment to Y=2017, M=2, D=29. Encoding raises an access violation.

Code
function DateTimeAddYears(DateTime: TElDateTime; Years: Integer): TElDateTime;
var
  Year, Month, Day: Word;
begin
  DecodeDate(DateTime, Year, Month, Day);
  Inc(Year, Years);
  // Fails when Month=2, Day=29 and the incremented Year is not a leap year:
  // EncodeDate rejects the non-existent date and raises.
  Result := EncodeDate(Year, Month, Day) + Frac(DateTime);
end;


We've temporarily modified the code to the following, pending a fix from you:

Code
function DateTimeAddYears(DateTime: TElDateTime; Years: Integer): TElDateTime;
begin
  Result := DateTime + (365 * Years);
end;
#36026
Posted: 02/28/2016 21:07:44
by Erich Kuba (Standard support level)
Joined: 05/16/2013
Posts: 38

Just further to the above, this issue is probably very widespread as it manifests by simply creating a TElHTTPSClient component.
#36027
Posted: 02/28/2016 21:29:06
by Sam Bortman (Priority Standard support level)
Joined: 02/13/2012
Posts: 9

Wow!!!

I'd like to confirm that our clients are also affected by this. We're using TElHTTPSClient all over the place. Our clients aren't able to start the program that performs updates -- so we're dead in the water.

I will attempt the temporary fix Erich Kuba suggested (thanks!!!), but even if it solves the problem in development, I have no idea how to deliver the fix to the clients.

Eldos, please advise if this issue will magically repair itself on March 1st?
#36029
Posted: 02/29/2016 02:31:48
by K.K.Tsang  (Standard support level)
Joined: 12/07/2015
Posts: 2

I also encountered the same issue. We can only ask our customers to change the date to 28 Feb and manually change it back to 01 Mar tomorrow. It makes me feel very stupid. BTW, I have tested it: it fails on every 29 Feb.
#36031
Posted: 02/29/2016 03:24:58
by Alexander Ionov (EldoS Corp.)

Thank you very much for all the reports.

We are very sorry for this problem. It affects only the VCL edition of SecureBlackbox and appears only today. Tomorrow, even unfixed applications will work as usual.

Here is the fixed code:
Code
function DateTimeIsLeapYear(Year: Integer): Boolean;
begin
  Result := (Year mod 4 = 0) and ((Year mod 100 <> 0) or (Year mod 400 = 0));
end;

function DateTimeAddYears(DateTime: TElDateTime; Years: Integer): TElDateTime;
var
  Year, Month, Day: Word;
begin
  DecodeDate(DateTime, Year, Month, Day);
  Inc(Year, Years);
  if (Month = 2) and (Day = 29) and not DateTimeIsLeapYear(Year) then
    Day := 28;
  Result := EncodeDate(Year, Month, Day) + Frac(DateTime);
end;


--
Best regards,
Alexander Ionov
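The three DateTimeAddYears variants in this thread (the original from #36025, the 365-days-per-year workaround from the same post, and the fix from #36031) re-expressed in Python as an added example. This is not SecureBlackbox code or any poster's code: date() raising ValueError stands in for EncodeDate raising, and the function and helper names are mine. The sweep over every 29 February is the regression check the original function never had; it shows the naive version failing on all of them, the fixed version passing, and the 365-day workaround drifting by a day once a four-year span contains a leap day.

```python
"""Leap-day behaviour of the DateTimeAddYears variants from the thread,
re-expressed in Python (constructed illustration, not SecureBlackbox code)."""
from datetime import date, timedelta


def add_years_naive(d: date, years: int) -> date:
    # Mirrors the original SBUtils.DateTimeAddYears: decode, bump the year,
    # re-encode. date() raises ValueError for 29 Feb of a non-leap year,
    # the Python counterpart of EncodeDate raising.
    return date(d.year + years, d.month, d.day)


def add_years_365(d: date, years: int) -> date:
    # Mirrors the posted emergency workaround: 365 days per year,
    # ignoring leap days entirely.
    return d + timedelta(days=365 * years)


def is_leap_year(year: int) -> bool:
    # Same rule as the posted DateTimeIsLeapYear.
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def add_years_fixed(d: date, years: int) -> date:
    # Mirrors the posted fix: clamp 29 Feb to 28 Feb when the target
    # year is not a leap year, so the encoded date always exists.
    year = d.year + years
    day = d.day
    if d.month == 2 and d.day == 29 and not is_leap_year(year):
        day = 28
    return date(year, d.month, day)


def leap_days_in_range(start: date, end: date):
    """Yield every 29 February with start.year <= year <= end.year.

    This is the input set the original code was never exercised on.
    """
    for year in range(start.year, end.year + 1):
        if is_leap_year(year):
            yield date(year, 2, 29)


def failing_inputs(fn, start=date(2000, 1, 1), end=date(2099, 12, 31), years=1):
    """Return the leap days on which fn raises; empty for a correct implementation."""
    failures = []
    for d in leap_days_in_range(start, end):
        try:
            fn(d, years)
        except ValueError:
            failures.append(d)
    return failures


def drift_days(fn, d: date, years: int) -> int:
    """Signed day difference between fn's result and the clamped calendar result."""
    return (fn(d, years) - add_years_fixed(d, years)).days


if __name__ == "__main__":
    print("naive fails on:", failing_inputs(add_years_naive))
    print("fixed fails on:", failing_inputs(add_years_fixed))
    print("365-day drift, 2016-02-29 + 1y:",
          drift_days(add_years_365, date(2016, 2, 29), 1))
    print("365-day drift, 2016-02-29 + 4y:",
          drift_days(add_years_365, date(2016, 2, 29), 4))
```

The sweep is the test worth keeping in a suite: a single `failing_inputs(add_years_naive)` call over one century reports every leap day, which is exactly the failure that went unnoticed until 29 February 2016. The workaround happens to be exact for a one-year step from a leap day (29 Feb 2016 + 365 days is 28 Feb 2017), but from the same start a four-year step lands on 28 Feb 2020 instead of 29 Feb 2020, so it should only ever be a stopgap.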
#36037
Posted: 02/29/2016 03:55:36
by Erich Kuba (Standard support level)
Joined: 05/16/2013
Posts: 38

Thank you for your response; however, I think it's important for Eldos to understand that the impact of this bug was extraordinarily severe on our business.

How did such poor code make it into production and remain undetected for more than 3 years?

Due to the severity of our experience today, serious questions need to be answered as to how this happened, and how likely it is that something similar will happen again. We put our trust in your technology and today you dropped the ball. Trust is hard to gain and very easy to lose.
#36039
Posted: 02/29/2016 04:15:01
by Bogdan H. (Standard support level)
Joined: 04/03/2014
Posts: 10

I can totally relate to this.

It has also crashed our application and caused us a lot of support headache and angry customers.

What shocks us is the simplicity of this bug and how it was undetected for the past years.
#36040
Posted: 02/29/2016 04:16:31
by Birger Jansen (Standard support level)
Joined: 07/19/2012
Posts: 73

Quote
Alexander Ionov wrote:
Thank you very much for all the reports.

We are very sorry for this problem. It affects only the VCL edition of SecureBlackbox and appears only today. Tomorrow, even unfixed applications will work as usual.

Here is the fixed code:

Code
...


Thanks for the fix, although for me too it is impossible to patch the clients, since they rely on HTTPSClient for auto-update.

Can you explain why you used the code like this in the first place instead of the IncYear function in DateUtils? I see nothing in the code that improves the DateUtils function. It even makes it worse as has been proven today.
#36041
Posted: 02/29/2016 04:29:17
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
Can you explain why you used the code like this in the first place instead of the IncYear function in DateUtils?

The problem is that the DateUtils unit is not present in Delphi 5, but the code should be compatible with that version.
#36042
Posted: 02/29/2016 04:45:10
by Kvetoslav Jansta (Standard support level)
Joined: 05/06/2008
Posts: 56

> Bogdan H., Kuba, ....
Yes, the same situation :(
Thousands of angry customers, still waiting on our new release; hours and hours people cannot work... cannot type customs declarations, drivers cannot go, etc.

It is only one row, but we need 3-4 hours to make new distributions,
and sometimes the servers and installations are on the other side of the world, and people have to wait until their system administrator wakes up and updates the ".exe".


As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
