CVE-2013-1667: important rehashing flaw

Nicholas Clark nick at ccl4.org
Mon Mar 4 15:26:35 GMT 2013


Technically this is off topic:

----- Forwarded message from Ricardo Signes <perl.p5p at rjbs.manxome.org> -----

Date: Mon, 4 Mar 2013 10:20:11 -0500
From: Ricardo Signes <perl.p5p at rjbs.manxome.org>
To: perl5-porters at perl.org
Subject: CVE-2013-1667: important rehashing flaw
User-Agent: Mutt/1.5.21 (2010-09-15)


The following message concerns a hash-related flaw in perl 5, which has been
assigned CVE-2013-1667.

In order to prevent an algorithmic complexity attack against its hashing
mechanism, perl will sometimes recalculate keys and redistribute the contents
of a hash.  This mechanism has made perl robust against attacks that have
been demonstrated against other systems.

Research by Yves Orton has recently uncovered a flaw in the rehashing code
which can result in pathological behavior.  This flaw could be exploited to
carry out a denial of service attack against code that uses arbitrary user
input as hash keys.

Because using user-provided strings as hash keys is a very common operation, we
urge users of perl to update their perl executable as soon as possible.
Updates to address this issue have been pushed to maint-5.8, maint-5.10,
maint-5.12, maint-5.14, and maint-5.16 branches today.  Vendors* were informed
of this problem two weeks ago and are expected to be shipping updates today (or
otherwise very soon).

bleadperl is not affected.

This issue affects all production versions of perl from 5.8.2 to 5.16.x. It
does not affect the upcoming perl 5.18.

This issue has been assigned the identifier CVE-2013-1667.

In the next few weeks, expect to see a more detailed post from researcher Yves
Orton or me.

--
rjbs



----- End forwarded message -----


You will be wanting to be sure that this one is patched, either by your
vendor, or locally if you maintain your own build. The fix is under 40 lines,
most of which is *deleting* code and comments.

If you know how to attack it, the results are pretty ugly, and pretty much
impossible to mitigate in user code. Right now, we don't think that anyone
*else* knows how to do it. You're only safe from DOS as long as this remains
the case.

Nicholas Clark


More information about the london.pm mailing list