CVE-2013-1667: important rehashing flaw

Toby Wintermute tjc at
Tue Mar 12 04:52:08 GMT 2013

I note that while 5.16.3 is visible on CPAN, no-one seems to have
updated yet - it still offers 5.16.2 as the latest release
for download.

On 5 March 2013 02:26, Nicholas Clark <nick at> wrote:
> Technically this is off topic:
> ----- Forwarded message from Ricardo Signes <perl.p5p at> -----
> Date: Mon, 4 Mar 2013 10:20:11 -0500
> From: Ricardo Signes <perl.p5p at>
> To: perl5-porters at
> Subject: CVE-2013-1667: important rehashing flaw
> User-Agent: Mutt/1.5.21 (2010-09-15)
> The following message concerns a hash-related flaw in perl 5, which has been
> assigned CVE-2013-1667.
> In order to prevent an algorithmic complexity attack against its hashing
> mechanism, perl will sometimes recalculate keys and redistribute the contents
> of a hash.  This mechanism has made perl robust against attacks that have
> been demonstrated against other systems.
> Research by Yves Orton has recently uncovered a flaw in the rehashing code
> which can result in pathological behavior.  This flaw could be exploited to
> carry out a denial of service attack against code that uses arbitrary user
> input as hash keys.
> Because using user-provided strings as hash keys is a very common operation, we
> urge users of perl to update their perl executable as soon as possible.
> Updates to address this issue have bene pushed to main-5.8, maint-5.10,
> maint-5.12, maint-5.14, and maint-5.16 branches today.  Vendors* were informed
> of this problem two weeks ago and are expected to be shipping updates today (or
> otherwise very soon).
> bleadperl is not affected.
> This issues affects all production versions of perl from 5.8.2 to 5.16.x. It
> does not affect the upcoming perl 5.18.
> This issue has been assigned the identifier CVE-2013-1667.
> In the next few weeks, expect to see a more detailed post from researcher Yves
> Orton or me.
> --
> rjbs
> ----- End forwarded message -----
> You will be wanting to be sure that this one is patched, either by your
> vendor, or locally if you maintain your own build. The fix is under 40 lines,
> most of which is *deleting* code and comments.
> If you know how to attack it, the results are pretty ugly, and pretty much
> impossible to mitigate in user code. Right now, we don't think that anyone
> *else* knows how to do it. You're only safe from DOS as long as this remains
> the case.
> Nicholas Clark

Turning and turning in the widening gyre
The falcon cannot hear the falconer
Things fall apart; the center cannot hold
Mere anarchy is loosed upon the world

More information about the mailing list