CVE-2013-1667: important rehashing flaw

Toby Wintermute tjc at wintrmute.net
Tue Mar 12 04:52:08 GMT 2013


I note that while 5.16.3 is visible on CPAN, no-one seems to have
updated perl.org yet - it still offers 5.16.2 as the latest release
for download.

On 5 March 2013 02:26, Nicholas Clark <nick at ccl4.org> wrote:
> Technically this is off topic:
>
> ----- Forwarded message from Ricardo Signes <perl.p5p at rjbs.manxome.org> -----
>
> Date: Mon, 4 Mar 2013 10:20:11 -0500
> From: Ricardo Signes <perl.p5p at rjbs.manxome.org>
> To: perl5-porters at perl.org
> Subject: CVE-2013-1667: important rehashing flaw
> User-Agent: Mutt/1.5.21 (2010-09-15)
>
>
> The following message concerns a hash-related flaw in perl 5, which has been
> assigned CVE-2013-1667.
>
> In order to prevent an algorithmic complexity attack against its hashing
> mechanism, perl will sometimes recalculate keys and redistribute the contents
> of a hash.  This mechanism has made perl robust against attacks that have
> been demonstrated against other systems.
>
> Research by Yves Orton has recently uncovered a flaw in the rehashing code
> which can result in pathological behavior.  This flaw could be exploited to
> carry out a denial of service attack against code that uses arbitrary user
> input as hash keys.
>
> Because using user-provided strings as hash keys is a very common operation, we
> urge users of perl to update their perl executable as soon as possible.
> Updates to address this issue have been pushed to maint-5.8, maint-5.10,
> maint-5.12, maint-5.14, and maint-5.16 branches today.  Vendors* were informed
> of this problem two weeks ago and are expected to be shipping updates today (or
> otherwise very soon).
>
> bleadperl is not affected.
>
> This issue affects all production versions of perl from 5.8.2 to 5.16.x. It
> does not affect the upcoming perl 5.18.
>
> This issue has been assigned the identifier CVE-2013-1667.
>
> In the next few weeks, expect to see a more detailed post from researcher Yves
> Orton or me.
>
> --
> rjbs
>
>
>
> ----- End forwarded message -----
>
>
> You will be wanting to be sure that this one is patched, either by your
> vendor, or locally if you maintain your own build. The fix is under 40 lines,
> most of which is *deleting* code and comments.
>
> If you know how to attack it, the results are pretty ugly, and pretty much
> impossible to mitigate in user code. Right now, we don't think that anyone
> *else* knows how to do it. You're only safe from DOS as long as this remains
> the case.
>
> Nicholas Clark



-- 
Turning and turning in the widening gyre
The falcon cannot hear the falconer
Things fall apart; the center cannot hold
Mere anarchy is loosed upon the world