CVE-2013-1667: important rehashing flaw

Leo Lapworth leo at cuckoo.org
Tue Mar 12 08:58:37 GMT 2013


All updated now

Leo

On 12 March 2013 04:52, Toby Wintermute <tjc at wintrmute.net> wrote:
> I note that while 5.16.3 is visible on CPAN, no-one seems to have
> updated perl.org yet - it still offers 5.16.2 as the latest release
> for download.
>
> On 5 March 2013 02:26, Nicholas Clark <nick at ccl4.org> wrote:
>> Technically this is off topic:
>>
>> ----- Forwarded message from Ricardo Signes <perl.p5p at rjbs.manxome.org> -----
>>
>> Date: Mon, 4 Mar 2013 10:20:11 -0500
>> From: Ricardo Signes <perl.p5p at rjbs.manxome.org>
>> To: perl5-porters at perl.org
>> Subject: CVE-2013-1667: important rehashing flaw
>> User-Agent: Mutt/1.5.21 (2010-09-15)
>>
>>
>> The following message concerns a hash-related flaw in perl 5, which has been
>> assigned CVE-2013-1667.
>>
>> In order to prevent an algorithmic complexity attack against its hashing
>> mechanism, perl will sometimes recalculate keys and redistribute the contents
>> of a hash.  This mechanism has made perl robust against attacks that have
>> been demonstrated against other systems.
>>
>> Research by Yves Orton has recently uncovered a flaw in the rehashing code
>> which can result in pathological behavior.  This flaw could be exploited to
>> carry out a denial of service attack against code that uses arbitrary user
>> input as hash keys.
>>
>> Because using user-provided strings as hash keys is a very common operation, we
>> urge users of perl to update their perl executable as soon as possible.
>> Updates to address this issue have bene pushed to main-5.8, maint-5.10,
>> maint-5.12, maint-5.14, and maint-5.16 branches today.  Vendors* were informed
>> of this problem two weeks ago and are expected to be shipping updates today (or
>> otherwise very soon).
>>
>> bleadperl is not affected.
>>
>> This issues affects all production versions of perl from 5.8.2 to 5.16.x. It
>> does not affect the upcoming perl 5.18.
>>
>> This issue has been assigned the identifier CVE-2013-1667.
>>
>> In the next few weeks, expect to see a more detailed post from researcher Yves
>> Orton or me.
>>
>> --
>> rjbs
>>
>>
>>
>> ----- End forwarded message -----
>>
>>
>> You will be wanting to be sure that this one is patched, either by your
>> vendor, or locally if you maintain your own build. The fix is under 40 lines,
>> most of which is *deleting* code and comments.
>>
>> If you know how to attack it, the results are pretty ugly, and pretty much
>> impossible to mitigate in user code. Right now, we don't think that anyone
>> *else* knows how to do it. You're only safe from DOS as long as this remains
>> the case.
>>
>> Nicholas Clark
>
>
>
> --
> Turning and turning in the widening gyre
> The falcon cannot hear the falconer
> Things fall apart; the center cannot hold
> Mere anarchy is loosed upon the world


More information about the london.pm mailing list