CVE-2013-1667: important rehashing flaw

Leo Lapworth leo at
Tue Mar 12 08:58:37 GMT 2013

All updated now


On 12 March 2013 04:52, Toby Wintermute <tjc at> wrote:
> I note that while 5.16.3 is visible on CPAN, no-one seems to have
> updated yet - it still offers 5.16.2 as the latest release
> for download.
> On 5 March 2013 02:26, Nicholas Clark <nick at> wrote:
>> Technically this is off topic:
>> ----- Forwarded message from Ricardo Signes <perl.p5p at> -----
>> Date: Mon, 4 Mar 2013 10:20:11 -0500
>> From: Ricardo Signes <perl.p5p at>
>> To: perl5-porters at
>> Subject: CVE-2013-1667: important rehashing flaw
>> User-Agent: Mutt/1.5.21 (2010-09-15)
>> The following message concerns a hash-related flaw in perl 5, which has been
>> assigned CVE-2013-1667.
>> In order to prevent an algorithmic complexity attack against its hashing
>> mechanism, perl will sometimes recalculate keys and redistribute the contents
>> of a hash.  This mechanism has made perl robust against attacks that have
>> been demonstrated against other systems.
>> Research by Yves Orton has recently uncovered a flaw in the rehashing code
>> which can result in pathological behavior.  This flaw could be exploited to
>> carry out a denial of service attack against code that uses arbitrary user
>> input as hash keys.
>> Because using user-provided strings as hash keys is a very common operation, we
>> urge users of perl to update their perl executable as soon as possible.
>> Updates to address this issue have bene pushed to main-5.8, maint-5.10,
>> maint-5.12, maint-5.14, and maint-5.16 branches today.  Vendors* were informed
>> of this problem two weeks ago and are expected to be shipping updates today (or
>> otherwise very soon).
>> bleadperl is not affected.
>> This issues affects all production versions of perl from 5.8.2 to 5.16.x. It
>> does not affect the upcoming perl 5.18.
>> This issue has been assigned the identifier CVE-2013-1667.
>> In the next few weeks, expect to see a more detailed post from researcher Yves
>> Orton or me.
>> --
>> rjbs
>> ----- End forwarded message -----
>> You will be wanting to be sure that this one is patched, either by your
>> vendor, or locally if you maintain your own build. The fix is under 40 lines,
>> most of which is *deleting* code and comments.
>> If you know how to attack it, the results are pretty ugly, and pretty much
>> impossible to mitigate in user code. Right now, we don't think that anyone
>> *else* knows how to do it. You're only safe from DOS as long as this remains
>> the case.
>> Nicholas Clark
> --
> Turning and turning in the widening gyre
> The falcon cannot hear the falconer
> Things fall apart; the center cannot hold
> Mere anarchy is loosed upon the world

More information about the mailing list