develooper Front page | perl.perl5.porters | Postings from March 2013

CVE-2013-1667: important rehashing flaw

Thread Next
From:
Ricardo Signes
Date:
March 4, 2013 15:20
Subject:
CVE-2013-1667: important rehashing flaw
Message ID:
20130304152011.GA30754@cancer.codesimply.com

The following message concerns a hash-related flaw in perl 5, which has been
assigned CVE-2013-1667.

In order to prevent an algorithmic complexity attack against its hashing
mechanism, perl will sometimes recalculate keys and redistribute the contents
of a hash.  This mechanism has made perl robust against attacks that have
been demonstrated against other systems.

Research by Yves Orton has recently uncovered a flaw in the rehashing code
which can result in pathological behavior.  This flaw could be exploited to
carry out a denial of service attack against code that uses arbitrary user
input as hash keys.

Because using user-provided strings as hash keys is a very common operation, we
urge users of perl to update their perl executable as soon as possible.
Updates to address this issue have bene pushed to main-5.8, maint-5.10,
maint-5.12, maint-5.14, and maint-5.16 branches today.  Vendors* were informed
of this problem two weeks ago and are expected to be shipping updates today (or
otherwise very soon).

bleadperl is not affected.

This issues affects all production versions of perl from 5.8.2 to 5.16.x. It
does not affect the upcoming perl 5.18.

This issue has been assigned the identifier CVE-2013-1667.

In the next few weeks, expect to see a more detailed post from researcher Yves
Orton or me.

--
rjbs


Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About