develooper Front page | perl.perl5.porters | Postings from March 2013

Re: CVE-2013-1667: important rehashing flaw

Thread Previous | Thread Next
March 5, 2013 12:32
Re: CVE-2013-1667: important rehashing flaw
Message ID:
On 4 March 2013 16:20, Ricardo Signes <> wrote:
> The following message concerns a hash-related flaw in perl 5, which has been
> assigned CVE-2013-1667.
> In order to prevent an algorithmic complexity attack against its hashing
> mechanism, perl will sometimes recalculate keys and redistribute the contents
> of a hash.  This mechanism has made perl robust against attacks that have
> been demonstrated against other systems.
> Research by Yves Orton has recently uncovered a flaw in the rehashing code
> which can result in pathological behavior.  This flaw could be exploited to
> carry out a denial of service attack against code that uses arbitrary user
> input as hash keys.
> Because using user-provided strings as hash keys is a very common operation, we
> urge users of perl to update their perl executable as soon as possible.
> Updates to address this issue have bene pushed to main-5.8, maint-5.10,
> maint-5.12, maint-5.14, and maint-5.16 branches today.  Vendors* were informed
> of this problem two weeks ago and are expected to be shipping updates today (or
> otherwise very soon).
> bleadperl is not affected.
> This issues affects all production versions of perl from 5.8.2 to 5.16.x. It
> does not affect the upcoming perl 5.18.
> This issue has been assigned the identifier CVE-2013-1667.
> In the next few weeks, expect to see a more detailed post from researcher Yves
> Orton or me.

I was thinking I would release a full-disclosure document in the
middle to last week of march.

That was vendors have a bit longer to patch before we release the full details.


perl -Mre=debug -e "/just|another|perl|hacker/"

Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About