develooper Front page | perl.perl5.porters | Postings from March 2013

Re: CVE-2013-1667: important rehashing flaw

From:
demerphq
Date:
March 5, 2013 12:32
Subject:
Re: CVE-2013-1667: important rehashing flaw
Message ID:
CANgJU+Ukw3wd+bUq5Mg8RpMvtMPPDTchMgsuGshOwqrumccaaA@mail.gmail.com
On 4 March 2013 16:20, Ricardo Signes <perl.p5p@rjbs.manxome.org> wrote:
>
> The following message concerns a hash-related flaw in perl 5, which has been
> assigned CVE-2013-1667.
>
> In order to prevent an algorithmic complexity attack against its hashing
> mechanism, perl will sometimes recalculate keys and redistribute the contents
> of a hash.  This mechanism has made perl robust against attacks that have
> been demonstrated against other systems.
>
> Research by Yves Orton has recently uncovered a flaw in the rehashing code
> which can result in pathological behavior.  This flaw could be exploited to
> carry out a denial of service attack against code that uses arbitrary user
> input as hash keys.
>
> Because using user-provided strings as hash keys is a very common operation, we
> urge users of perl to update their perl executable as soon as possible.
> Updates to address this issue have been pushed to the maint-5.8, maint-5.10,
> maint-5.12, maint-5.14, and maint-5.16 branches today.  Vendors* were informed
> of this problem two weeks ago and are expected to be shipping updates today (or
> otherwise very soon).
>
> bleadperl is not affected.
>
> This issue affects all production versions of perl from 5.8.2 to 5.16.x. It
> does not affect the upcoming perl 5.18.
>
> This issue has been assigned the identifier CVE-2013-1667.
>
> In the next few weeks, expect to see a more detailed post from researcher Yves
> Orton or me.

I was thinking I would release a full-disclosure document in the
middle to last week of March.

That way vendors have a bit longer to patch before we release the full details.

Yves


-- 
perl -Mre=debug -e "/just|another|perl|hacker/"
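The advisory above gives a version range (5.8.2 through 5.16.x) but no way to check a deployed interpreter, and the details of the rehashing flaw are withheld pending full disclosure. The following is an added example, not code from the advisory or from the perl project: it checks whether the running perl's `$]` falls inside the affected range, and then exercises the documented mechanism that the advisory refers to by filling a hash with arbitrary keys and reporting bucket usage via `scalar(%h)` (which in perls before 5.26 returns "used/total" buckets) together with the per-process hash seed from the core `Hash::Util` module. The 10000-key fill is a constructed input; the sub and file names are the example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Hash::Util qw(hash_seed);

# Decide from a numeric perl version ($] style, e.g. 5.016003) whether the
# interpreter falls inside the range the advisory names: 5.8.2 .. 5.16.x.
# 5.18 and bleadperl are stated as unaffected. Note that this is purely a
# version test: a vendor perl that backported the fix keeps its old $].
sub affected_by_cve_2013_1667 {
    my ($v) = @_;
    $v = $] unless defined $v;
    my ($rev, $frac) = split /\./, sprintf('%.6f', $v);
    my $minor = substr($frac, 0, 3) + 0;   # "016" -> 16
    my $patch = substr($frac, 3, 3) + 0;   # "003" -> 3
    return 0 unless $rev == 5;
    return 0 if $minor < 8;
    return 0 if $minor == 8 && $patch < 2;
    return 0 if $minor > 16;
    return 1;
}

# Fill a hash with many distinct keys, as code keyed on user input would,
# and return perl's own bucket statistics for it. Before 5.26 scalar(%h)
# in scalar context yields "used/total" buckets; on 5.26+ it is the key
# count, so the report is only meaningful on the versions discussed here.
sub bucket_report {
    my ($n) = @_;
    my %h;
    $h{"key$_"} = 1 for 1 .. $n;   # constructed input: n synthetic keys
    return scalar(%h);
}

printf "perl %vd: %s\n", $^V,
    affected_by_cve_2013_1667()
        ? 'inside the affected range 5.8.2-5.16.x; apply the vendor update'
        : 'outside the affected range';
printf "hash seed for this process: %s\n", unpack('H*', hash_seed());
printf "bucket usage after 10000 keys (used/total): %s\n", bucket_report(10000);
```

Run it with the perl you actually serve traffic from (`/usr/bin/perl` and a locally built perl may differ). Because the fix shipped as vendor updates without a version bump on the maint branches, treat "inside the affected range" as a prompt to confirm the package changelog rather than as proof of exposure.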
