|Summary:||<dev-lang/ruby-1.8.7_p357, dev-lang/ruby-enterprise Hash collision DoS (CVE-2011-4815)|
|Product:||Gentoo Security||Reporter:||Hans de Graaff <graaff>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
Description Hans de Graaff 2011-12-28 13:50:09 UTC
"The situation is similar to the one found for Perl in 2003. In 1.8 series of Ruby, we use a deterministic hash function to hash a string. Here the "deterministic" means no other bits of information than the input string itself is involved to generate a hash value. So you can precalculate a string's hash value beforehand. By collecting a series of strings that have the identical hash value, an attacker can let ruby process collide bins of hash tables (including Hash class instances). Hash tables' amortized O(1) attribute depends on uniformity of distribution of hash values. By giving such crafted input, an attacker can let hash tables work much slower than expected (namely O(n^2) to construct an n-element table in this case)."

ruby 1.9 is not affected. It's likely that ruby-enterprise-edition is also affected, but that has not been confirmed.
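As an added illustration (not part of the bug report or of Ruby's own code): a small check for whether the running interpreter seeds String#hash per process, which is the mitigation that 1.8.7_p357 and 1.9 carry. Function names and the sample string are my own choices.

```ruby
# Added check, not from the bug report: is String#hash seeded per process on
# this interpreter? A hash that is identical in every process is exactly the
# "deterministic" property described above, which lets collisions be
# precomputed (CVE-2011-4815); a per-process seed removes that precondition.
require 'rbconfig'

# Path of the interpreter we are running under, so children use the same one.
RUBY_BIN = RbConfig.respond_to?(:ruby) ? RbConfig.ruby :
  File.join(RbConfig::CONFIG['bindir'], RbConfig::CONFIG['ruby_install_name'])

# Compute str.hash in a freshly started interpreter and return it as an Integer.
# The array form of IO.popen passes arguments without a shell.
def hash_in_fresh_process(str)
  out = IO.popen([RUBY_BIN, '-e', 'print ARGV[0].hash', str]) { |io| io.read }
  Integer(out)
end

# True when the same string hashes differently in separate processes, i.e. the
# interpreter uses a per-process seed. A seeded hash agreeing in all `runs`
# fresh processes is astronomically unlikely; a deterministic hash always agrees.
def hash_randomized?(str = 'gentoo', runs = 4)
  values = Array.new(runs) { hash_in_fresh_process(str) }
  values.uniq.size > 1
end

# Within one process the value must stay stable, or Hash lookups would break;
# seeding changes the value between processes, not within one.
def stable_in_process?(str = 'gentoo')
  str.hash == String.new(str).hash
end

if __FILE__ == $0
  puts "stable within this process: #{stable_in_process?}"
  puts "seeded per process:         #{hash_randomized?}" \
       " (false means a deterministic hash, as in ruby-1.8.7 before p357)"
end
```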
Comment 1 Alex Legler (RETIRED) 2011-12-28 14:26:24 UTC
ruby-enterprise uses the same code.
Comment 2 Hans de Graaff 2011-12-28 14:37:45 UTC
I have a version of dev-lang/ruby-1.8.7_p357 locally that I will test first.
Comment 3 Alex Legler (RETIRED) 2011-12-28 17:38:38 UTC
Arches, please test and mark stable: =dev-lang/ruby-1.8.7_p357
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 teidakankan 2011-12-28 22:47:30 UTC
I needed this glibc patch to compile this on ~x86: https://bugs.gentoo.org/show_bug.cgi?id=370413
Comment 5 Geoff Madden 2011-12-29 07:56:15 UTC
Hi, I placed spanky's patch into /etc/portage/patches/sys-libs/glibc. Although the path is mentioned in /var/tmp/portage/sys-libs/glibc-2.14-r1,epatch_user.applied, on checking the log file the 0068******* isn't mentioned at the top of the patches. So my question is: what did I miss doing, or should I read further down? Geoff
Comment 6 Agostino Sarubbo 2011-12-29 09:55:12 UTC
Comment 7 Roman Porizka 2011-12-29 15:03:57 UTC
Could not compile ruby 1.8.7_p357, because of:

cp ../.././ext/dl/lib/dl/import.rb ../../.ext/common/dl
cp ../.././ext/dl/lib/dl/struct.rb ../../.ext/common/dl
cp ../.././ext/dl/lib/dl/win32.rb ../../.ext/common/dl
cp ../.././ext/dl/lib/dl/types.rb ../../.ext/common/dl
In file included from dl.c:104:0:
callback.func:1:1: warning: data definition has no type or storage class
callback.func:1:7: error: expected identifier or ‘(’ before ‘long’
In file included from dl.c:104:0:
callback.func:78:33: error: expected ‘)’ before ‘(’ token
callback.func:79:3: warning: data definition has no type or storage class
callback.func:79:24: error: ‘proc’ undeclared here (not in a function)
callback.func:79:39: error: ‘argc’ undeclared here (not in a function)
callback.func:79:45: error: ‘argv’ undeclared here (not in a function)
callback.func:82:1: error: expected identifier or ‘(’ before ‘}’ token
dl.c:106:1: error: expected ‘;’, ‘,’ or ‘)’ before ‘static’
make: *** [dl.o] Error 1
make: *** Waiting for unfinished jobs....

Found that it is a known problem; see for example: http://aur.archlinux.org/packages.php?ID=30221
Comment 8 Alex Legler (RETIRED) 2011-12-29 15:07:36 UTC
(In reply to comment #7)
> callback.func:1:7: error: expected identifier or ‘(’ before ‘long’
...

PLEASE DO NOT report this error any more. The issue is known, has a fix and is just waiting for a glibc patch. Thanks.
Comment 9 Mark Loeser (RETIRED) 2011-12-29 20:28:15 UTC
Comment 10 Jeroen Roovers (RETIRED) 2011-12-30 03:53:42 UTC
Stable for HPPA.
Comment 11 GLSAMaker/CVETool Bot 2012-01-02 18:59:48 UTC
CVE-2011-4815 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4815): Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
Comment 12 Paweł Hajdan, Jr. (RETIRED) 2012-01-04 17:37:39 UTC
Comment 13 Raúl Porcel (RETIRED) 2012-01-08 15:39:41 UTC
Comment 14 Tim Sammut (RETIRED) 2012-01-08 19:03:38 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 15 Hans de Graaff 2012-03-02 08:24:56 UTC
This is also fixed in ruby-enterprise 1.8.7-2012.02 which got released about a week ago.
Comment 16 Sean Amoss (RETIRED) 2012-03-02 20:42:48 UTC
Added to existing GLSA request.
Comment 17 Dion Moult (RETIRED) 2013-03-24 11:13:48 UTC
A quick note that dev-lang/ruby-enterprise has been treecleaned, so it is no longer relevant to this bug.
Comment 18 GLSAMaker/CVETool Bot 2014-12-13 19:23:24 UTC
This issue was resolved and addressed in GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml by GLSA coordinator Sean Amoss (ackle).