Bug 396329 (CVE-2012-1150)

Summary: <dev-lang/python-{2.6.8,2.7.3-r1,3.1.5,3.2.3} Hash collision DoS (CVE-2012-1150)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://cryptanalysis.eu/blog/2011/12/28/effective-dos-attacks-against-web-application-plattforms-hashdos/
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 396397

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2011-12-28 16:06:15 UTC
+++ This bug was initially created as a clone of Bug #396311 +++

See $URL for a more elaborate explanation, I'll update this with more detail later.

Specially crafted POST parameters can be used to cause hash table operations with a time complexity of O(n^2), causing a Denial of Service.

Python upstream has yet to comment on the issue.
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2011-12-28 16:14:39 UTC
I've sent email to security@python.org.
Comment 2 Viorel Tabara 2012-02-01 00:01:53 UTC
Upstream tracking bug: http://bugs.python.org/issue13703
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-04-12 12:56:48 UTC
Upstream have released new versions of Python that include a hash randomization feature.

This feature is NOT enabled by default; a comment on LWN's news item [1] suggests that starting with 3.3, it will be the default.

Python team: Bump time.

[1] http://lwn.net/Articles/491939/
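Comment 3 notes that the new hash randomization is off by default in these releases and is switched on per process with -R or PYTHONHASHSEED. The script below is added here as an illustration; it is not code from the bug report, from Gentoo's ebuilds or from Python upstream. It starts child interpreters under different seeds to show what the mitigation changes: sys.flags.hash_randomization reports whether it is active, the same seed reproduces the same hash, and different seeds give different hashes for the same key, which is what stops a collision set precomputed against one process from colliding in another. It assumes a Python 3 interpreter where PYTHONHASHSEED and sys.flags.hash_randomization exist (3.2.3 and later; on by default since 3.3); the PROBE string and the function names are the example's own.

```python
import os
import subprocess
import sys

# Added example (not from the bug report or Python upstream): probe the
# hash randomization mitigation introduced for CVE-2012-1150.
# The child prints "<hash of argv[1]> <hash_randomization flag>".
PROBE = "import sys; print(hash(sys.argv[1]), int(sys.flags.hash_randomization))"


def probe_child(value, seed):
    """Start a fresh interpreter with PYTHONHASHSEED=seed and return
    (hash(value), hash_randomization_flag) as reported by that child.
    A child process is required because the seed is fixed at startup."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    out = subprocess.check_output([sys.executable, "-c", PROBE, value], env=env)
    h, flag = out.decode().split()
    return int(h), int(flag)


def randomization_flag(seed):
    """sys.flags.hash_randomization in a child started with the given seed:
    0 when PYTHONHASHSEED=0 (feature off, the pre-3.3 default), 1 otherwise."""
    return probe_child("x", seed)[1]


def seed_is_stable(value="gentoo", seed=1):
    """Same seed, same hash: pinning the seed keeps builds and tests
    reproducible while randomization stays available in production."""
    return probe_child(value, seed)[0] == probe_child(value, seed)[0]


def seeds_diverge(value="gentoo", seeds=(1, 2, 3)):
    """Different seeds give different hashes for the same key, so a set of
    colliding keys prepared for one process does not collide in another."""
    hashes = [probe_child(value, s)[0] for s in seeds]
    return len(set(hashes)) == len(hashes)


def current_process_randomized():
    """Whether the interpreter running this code has randomization active."""
    return bool(sys.flags.hash_randomization)


if __name__ == "__main__":
    print("randomization flag with PYTHONHASHSEED=0:", randomization_flag(0))
    print("randomization flag with PYTHONHASHSEED=1:", randomization_flag(1))
    print("same seed reproduces hash:", seed_is_stable())
    print("different seeds diverge:", seeds_diverge())
    print("this process randomized:", current_process_randomized())
```

For the versions in this bug, an application that relies on dict lookups over untrusted keys needs the interpreter started with -R (or PYTHONHASHSEED=random) for the flag to read 1; a service that reports 0 here is still running the pre-fix behaviour.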
Comment 4 Dirkjan Ochtman (RETIRED) gentoo-dev 2012-04-12 13:04:30 UTC
2.7.3 is ready and waiting for the mirrors to circulate the patchset. I'll likely get to 3.2.3 tomorrow.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-04-14 06:06:01 UTC
(In reply to comment #4)
> 2.7.3 is ready and waiting for the mirrors to circulate the patchset. I'll
> likely get to 3.2.3 tomorrow.

Thanks. Would 3.2.3 be a target for stabilization? Or, asked another way, shall we stabilize just 2.7.3 here, or wait and stabilize 2.7.3 and 3.2.3 together?
Comment 6 Mike Gilbert gentoo-dev 2012-04-26 16:33:45 UTC
+*python-3.1.5 (26 Apr 2012)
+*python-2.7.3-r1 (26 Apr 2012)
+*python-3.2.3 (26 Apr 2012)
+*python-2.6.8 (26 Apr 2012)
+
+  26 Apr 2012; Mike Gilbert <floppym@gentoo.org> +python-2.6.8.ebuild,
+  +python-2.7.3-r1.ebuild, +python-3.1.5.ebuild, +python-3.2.3.ebuild:
+  Version bumps for security bug 396329. Ebuilds and patchsets based on work by
+  Arfrever in Progress overlay.
+

I think it would be appropriate to stabilize all 4 versions above.
Comment 7 Dirkjan Ochtman (RETIRED) gentoo-dev 2012-04-27 12:39:03 UTC
I'd prefer to hold off on stabilization for a little bit, while we discuss the patch set.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2012-05-11 15:18:44 UTC
Hi, folks. Shall we move forward with stabilization now? Tnx.
Comment 9 Dirkjan Ochtman (RETIRED) gentoo-dev 2012-05-11 15:49:07 UTC
Yes, please.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2012-05-11 15:56:54 UTC
Great, thanks.

Arches, please test and mark stable:
=dev-lang/python-2.6.8
=dev-lang/python-2.7.3-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

=dev-lang/python-3.1.5
=dev-lang/python-3.2.3
Target keywords : "amd64 hppa ppc ppc64 x86"

@python is that correct, or should we be targeting 3.2.3-r1 and 2.7.3-r2 instead?
Comment 11 Arfrever Frehtes Taifersar Arahesis 2012-05-11 16:04:07 UTC
The fix for the security vulnerability is incomplete:
http://bugs.python.org/issue14621
Comment 12 Dirkjan Ochtman (RETIRED) gentoo-dev 2012-05-11 16:08:33 UTC
We shouldn't delay stabilization over comment 11.
Comment 13 Tobias Klausmann (RETIRED) gentoo-dev 2012-05-12 11:00:32 UTC
Stable on alpha:

=dev-lang/python-2.6.8
=dev-lang/python-2.7.3-r1
Comment 14 Maurizio Camisaschi (amd64 AT) 2012-05-13 15:45:13 UTC
amd64 ok
Comment 15 Agostino Sarubbo gentoo-dev 2012-05-14 16:37:10 UTC
amd64 stable, thanks k01 for testing
Comment 16 Mark Loeser (RETIRED) gentoo-dev 2012-05-14 21:13:44 UTC
ppc/ppc64 done
Comment 17 Jeroen Roovers (RETIRED) gentoo-dev 2012-05-16 14:15:08 UTC
Stable for HPPA.
Comment 18 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-05-17 08:40:09 UTC
x86 stable
Comment 19 Markus Meier gentoo-dev 2012-05-26 10:43:02 UTC
arm stable
Comment 20 Raúl Porcel (RETIRED) gentoo-dev 2012-05-26 17:26:17 UTC
ia64/m68k/s390/sh/sparc stable
Comment 21 Sean Amoss (RETIRED) gentoo-dev Security 2012-05-26 18:55:42 UTC
Thanks, everyone.

Added to existing GLSA request.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2012-10-07 23:16:47 UTC
CVE-2012-1150 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1150):
  Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before
  3.2.3 computes hash values without restricting the ability to trigger hash
  collisions predictably, which allows context-dependent attackers to cause a
  denial of service (CPU consumption) via crafted input to an application that
  maintains a hash table.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2014-01-06 21:28:04 UTC
This issue was resolved and addressed in GLSA 201401-04 at http://security.gentoo.org/glsa/glsa-201401-04.xml by GLSA coordinator Sergey Popov (pinkbyte).