Bug 396399 (CVE-2012-5372)

Summary:	dev-lang/rubinius: Hash collision DoS (CVE-2012-5372)
Product:	Gentoo Security	Reporter:	Alex Legler (RETIRED) <a3li>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	glsamaker, ruby
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://www.ocert.org/advisories/ocert-2011-003.html
Whiteboard:	~3 [noglsa]
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	396397

Description Alex Legler (RETIRED) archtester

2011-12-29 10:20:30 UTC

Specially crafted POST parameters can be used to cause hash table operations
with a time complexity of O(n^2), causing a Denial of Service.

As per $URL, Rubinius is affected. There is no CVE assigned yet for this flaw in Rubinius.

Comment 1 Chris Reffett (RETIRED) gentoo-dev

2013-10-04 20:56:45 UTC

Patch available at https://github.com/rubinius/rubinius/commit/a9a40fc6a1256bcf6382631b710430105c5dd868 but it looks like it adds a dependency in the process.

Comment 2 Manuel Rüger (RETIRED) gentoo-dev

2015-07-02 09:30:48 UTC

*** Bug 445342 has been marked as a duplicate of this bug. ***

Comment 3 Manuel Rüger (RETIRED) gentoo-dev

2015-07-02 09:31:09 UTC

(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2012-5372 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5372):
>   Rubinius computes hash values without properly restricting the ability to
>   trigger hash collisions predictably, which allows context-dependent
>   attackers to cause a denial of service (CPU consumption) via crafted input
>   to an application that maintains a hash table, as demonstrated by a
>   universal multicollision attack against the MurmurHash3 algorithm.

Comment 4 Manuel Rüger (RETIRED) gentoo-dev

2015-07-02 09:35:01 UTC

Vulnerable ebuilds have been removed. Package was never put into stable.

GLSA coordinators: Please resolve this bug.