Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 396399 (CVE-2012-5372)

Summary: dev-lang/rubinius: Hash collision DoS (CVE-2012-5372)
Product: Gentoo Security Reporter: Alex Legler (RETIRED) <a3li>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: trivial CC: glsamaker, ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 396397    

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2011-12-29 10:20:30 UTC
Specially crafted POST parameters can be used to cause hash table operations
with a time complexity of O(n^2), causing a Denial of Service.

As per $URL, Rubinius is affected. There is no CVE assigned yet for this flaw in Rubinius.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-04 20:56:45 UTC
Patch available at but it looks like it adds a dependency in the process.
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2015-07-02 09:30:48 UTC
*** Bug 445342 has been marked as a duplicate of this bug. ***
Comment 3 Manuel Rüger (RETIRED) gentoo-dev 2015-07-02 09:31:09 UTC
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2012-5372 (
>   Rubinius computes hash values without properly restricting the ability to
>   trigger hash collisions predictably, which allows context-dependent
>   attackers to cause a denial of service (CPU consumption) via crafted input
>   to an application that maintains a hash table, as demonstrated by a
>   universal multicollision attack against the MurmurHash3 algorithm.
Comment 4 Manuel Rüger (RETIRED) gentoo-dev 2015-07-02 09:35:01 UTC
Vulnerable ebuilds have been removed. Package was never put into stable.

GLSA coordinators: Please resolve this bug.