| Field | Value |
|---|---|
| Summary | dev-lang/rubinius: Hash collision DoS (CVE-2012-5372) |
| Product | Gentoo Security |
| Reporter | Alex Legler (RETIRED) <a3li> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | trivial |
| CC | glsamaker, ruby |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.ocert.org/advisories/ocert-2011-003.html |
| Whiteboard | ~3 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 396397 |
Description
Alex Legler (RETIRED)
2011-12-29 10:20:30 UTC
Patch available at https://github.com/rubinius/rubinius/commit/a9a40fc6a1256bcf6382631b710430105c5dd868 but it looks like it adds a dependency in the process.

*** Bug 445342 has been marked as a duplicate of this bug. ***

(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2012-5372 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5372):
> Rubinius computes hash values without properly restricting the ability to
> trigger hash collisions predictably, which allows context-dependent
> attackers to cause a denial of service (CPU consumption) via crafted input
> to an application that maintains a hash table, as demonstrated by a
> universal multicollision attack against the MurmurHash3 algorithm.

Vulnerable ebuilds have been removed. Package was never put into stable. GLSA coordinators: Please resolve this bug.