Bug 399089 (CVE-2012-0840)

Summary: <dev-libs/apr-1.4.8-r1: Hash collision DoS (CVE-2012-0840)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: alexanderyt, apache-bugs, n0idx80, pva
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=781606
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 477296    
Bug Blocks: 396397    

Description Agostino Sarubbo gentoo-dev 2012-01-16 16:16:27 UTC
From Red Hat Bugzilla at $URL:

Description:
Julian Wälde and Alexander Klink reported a way to degrade performance of the
Java Hashtable implementation by filling the hash table with keys with
identical hash codes - see bug #770929 for details.

The apr developers are looking at adding randomization [1] to apr to mitigate
such attacks.  It is unknown how such attacks may be mounted against
applications using libapr, or what the result might be, but the developers are
discussing how best to address this.  There is currently no formal patch or
commit to apr.

[1] http://www.mail-archive.com/dev%40apr.apache.org/msg24439.html


Solution:
http://svn.apache.org/viewvc?view=revision&revision=1231605
http://svn.apache.org/viewvc?view=revision&revision=1231858
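
Added example (not part of the bug report and not APR's code): the collision effect the description refers to, measured as the longest bucket chain in a 64-bucket table. The multiply-by-33 hash, the constructed keys and all function names are assumptions made for illustration; SipHash-2-4 stands in as a keyed hash chosen for this example.

```c
#include <stdint.h>
#include <string.h>

#define NKEYS 16u
#define NBUCKETS 64u /* power of two: bucket index = hash & (NBUCKETS - 1) */
#define ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)
typedef uint64_t (*hash_fn)(const unsigned char *, size_t, uint64_t, uint64_t);

/* Textbook multiply-by-33 hash (illustration only); k0 is just the start value. */
uint64_t times33(const unsigned char *s, size_t n, uint64_t k0, uint64_t k1) {
    uint32_t h = (uint32_t)k0; (void)k1;
    for (size_t i = 0; i < n; i++) h = h * 33u + s[i];
    return h;
}

/* SipHash-2-4: which inputs collide depends on the secret 128-bit key (k0, k1). */
uint64_t siphash24(const unsigned char *s, size_t n, uint64_t k0, uint64_t k1) {
    uint64_t v0 = k0 ^ 0x736f6d6570736575ULL, v1 = k1 ^ 0x646f72616e646f6dULL;
    uint64_t v2 = k0 ^ 0x6c7967656e657261ULL, v3 = k1 ^ 0x7465646279746573ULL;
    uint64_t m = 0, last = (uint64_t)n << 56;  /* final word carries the length */
    for (size_t i = 0; i < n; i++) {
        if (i / 8 == n / 8) { last |= (uint64_t)s[i] << (8 * (i % 8)); continue; }
        m |= (uint64_t)s[i] << (8 * (i % 8));  /* little-endian 8-byte words */
        if (i % 8 == 7) { v3 ^= m; SIPROUND; SIPROUND; v0 ^= m; m = 0; }
    }
    v3 ^= last; SIPROUND; SIPROUND; v0 ^= last;
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Longest bucket chain after inserting 16 constructed 8-byte keys, each built
   from four blocks "Ez" or "FY" (69*33+122 == 70*33+89, so the blocks hash alike). */
unsigned longest_chain(hash_fn h, uint64_t k0, uint64_t k1) {
    unsigned count[NBUCKETS] = {0}, worst = 0;
    for (unsigned i = 0; i < NKEYS; i++) {
        unsigned char key[8];
        for (unsigned b = 0; b < 4; b++)
            memcpy(key + 2 * b, ((i >> b) & 1u) ? "FY" : "Ez", 2);
        unsigned idx = (unsigned)(h(key, sizeof key, k0, k1) & (NBUCKETS - 1u));
        if (++count[idx] > worst) worst = count[idx];
    }
    return worst;
}
```

`longest_chain(times33, seed, 0)` returns 16 for every seed, because equal-length keys that collide under this hash keep colliding when the seed is only the starting value; `longest_chain(siphash24, k0, k1)` spreads the same keys across buckets.
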
Comment 1 Arfrever Frehtes Taifersar Arahesis 2012-01-16 21:09:26 UTC
Discussion on the APR development mailing list seems to imply that the fix is incompatible and will never be backported to APR 1.*.
Comment 4 Arfrever Frehtes Taifersar Arahesis 2012-02-28 11:20:18 UTC
APR project says that there is no security vulnerability:
http://www.mail-archive.com/dev%40apr.apache.org/msg24609.html
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-02-29 22:37:12 UTC
*** Bug 403731 has been marked as a duplicate of this bug. ***
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2012-02-29 22:43:46 UTC
Oh, what would security be without drama? ;)

From that last link:

> Contrary to Mr Seifreid's confusion, the recent code
> changes reflect a possibility of mitigating potential hash collisions,
> but certainly do not and can not eliminate such risks, and it is up to
> the developer to select appropriate storage and lookup mechanisms for
> their specific problem domain.

@apache, am I correct to believe these changes are in 1.4.6? And shall we stabilize this for good measure? Thanks much.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-02-29 22:58:57 UTC
@apache, Arfrever pointed out to me that these changes in APR may cause downstream tests to fail. The example shared was:

https://svn.apache.org/viewvc?view=revision&revision=1293602

Thanks, Arfrever.
Comment 8 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 20:05:19 UTC
@maintainers: okay to stable apr-1.4.8-r1 on sh in order to drop 1.4.5?
Comment 9 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-25 17:56:10 UTC
sh -> ~arch, no longer a concern. @maintainers: please drop affected, will remove in 30 days if no response. GLSA vote: no.
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-25 21:04:42 UTC
Stabilization completed in 477296. 

GLSA vote: yes. I had an existing draft.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-05-18 17:54:18 UTC
This issue was resolved and addressed in
 GLSA 201405-24 at http://security.gentoo.org/glsa/glsa-201405-24.xml
by GLSA coordinator Sean Amoss (ackle).