Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 403731

Summary: <dev-libs/apr-1.4.6 APR library hash value predictability DoS (CVE-2012-0840)
Product: Gentoo Security Reporter: Michael Harrison <n0idx80>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: minor CC: apache-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0840
Whiteboard: B3 [ebuild]
Package list:
Runtime testing required: ---

Description Michael Harrison 2012-02-15 00:09:08 UTC 
A vulnerability has been found and corrected in ASF APR:

tables/apr_hash.c in the Apache Portable Runtime (APR) library through
1.4.5 computes hash values without restricting the ability to trigger
hash collisions predictably, which allows context-dependent attackers
to cause a denial of service (CPU consumption) via crafted input to
an application that maintains a hash table (CVE-2012-0840).

APR has been upgraded to the latest version (1.4.6) which holds many 
improvements over the previous versions and is not vulnerable to this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0840
http://www.apache.org/dist/apr/CHANGES-APR-1.4
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 01:11:45 UTC 
CVE-2012-0840 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0840):
  tables/apr_hash.c in the Apache Portable Runtime (APR) library through 1.4.5
  computes hash values without restricting the ability to trigger hash
  collisions predictably, which allows context-dependent attackers to cause a
  denial of service (CPU consumption) via crafted input to an application that
  maintains a hash table.
Comment 2 Christian Ruppert (idl0r) gentoo-dev 2012-02-28 08:08:54 UTC 
dev-libs/apr-1.4.6 is now in gentoo-x86.
Comment 3 Arfrever Frehtes Taifersar Arahesis 2012-02-28 11:20:56 UTC 
Duplicate of bug #399089.

APR project says that there is no security vulnerability:
http://www.mail-archive.com/dev%40apr.apache.org/msg24609.html
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-02-29 22:37:12 UTC 

*** This bug has been marked as a duplicate of bug 399089 ***