Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 405959 (CVE-2012-0839) - <dev-ml/ocamlnet-3.5: Hash collision DoS vulnerability (CVE-2012-0839)
Summary: <dev-ml/ocamlnet-3.5: Hash collision DoS vulnerability (CVE-2012-0839)
Status: RESOLVED FIXED
Alias: CVE-2012-0839
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-02-26 20:19 UTC by GLSAMaker/CVETool Bot
Modified: 2012-08-14 16:02 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2012-02-26 20:19:11 UTC 
CVE-2012-0839 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0839):
  OCaml 3.12.1 and earlier computes hash values without restricting the
  ability to trigger hash collisions predictably, which allows
  context-dependent attackers to cause a denial of service (CPU consumption)
  via crafted input to an application that maintains a hash table.


More information: http://www.mail-archive.com/caml-list@inria.fr/msg01477.html
Comment 1 Alexis Ballier gentoo-dev 2012-02-28 12:53:43 UTC 
I dont understand what you expect here, ocaml is a language and dev-lang/ocaml its compiler and interpreter; you wouldnt blame gcc because 'while(1)' is allowed in C...
Comment 2 Alexis Ballier gentoo-dev 2012-02-28 12:59:31 UTC 
things like this can be relevant though, but its rather at application level than compiler level:

011-12-30 Gerd Stolpmann <gerd@gerd-stolpmann.de>

        * Security: adding limit max_arguments to Netcgi. This is more
          a general measure of precaution against DoS attacks where
          a specially crafted POST request contains many keys that
          collide massively in the hash table. Actually, Ocamlnet is
          not directly vulnerable; however, application programs can
          nevertheless be when they access a degenerated hash table.

(changelog of dev-ml/ocamlnet-3.5)
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-02-29 22:06:35 UTC 
(In reply to comment #2)
> things like this can be relevant though, but its rather at application level
> than compiler level:
> 
> 011-12-30 Gerd Stolpmann <gerd@gerd-stolpmann.de>
> 
>         * Security: adding limit max_arguments to Netcgi. This is more
>           a general measure of precaution against DoS attacks where
>           a specially crafted POST request contains many keys that
>           collide massively in the hash table. Actually, Ocamlnet is
>           not directly vulnerable; however, application programs can
>           nevertheless be when they access a degenerated hash table.
> 
> (changelog of dev-ml/ocamlnet-3.5)

Thanks for this. Can we move forward and stabilize =dev-ml/ocamlnet-3.5?
Comment 4 Alexis Ballier gentoo-dev 2012-02-29 22:32:38 UTC 
(In reply to comment #3)

> Thanks for this. Can we move forward and stabilize =dev-ml/ocamlnet-3.5?

yes
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-02-29 22:34:03 UTC 
Arches, please test and mark stable:
=dev-ml/ocamlnet-3.5
Target keywords : "amd64 ppc x86"
Comment 6 Agostino Sarubbo gentoo-dev 2012-03-02 15:03:15 UTC 
amd64 stable
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-03-15 18:21:37 UTC 
x86 stable
Comment 8 Michael Weber (RETIRED) gentoo-dev 2012-06-14 17:54:00 UTC 
ppc stable
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-06-14 19:11:54 UTC 
Thanks, everyone. 

GLSA vote: yes.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2012-06-16 22:59:34 UTC 
GLSA Vote: no.
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2012-08-14 16:02:29 UTC 
NO too, closing.