Bug 399089 (CVE-2012-0840) - <dev-libs/apr-1.4.8-r1: Hash collision DoS (CVE-2012-0840)
Summary: <dev-libs/apr-1.4.8-r1: Hash collision DoS (CVE-2012-0840)
Alias: CVE-2012-0840
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Duplicates: 403731
Depends on: 477296
Blocks: hashDoS
Reported: 2012-01-16 16:16 UTC by Agostino Sarubbo
Modified: 2014-05-18 17:54 UTC (History)
Description Agostino Sarubbo gentoo-dev 2012-01-16 16:16:27 UTC
From Red Hat Bugzilla at $URL:

Julian Wälde and Alexander Klink reported a way to degrade performance of the
Java Hashtable implementation by filling the hash table with keys with
identical hash codes - see bug #770929 for details.

The apr developers are looking at adding randomization [1] to apr to mitigate
such attacks.  It is unknown how such attacks may be mounted against
applications using libapr, or what the result might be, but the developers are
discussing how best to address this.  There is currently no formal patch or
commit to apr.
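The mechanism the description refers to, as an added example that is not APR's code and not part of this bug report: a tiny chained hash table in C whose hash takes a per-process seed, plus a helper that measures the longest bucket chain, which is the quantity an attacker-chosen key set drives up. Everything here is an assumption for illustration: the function names (`hash_seeded`, `max_chain_for_keys`, `random_seed`), the 16-bucket table, the seed mixing (a times-33 style loop whose multiplier is perturbed by the seed), and the eight constructed two-byte keys, which were picked so that their byte sums are equal and therefore all land in one bucket when the seed is 0.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NBUCKETS 16u  /* deliberately tiny so chain lengths are easy to read */

/* Seeded times-33 style hash (illustrative only, not APR's own function).
 * The seed perturbs the multiplier, not just the starting value: starting the
 * accumulator at the seed alone leaves same-length keys colliding exactly as
 * they did unseeded.  Real code should use a keyed hash such as SipHash. */
uint32_t hash_seeded(const char *key, uint32_t seed)
{
    uint32_t mult = 33u + 2u * (seed & 0x7fu);  /* always odd */
    uint32_t h = seed;
    for (const unsigned char *p = (const unsigned char *)key; *p != 0; p++)
        h = h * mult + *p;
    return h;
}

struct node { const char *key; struct node *next; };
struct table { struct node *buckets[NBUCKETS]; uint32_t seed; };

/* Prepend the key to its bucket's chain; returns -1 on allocation failure. */
static int table_insert(struct table *t, const char *key)
{
    struct node *n = malloc(sizeof *n);
    if (n == NULL) return -1;
    uint32_t b = hash_seeded(key, t->seed) & (NBUCKETS - 1u);
    n->key = key;
    n->next = t->buckets[b];
    t->buckets[b] = n;
    return 0;
}

/* Longest chain in the table: a proxy for worst-case lookup cost. */
static size_t table_max_chain(const struct table *t)
{
    size_t longest = 0;
    for (uint32_t b = 0; b < NBUCKETS; b++) {
        size_t len = 0;
        for (const struct node *n = t->buckets[b]; n != NULL; n = n->next)
            len++;
        if (len > longest) longest = len;
    }
    return longest;
}

static void table_free(struct table *t)
{
    for (uint32_t b = 0; b < NBUCKETS; b++) {
        while (t->buckets[b] != NULL) {
            struct node *n = t->buckets[b];
            t->buckets[b] = n->next;
            free(n);
        }
    }
}

/* Insert all keys into a fresh table under the given seed; report the longest chain. */
size_t max_chain_for_keys(const char *const *keys, size_t n, uint32_t seed)
{
    struct table t = { .seed = seed };  /* buckets zero-initialised */
    for (size_t i = 0; i < n; i++) {
        if (table_insert(&t, keys[i]) != 0) {
            table_free(&t);
            fputs("out of memory\n", stderr);
            exit(EXIT_FAILURE);
        }
    }
    size_t longest = table_max_chain(&t);
    table_free(&t);
    return longest;
}

/* Per-process seed from the kernel CSPRNG; fail closed instead of falling
 * back to a guessable value such as the time. */
uint32_t random_seed(void)
{
    uint32_t s;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL || fread(&s, sizeof s, 1, f) != 1) {
        perror("/dev/urandom");
        exit(EXIT_FAILURE);
    }
    fclose(f);
    return s;
}

/* Constructed sample: eight two-byte keys whose byte sums are all 211.  With
 * seed 0 the multiplier 33 is 1 (mod 16), so all of them hash to bucket
 * 211 % 16 == 3 and a lookup degrades to a linear scan of the chain. */
const char *const colliding_keys[] = {"bq", "cp", "do", "en", "fm", "gl", "hk", "ij"};
const size_t n_colliding_keys = sizeof colliding_keys / sizeof colliding_keys[0];

int main(void)
{
    uint32_t seed = random_seed();
    printf("seed 0:          longest chain %zu of %zu keys\n",
           max_chain_for_keys(colliding_keys, n_colliding_keys, 0u), n_colliding_keys);
    printf("seed 0x%08x: longest chain %zu of %zu keys\n", (unsigned)seed,
           max_chain_for_keys(colliding_keys, n_colliding_keys, seed), n_colliding_keys);
    return 0;
}
```

With seed 0 all eight constructed keys share bucket 3, so the longest chain is 8; with seed 1 the multiplier becomes 35 and the same keys spread over eight distinct buckets. The toy mixing is weak on purpose: any seed whose multiplier is again 1 (mod 16), one seed in eight, leaves this key set colliding, which is the practical reason production tables use a real keyed hash such as SipHash and why, as the APR developers put it, seeding mitigates rather than eliminates the risk. Measuring the longest chain on a representative key set is also a cheap regression check for any hash table a service exposes to untrusted keys.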


Comment 1 Arfrever Frehtes Taifersar Arahesis 2012-01-16 21:09:26 UTC
Discussion on APR development mailing list seems to imply that the fix is incompatible and will never be backported to APR 1.*.
Comment 4 Arfrever Frehtes Taifersar Arahesis 2012-02-28 11:20:18 UTC
APR project says that there is no security vulnerability:
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-02-29 22:37:12 UTC
*** Bug 403731 has been marked as a duplicate of this bug. ***
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2012-02-29 22:43:46 UTC
Oh, what would security be without drama? ;)

From that last link:

> Contrary to Mr Seifreid's confusion, the recent code
> changes reflect a possibility of mitigating potential hash collisions,
> but certainly do not and can not eliminate such risks, and it is up to
> the developer to select appropriate storage and lookup mechanisms for
> their specific problem domain.

@apache, am I correct to believe these changes are in 1.4.6? And shall we stabilize this for good measure? Thanks much.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-02-29 22:58:57 UTC
@apache, Arfrever pointed out to me that these changes in APR may cause downstream tests to fail. The example shared was:

Thanks, Arfrever.
Comment 8 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 20:05:19 UTC
@maintainers: okay to stable apr-1.4.8-r1 on sh in order to drop 1.4.5?
Comment 9 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-25 17:56:10 UTC
sh -> ~arch, no longer a concern. @maintainers: please drop affected, will remove in 30 days if no response. GLSA vote: no.
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-25 21:04:42 UTC
Stabilization completed in 477296. 

GLSA vote: yes. I had an existing draft.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-05-18 17:54:18 UTC
This issue was resolved and addressed in GLSA 201405-24 at
by GLSA coordinator Sean Amoss (ackle).