Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 442580 (CVE-2012-5371) - <dev-lang/ruby-1.9.3_p392: hash-flooding DoS (CVE-2012-5371)
Summary: <dev-lang/ruby-1.9.3_p392: hash-flooding DoS (CVE-2012-5371)
Alias: CVE-2012-5371
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
: 445200 (view as bug list)
Depends on: CVE-2013-0269
  Show dependency tree
Reported: 2012-11-10 10:14 UTC by Agostino Sarubbo
Modified: 2014-12-13 19:23 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-11-10 10:14:17 UTC
From :

Ruby 1.9.3-p327 was released to correct a hash-flooding DoS vulnerability that only affects 1.9.x 
and the 2.0.0 preview [1].

As noted in the upstream report:

Carefully crafted sequence of strings can cause a denial of service attack on the service that 
parses the sequence to create a Hash object by using the strings as keys. For instance, this 
vulnerability affects web application that parses the JSON data sent from untrusted entity.

This vulnerability is similar to CVS-2011-4815 for ruby 1.8.7. ruby 1.9 versions were using 
modified MurmurHash function but it's reported that there is a way to create sequence of strings 
that collide their hash values each other. This fix changes the Hash function of String object from 
the MurmurHash to SipHash 2-4.

Ruby 1.8.x is not noted as being affected by this flaw.

Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-11-28 22:51:25 UTC
CVE-2012-5371 (
  Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash
  values without properly restricting the ability to trigger hash collisions
  predictably, which allows context-dependent attackers to cause a denial of
  service (CPU consumption) via crafted input to an application that maintains
  a hash table, as demonstrated by a universal multicollision attack against a
  variant of the MurmurHash2 algorithm, a different vulnerability than
Comment 2 Agostino Sarubbo gentoo-dev 2012-11-29 13:13:13 UTC
*** Bug 445200 has been marked as a duplicate of this bug. ***
Comment 3 Sven Schwyn (svoop) 2012-12-29 09:20:42 UTC
Ruby 1.9.3-p362 has just been released - bug fixes only, no additional security patches.
Comment 4 Sven Schwyn (svoop) 2013-02-08 10:23:27 UTC
Ruby 1.9.3-p385 has just been released which includes a security fix.
Comment 5 Hans de Graaff gentoo-dev 2013-02-10 09:15:57 UTC
(In reply to comment #4)
> Ruby 1.9.3-p385 has just been released which includes a security fix.

This version is now in the tree.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-03 21:30:39 UTC
GLSA vote: yes.
Comment 7 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-11 01:46:45 UTC
Added to existing request.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 19:23:45 UTC
This issue was resolved and addressed in
 GLSA 201412-27 at
by GLSA coordinator Sean Amoss (ackle).