Bug 442580 (CVE-2012-5371) - <dev-lang/ruby-1.9.3_p392: hash-flooding DoS (CVE-2012-5371)
Summary: <dev-lang/ruby-1.9.3_p392: hash-flooding DoS (CVE-2012-5371)
Status: RESOLVED FIXED
Alias: CVE-2012-5371
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Duplicates: 445200
Depends on: CVE-2013-0269
Blocks:
Reported: 2012-11-10 10:14 UTC by Agostino Sarubbo
Modified: 2014-12-13 19:23 UTC

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-11-10 10:14:17 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=875236 :

Ruby 1.9.3-p327 was released to correct a hash-flooding DoS vulnerability that only affects 1.9.x 
and the 2.0.0 preview [1].

As noted in the upstream report:

A carefully crafted sequence of strings can cause a denial of service attack on the service that 
parses the sequence to create a Hash object by using the strings as keys. For instance, this 
vulnerability affects a web application that parses JSON data sent from an untrusted entity.

This vulnerability is similar to CVE-2011-4815 for Ruby 1.8.7. Ruby 1.9 versions were using a 
modified MurmurHash function, but it's reported that there is a way to create a sequence of strings 
whose hash values collide with each other. This fix changes the hash function of the String object 
from MurmurHash to SipHash 2-4.

Ruby 1.8.x is not noted as being affected by this flaw.

[1] http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-11-28 22:51:25 UTC
CVE-2012-5371 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5371):
  Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash
  values without properly restricting the ability to trigger hash collisions
  predictably, which allows context-dependent attackers to cause a denial of
  service (CPU consumption) via crafted input to an application that maintains
  a hash table, as demonstrated by a universal multicollision attack against a
  variant of the MurmurHash2 algorithm, a different vulnerability than
  CVE-2011-4815.
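
The version bounds in the CVE text above can be turned into an inventory check. The following is an added example, not part of the bug report or of Ruby itself; the function names, the assumed `ruby -v` line formats and the sample inventory lines are constructed for illustration.

```ruby
# Added example: classify `ruby -v` lines against CVE-2012-5371.
# Bounds come from the CVE text quoted on this page.
FIXED_193_PATCHLEVEL = 327    # "1.9 before 1.9.3-p327"
FIXED_20_REVISION    = 37575  # "2.0 before r37575"

# Assumed formats: "ruby 1.9.3p194 (DATE revision N)", "ruby 2.0.0dev (DATE trunk N)",
# and the 1.8 style "ruby 1.8.7 (DATE patchlevel N)".
HEAD_RE = /\Aruby (\d+)\.(\d+)\.(\d+)(?:p(\d+)|[a-z]+\d*)?\s/
REV_RE  = /\((?:\S+ )?(?:revision|trunk) (\d+)\)/

def cve_2012_5371_status(version_line)
  head = HEAD_RE.match(version_line.strip + " ")
  return :unparsed unless head
  series = [head[1].to_i, head[2].to_i]
  teeny  = head[3].to_i
  patch  = head[4] && head[4].to_i
  rev    = REV_RE.match(version_line)

  if (series <=> [1, 9]) < 0
    :not_listed            # the report does not note 1.8.x as affected
  elsif series == [1, 9]
    # Every 1.9.0-1.9.2 build sorts before 1.9.3-p327.
    return :affected if teeny < 3
    return :unknown if patch.nil?   # 1.9.3 line without a patchlevel
    patch < FIXED_193_PATCHLEVEL ? :affected : :fixed
  elsif series == [2, 0]
    # 2.0 is bounded by svn revision, so the patchlevel alone is not enough.
    return :unknown unless rev
    rev[1].to_i < FIXED_20_REVISION ? :affected : :fixed
  else
    :fixed                 # later series branched after r37575
  end
end

# Constructed inventory lines (not taken from the bug report).
SAMPLE_INVENTORY = [
  "ruby 1.9.3p194 (2012-04-20 revision 35410) [x86_64-linux]",
  "ruby 1.9.3p327 (2012-11-10 revision 37606) [x86_64-linux]",
  "ruby 1.9.2p320 (2012-04-20 revision 35421) [x86_64-linux]",
  "ruby 2.0.0dev (2012-11-01 trunk 37411) [x86_64-linux]",
  "ruby 2.0.0p0 (2013-02-24 revision 39474) [x86_64-linux]",
  "ruby 1.8.7 (2012-02-08 patchlevel 358) [x86_64-linux]",
]

def audit(lines)
  lines.map { |line| [line[/\Aruby \S+/] || line, cve_2012_5371_status(line)] }
end

audit(SAMPLE_INVENTORY).each { |name, status| puts "#{name}: #{status}" } if __FILE__ == $0
```
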
Comment 2 Agostino Sarubbo gentoo-dev 2012-11-29 13:13:13 UTC
*** Bug 445200 has been marked as a duplicate of this bug. ***
Comment 3 Sven Schwyn (svoop) 2012-12-29 09:20:42 UTC
Ruby 1.9.3-p362 has just been released - bug fixes only, no additional security patches.

http://www.ruby-lang.org/en/news/2012/12/25/ruby-1-9-3-p362-is-released/
Comment 4 Sven Schwyn (svoop) 2013-02-08 10:23:27 UTC
Ruby 1.9.3-p385 has just been released which includes a security fix.

http://www.ruby-lang.org/en/news/2013/02/06/ruby-1-9-3-p385-is-released/
Comment 5 Hans de Graaff gentoo-dev Security 2013-02-10 09:15:57 UTC
(In reply to comment #4)
> Ruby 1.9.3-p385 has just been released which includes a security fix.
> 
> http://www.ruby-lang.org/en/news/2013/02/06/ruby-1-9-3-p385-is-released/

This version is now in the tree.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-03 21:30:39 UTC
GLSA vote: yes.
Comment 7 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-11 01:46:45 UTC
Added to existing request.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 19:23:45 UTC
This issue was resolved and addressed in
 GLSA 201412-27 at http://security.gentoo.org/glsa/glsa-201412-27.xml
by GLSA coordinator Sean Amoss (ackle).