Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 396399 (CVE-2012-5372) - dev-lang/rubinius: Hash collision DoS (CVE-2012-5372)
Summary: dev-lang/rubinius: Hash collision DoS (CVE-2012-5372)
Status: RESOLVED FIXED
Alias: CVE-2012-5372
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: http://www.ocert.org/advisories/ocert...
Whiteboard: ~3 [noglsa]
Keywords:
: 445342 (view as bug list)
Depends on:
Blocks: hashDoS
  Show dependency tree
 
Reported: 2011-12-29 10:20 UTC by Alex Legler (RETIRED)
Modified: 2015-11-09 22:00 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2011-12-29 10:20:30 UTC
Specially crafted POST parameters can be used to cause hash table operations
with a time complexity of O(n^2), causing a Denial of Service.

As per $URL, Rubinius is affected. There is no CVE assigned yet for this flaw in Rubinius.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-04 20:56:45 UTC
Patch available at https://github.com/rubinius/rubinius/commit/a9a40fc6a1256bcf6382631b710430105c5dd868 but it looks like it adds a dependency in the process.
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2015-07-02 09:30:48 UTC
*** Bug 445342 has been marked as a duplicate of this bug. ***
Comment 3 Manuel Rüger (RETIRED) gentoo-dev 2015-07-02 09:31:09 UTC
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2012-5372 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5372):
>   Rubinius computes hash values without properly restricting the ability to
>   trigger hash collisions predictably, which allows context-dependent
>   attackers to cause a denial of service (CPU consumption) via crafted input
>   to an application that maintains a hash table, as demonstrated by a
>   universal multicollision attack against the MurmurHash3 algorithm.
Comment 4 Manuel Rüger (RETIRED) gentoo-dev 2015-07-02 09:35:01 UTC
Vulnerable ebuilds have been removed. Package was never put into stable.

GLSA coordinators: Please resolve this bug.