From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail1-relais-roc.national.inria.fr (mail1-relais-roc.national.inria.fr [192.134.164.82]) by walapai.inria.fr (8.13.6/8.13.6) with ESMTP id q178YIhf024928 for ; Tue, 7 Feb 2012 09:34:18 +0100 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: Av0EAGPhME9QRFuw/2dsb2JhbABEr0uBBYFyAQEFOjQbCxgcEhQoiDMGugKLJgoLAgIJBQwHBgEqEwIIgnIZBHwKETyCOmMElSuSXg X-IronPort-AV: E=Sophos;i="4.73,376,1325458800"; d="scan'208";a="143157776" Received: from furbychan.cocan.org ([80.68.91.176]) by mail1-smtp-roc.national.inria.fr with ESMTP/TLS/AES256-SHA; 07 Feb 2012 09:34:13 +0100 Received: from rich by furbychan.cocan.org with local (Exim 4.72) (envelope-from ) id 1RugVA-0000ev-3h for caml-list@inria.fr; Tue, 07 Feb 2012 08:34:12 +0000 Date: Tue, 7 Feb 2012 08:34:12 +0000 From: "Richard W.M. Jones" To: caml-list@inria.fr Message-ID: <20120207083412.GA30350@annexia.org> References: <4F3078F1.8070105@redhat.com> <4F3079F7.4040606@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4F3079F7.4040606@redhat.com> User-Agent: Mutt/1.5.20 (2009-06-14) Subject: Re: [Caml-list] Re: [oss-security] CVE request: Hash DoS vulnerability (ocert-2011-003) On Mon, Feb 06, 2012 at 06:10:15PM -0700, Kurt Seifried wrote: > On 02/06/2012 06:05 PM, Kurt Seifried wrote: > > So going through various things looks like Ocaml is vulnerable and has > > not had a CVE # assigned for this issue yet. > > > > Discussion of the issue takes place on the mailing list, here is a link > > for the originating thread: > > > >cc > > > > There doesn't appear to be a fix yet. > > > > > > Please use CVE-2012-0839 for this issue. Red Hat BZ: https://bugzilla.redhat.com/show_bug.cgi?id=787888 Rather than changing every app that uses Hashtbl, I'd prefer to fix this upstream by choosing a random seed for hash tables unless the caller explicitly sets one or sets an environment variable to disable this. In Perl, the seed is a random number chosen when the Perl interpreter starts up. This is low overhead, but still leaves a (much more theoretical) attack where someone can determine the seed from a long-running process using some other method and still attack the hash table. In Python there is an environment variable you can set to disable randomized hash tables. Further Python discussion here: http://bugs.python.org/issue13703 http://mail.python.org/pipermail/python-dev/2012-January/thread.html#115465 Rich. -- Richard Jones Red Hat