[New-bugs-announce] [issue14234] CVE-2012-0876 (hash table collisions CPU usage DoS) for embedded copy of expat

Dave Malcolm report at bugs.python.org
Fri Mar 9 01:56:31 CET 2012


New submission from Dave Malcolm <dmalcolm at redhat.com>:

Expat 2.1.0 Beta was recently announced:
  http://mail.libexpat.org/pipermail/expat-discuss/2012-March/002768.html
which contains (among other things) a fix for a hash-collision denial-of-service attack (CVE-2012-0876).

I'm attaching a patch which minimally backports the hash-collision fix part of expat 2.1.0 to the embedded copy of expat in the CPython source tree, and which adds a call to XML_SetHashSalt() to pyexpat when creating parsers.  It reuses part of the hash secret from Py_HashSecret.

----------
components: XML
files: expat-hash-randomization.patch
keywords: patch
messages: 155198
nosy: dmalcolm
priority: normal
severity: normal
status: open
title: CVE-2012-0876 (hash table collisions CPU usage DoS) for embedded copy of expat
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4
Added file: http://bugs.python.org/file24762/expat-hash-randomization.patch

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue14234>
_______________________________________
