[issue13703] Hash collision security issue

Glenn Linderman report at bugs.python.org
Sun Jan 8 01:33:00 CET 2012

Glenn Linderman <v+python at g.nevcal.com> added the comment:

Alex, I agree the issue has to do with the origin of the data, but the modules listed are the ones that deal with the data supplied by this particular attack.

Note that changing the hash algorithm for a persistent process, even though each process may have a different seed or randomized source, allows attacks for the life of that process, if an attack vector can be created during its lifetime. This is not a problem for systems where each request is handled by a different process, but is a problem for systems where processes are long-running and handle many requests.

Regarding vulnerable user code, supplying SafeDict (or something similar) in the stdlib or as sample code for use in such cases allows user code to be fixed also.

You have entered the class of people that claim lots of vulnerabilities, without enumeration.


Python tracker <report at bugs.python.org>
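The comment above makes two practical points: per-process hash randomization only helps if it is actually on, and a collision-bounded dictionary (the "SafeDict" idea) lets application code defend itself regardless of the interpreter's hash function. The following is an added illustration of both, written for this page rather than taken from the tracker thread or the stdlib. The `SafeDict` name is borrowed from the comment, but the class is a hypothetical sketch: it simulates hash buckets with the low bits of `hash()` (CPython's real dict is open-addressed, so the grouping is an approximation of where the probe sequence starts) and the bucket count and chain limit are arbitrary constructed values. The startup check reads the real `sys.flags.hash_randomization` flag.

```python
"""Added example: a collision-bounded dict plus a startup check for hash
randomization. Hypothetical code, not from the tracker or the stdlib."""
import sys
from collections import defaultdict


def hash_randomization_enabled() -> bool:
    """True when this interpreter randomizes str/bytes hashes per process.

    sys.flags.hash_randomization is 0 only when PYTHONHASHSEED=0 was set;
    that is the configuration in which one collision set keeps working
    across restarts, so a long-running service should refuse to start
    with it (the check itself cannot protect a process already running).
    """
    return bool(sys.flags.hash_randomization)


class SafeDict(dict):
    """dict that refuses to grow a single simulated hash slot beyond
    `max_chain` distinct keys.

    "Slot" means the low bits of hash(key), which is where CPython's probe
    sequence begins. Ordinary data spreads over the slots; a crafted
    collision set piles every key into one of them, which is what the
    limit detects. Every mutating method is routed through __setitem__ /
    the slot counters so the counts stay consistent.
    """

    def __init__(self, *args, buckets: int = 1 << 16, max_chain: int = 32, **kw):
        super().__init__()
        self._mask = buckets - 1              # buckets must be a power of two
        self._max_chain = max_chain
        self._chains: dict[int, int] = defaultdict(int)
        self.update(*args, **kw)

    def _slot(self, key) -> int:
        return hash(key) & self._mask

    def __setitem__(self, key, value):
        if key not in self:                   # only new keys lengthen a chain
            slot = self._slot(key)
            if self._chains[slot] >= self._max_chain:
                raise OverflowError(
                    f"too many keys share hash slot {slot}; "
                    "refusing to insert (possible collision attack)")
            self._chains[slot] += 1
        super().__setitem__(key, value)

    def __delitem__(self, key):
        super().__delitem__(key)              # KeyError leaves counts untouched
        self._chains[self._slot(key)] -= 1

    def update(self, *args, **kw):
        for k, v in dict(*args, **kw).items():
            self[k] = v

    def setdefault(self, key, default=None):
        if key not in self:
            self[key] = default
        return self[key]

    def pop(self, key, *default):
        if key in self:
            self._chains[self._slot(key)] -= 1
        return super().pop(key, *default)

    def popitem(self):
        key, value = super().popitem()
        self._chains[self._slot(key)] -= 1
        return key, value

    def clear(self):
        super().clear()
        self._chains.clear()


def demo_chain_limit(max_chain: int = 8) -> tuple[int, bool]:
    """Insert keys that all land in one simulated slot; return how many were
    accepted and whether the limit fired.

    Constructed input: small ints hash to themselves in CPython, so
    multiples of the bucket count (1 << 16) all map to slot 0. This is the
    documented int hash, not a string collision set.
    """
    d = SafeDict(buckets=1 << 16, max_chain=max_chain)
    tripped = False
    for i in range(max_chain + 5):
        try:
            d[i << 16] = i
        except OverflowError:
            tripped = True
            break
    return len(d), tripped


if __name__ == "__main__":
    print("hash randomization on:", hash_randomization_enabled())
    print("accepted, tripped:", demo_chain_limit())
```

Rejecting the insert is a deliberate choice: it turns an unbounded CPU cost into a fast, loggable error for that one request, which is the trade a long-running server wants. The limit must be tuned to the table size (with 65536 simulated slots a chain of 32 is far beyond what legitimate keys produce), and an application that needs to keep serving can catch `OverflowError` at its request boundary and reject the payload rather than crash.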