[issue14234] CVE-2012-0876 (hash table collisions CPU usage DoS) for embedded copy of expat

Gregory P. Smith report at bugs.python.org
Wed Mar 14 21:55:36 CET 2012

Gregory P. Smith <greg at krypto.org> added the comment:

False alarm, that's just what happens when PYTHONHASHSEED=0 (I won't be committing the assert, I was just testing behavior).

For what it's worth, the xmlparse.c generate_hash_seed() function is pretty poor as far as picking a random number goes, as it is time-based and it is often easy for an attacker to figure out the time on a process they're injecting data into and thus construct a targeted attack.  It is still better than nothing but it could be better.  I'd leave improving that up to the upstream expat project.

When PYTHONHASHSEED is enabled, pyexpat will never use that function. It does mean we use a constant seed for the life of the process when it is enabled, and revert to the expat behavior of using the expat parser creation time based seed otherwise.


Python tracker <report at bugs.python.org>
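
A deployment check for the PYTHONHASHSEED settings this message refers to, as an added example that is not part of the original post or of CPython: it starts fresh interpreters under a given setting and reports whether hash randomization is disabled, pinned to a fixed seed, or random per process. Assumptions: Python 3.7+, it observes `str` hashing only and does not inspect the salt pyexpat passes to expat, and the probe string and function names are made up for illustration.

```python
import os
import subprocess
import sys

# Child program: report the interpreter's randomization flag and one str hash.
# The probe string is an arbitrary constructed value.
CHILD = "import sys; print(sys.flags.hash_randomization, hash('expat-attr-name'))"


def probe(seed_setting):
    """Run a fresh interpreter with PYTHONHASHSEED set (or unset when None)."""
    env = dict(os.environ)
    env.pop("PYTHONHASHSEED", None)
    if seed_setting is not None:
        env["PYTHONHASHSEED"] = seed_setting
    out = subprocess.run([sys.executable, "-c", CHILD], env=env,
                         capture_output=True, text=True, check=True).stdout
    flag, value = out.split()
    return int(flag), int(value)


def classify(seed_setting):
    """Classify a PYTHONHASHSEED setting by observing two separate processes."""
    (flag_a, hash_a), (_, hash_b) = probe(seed_setting), probe(seed_setting)
    if flag_a == 0:
        return "disabled"   # PYTHONHASHSEED=0: hashes identical everywhere
    if hash_a == hash_b:
        return "fixed"      # randomization on, but the seed is pinned by config
    return "random"         # fresh secret for every process


if __name__ == "__main__":
    # None means the variable is unset, i.e. the interpreter default.
    for setting in ("0", "12345", "random", None):
        print(repr(setting), "->", classify(setting))
```

A service that parses untrusted XML should report "random"; "disabled" is the PYTHONHASHSEED=0 case from the message, where pyexpat is left with expat's own time-based seed.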
