[Python-Dev] Python Remote Code Execution in socket.recvfrom_into()

Nick Coghlan ncoghlan at gmail.com
Tue Feb 25 14:33:27 CET 2014

On 25 Feb 2014 23:09, "Maciej Fijalkowski" <fijall at gmail.com> wrote:
> On Tue, Feb 25, 2014 at 3:06 PM, Chris Angelico <rosuav at gmail.com> wrote:
> > On Tue, Feb 25, 2014 at 11:59 PM, Maciej Fijalkowski <fijall at gmail.com>
> >>> Last issues:
> >>> - hash DoS
> >>
> >> is this fixed?
> >
> > Yes, hash randomization was added as an option in 2.7.3 or 2.7.4 or
> > thereabouts, and is on by default in 3.3+. You do have to set an
> > environment variable for 2.7 (and I think 2.6 got that too (??)), as
> > it can break code.
> No, the hash randomization is broken, it does not provide enough
> randomness (without changing the hash function which only happened in
> 3.4+)

The blind hash collision DOS attack was fixed in all applicable branches.
There was then a second vulnerability in the randomisation that still
allowed a relatively straightforward invocation specific secret recovery
attack against earlier versions that is only fixed with the SipHash change
in 3.4.

You and the other PyPy devs apparently feel that the existence of the
second vulnerability means it isn't worth your while to fix the original
one either. While this mirrors the core team's original position that it
was up to applications and frameworks to deal with the problem, conflating
the two vulnerabilities like that is still just your perspective, not ours
(in addition to all the same measures that limited the impact of the
original issue, there are many measures that specifically mitigate the
latter one, with process recycling being one of the simplest).


> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20140225/a7503e6d/attachment.html>

More information about the Python-Dev mailing list