Forwarded for Kurt, as he's not subscribed. -------- Original Message -------- Subject: Re: Hash collision vectors in APR? Date: Thu, 23 Feb 2012 18:32:30 -0700 From: Kurt Seifried <kseifr...@redhat.com> To: William A. Rowe Jr. <wr...@rowe-clan.net> CC: APR Developer List <dev@apr.apache.org>, Stefan Fritsch <s...@sfritsch.de>, "Steven M. Christey" <co...@linus.mitre.org>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Apologies for the delayed reply. CC'ing Steve since I can't actually remove or edit CVE's, just assign them. On 02/22/2012 09:49 AM, William A. Rowe Jr. wrote: > After extensive consultation with the security projects of various > APR consumers, it's apparent that there are no actual > vulnerabilities to be exploited here. Contrary to Mr Seifreid's > confusion, the recent code changes reflect a possibility of > mitigating potential hash collisions, but certainly do not and can > not eliminate such risks, and it is up to the developer to select > appropriate storage and lookup mechansims for their specific > problem domain. > > These changes do not represent either a security DEFECT nor any > actual security FIX. The APR Project dis-acknowledges the > assignment of CVE-2012-0840 as erroneous, and invalid. Kurt, since > you created the defect, please edit it appropriately. > secur...@apache.org is always happy to consult in order to avoid > future errors and misinformation. > > Stefan, please revert your miscommit. In the future, please run > such things past secur...@apache.org before applying inaccurate > external assignments. So as I now understand it APR doesn't expose itself in an exploitable manner, ergo the hash function, while technically vulnerable, cannot really be exploited in any current way, is this correct? Does this also take into account future changes/uses that may expose it potentially (or is that just not possible)? If you can confirm this then I guess the ball is in Steve's court (I'm also not sure how the CVE rules/etc. apply in this specific instance). - -- Kurt Seifried Red Hat Security Response Team (SRT) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPRuiqAAoJEBYNRVNeJnmTAgIQAMX99REZXiwSh1mFX4foYjss eBy2kz1ijFtFV2rH36F2eqeEPWFo82MrLDjGDH6j1zxrKiaUnziJ8pbKm/zcpF/G ub3FS+8lzKQ3fxI/gJAPSRCoMZwx98PI8u6YEV96WU0m6UTxNQTGcRphUhVLMRze gFLg6aOTW7kSoWZSbexQ9M8MmXR0E0HWQL2uzxLnZUi+s5AYbIV7WntEw9iQEfNr uGromu2UYkjZVzjU2o54K/3bWUUmuAHBzVpYj91pGvRZPHDclBOBiQgtg3TNceRZ LQ6vU2NWuciqr/0Hz41MHB70zp/zIHLr1xbuFgXX7lOVIVGEszY79BXS5iXNpvRi MZvygEmfWmSQ/hxJPN6yjD0aXUd7+WpnUzVbOZlAX3sB3N02TrfLzDXnugQd06Lu G8/OPq+Gi5UISDjST/DX63ke+tV5q7lk2oswuhq8ITeQ+4fuDggEklO4jgdqCH7C XBxe/Z6023mPqei3Ot0Bx/IrbJlXLyWMnbE2efjjb+mAg6yC8tjp93QBRJNkQ/4n 2YvTvIHS+frVkCWfKl4Y7NFwADb6EKWXfdMPd43kufDcogtbWok19/rZ+JercM4K oCk7VnIZ2qwHUUU7KCBtXUxA+rW5qXoqgbXOzmrTMkmBfhYY7UJ+kiYEVobkRJO3 SGUF5xhBbZnkD4bQSTSi =0OpC -----END PGP SIGNATURE-----
