Re: CVE-2013-1667: important rehashing flaw
On Tue, Mar 12, 2013 at 8:58 AM, Leo Lapworth l...@cuckoo.org wrote:

> All updated now

Thanks for doing this; makes my prep-work much easier at $work.

I've just stumbled across http://www.cpan.org/src/README.html which says:

Latest releases in each branch of Perl

Major  Version  Type   Released    Download
5.14   5.14.4   Devel  2013-03-07  perl-5.14.4-RC2.tar.gz
5.16   5.16.3   Maint  2013-03-11  perl-5.16.3.tar.gz
5.14   5.14.4   Maint  2013-03-10  perl-5.14.4.tar.gz

To me it looks odd having the RC2 there ... should that be dropped until there is (another) release candidate?

--
Chisel
e: chi...@chizography.net
w: http://chizography.net
Re: CVE-2013-1667: important rehashing flaw
On Wed, Mar 13, 2013 at 09:50:56AM +, Chisel wrote:

> I've just stumbled across http://www.cpan.org/src/README.html which says:
>
> Latest releases in each branch of Perl
>
> Major  Version  Type   Released    Download
> 5.14   5.14.4   Devel  2013-03-07  perl-5.14.4-RC2.tar.gz
> 5.16   5.16.3   Maint  2013-03-11  perl-5.16.3.tar.gz
> 5.14   5.14.4   Maint  2013-03-10  perl-5.14.4.tar.gz
>
> To me it looks odd having the RC2 there ... should that be dropped until there is (another) release candidate?

Presumably it's counting 5.14.4-RC2 as the most recent development release, and when 5.17.10 is released this will be updated?

--
The Enterprise's efficient long-range scanners detect a temporal vortex distortion in good time, allowing it to be safely avoided via a minor course correction.
    -- Things That Never Happen in Star Trek #21
Re: CVE-2013-1667: important rehashing flaw
On Wed, Mar 13, 2013 at 11:52:59AM +, Dave Mitchell wrote:

> On Wed, Mar 13, 2013 at 09:50:56AM +, Chisel wrote:
>
> > I've just stumbled across http://www.cpan.org/src/README.html which says:
> >
> > Latest releases in each branch of Perl
> >
> > Major  Version  Type   Released    Download
> > 5.14   5.14.4   Devel  2013-03-07  perl-5.14.4-RC2.tar.gz
> > 5.16   5.16.3   Maint  2013-03-11  perl-5.16.3.tar.gz
> > 5.14   5.14.4   Maint  2013-03-10  perl-5.14.4.tar.gz
> >
> > To me it looks odd having the RC2 there ... should that be dropped until there is (another) release candidate?
>
> Presumably it's counting 5.14.4-RC2 as the most recent development release, and when 5.17.10 is released this will be updated?

If that is the case, it would still be good to fix/change it. As I suspect that this situation will occur again, and what it presents to the end user is not the right answer. RCs are immediately obsolete if there is a real release. (or a newer RC) And therefore should no longer be mentioned.

(i.e. a more correct algorithm would be to discard all obsolete releases, and then show the most recent non-obsolete development release. However, at the point that 5.18.0 is released, there will be a few days for which there is *no* current development release, as 5.18.0 will obsolete 5.17.everything)

Nicholas Clark
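The selection rule described in the message above, as an added Python example; it is not part of the thread and not the script that generates README.html. The tarball naming pattern, treating odd minor series and RCs as development releases, and using version order as a stand-in for release date are assumptions of this sketch.

```python
import re
from typing import NamedTuple, Optional

class Release(NamedTuple):
    name: str
    version: tuple          # (major, minor, patch)
    rc: Optional[int]       # None for a final release

def parse(name):
    m = re.fullmatch(r"perl-(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?\.tar\.gz", name)
    if m is None:
        raise ValueError(f"unrecognised tarball name: {name!r}")
    major, minor, patch, rc = m.groups()
    return Release(name, (int(major), int(minor), int(patch)), int(rc) if rc else None)

def is_devel(r):
    # Assumption: RCs and odd-numbered minor series (5.17.x) are development releases.
    return r.rc is not None or r.version[1] % 2 == 1

def is_obsolete(r, releases):
    for o in releases:
        # An RC is obsolete once the real release, or a newer RC, of that version exists.
        if r.rc is not None and o.version == r.version and (o.rc is None or o.rc > r.rc):
            return True
        # A development series is obsolete once a later stable series ships
        # (5.18.0 obsoletes 5.17.everything).
        if (r.version[1] % 2 == 1 and o.rc is None and o.version[1] % 2 == 0
                and o.version[:2] > r.version[:2]):
            return True
    return False

def latest_devel(names):
    """Return the tarball to list as the current development release, or None."""
    releases = [parse(n) for n in names]
    current = [r for r in releases if is_devel(r) and not is_obsolete(r, releases)]
    if not current:
        return None   # the gap: no current development release to show
    # Assumption: "most recent" is approximated by version order, final after its RCs.
    best = max(current, key=lambda r: (r.version, float("inf") if r.rc is None else r.rc))
    return best.name

# The three rows quoted in the thread; other names used with this list are constructed.
LISTED = ["perl-5.14.4-RC2.tar.gz", "perl-5.16.3.tar.gz", "perl-5.14.4.tar.gz"]
```

With only the three quoted rows as input, `latest_devel(LISTED)` returns `None`, so the obsolete RC2 row would not be shown.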
Re: CVE-2013-1667: important rehashing flaw
All updated now

Leo

On 12 March 2013 04:52, Toby Wintermute t...@wintrmute.net wrote:

> I note that while 5.16.3 is visible on CPAN, no-one seems to have updated perl.org yet - it still offers 5.16.2 as the latest release for download.
>
> On 5 March 2013 02:26, Nicholas Clark n...@ccl4.org wrote:
>
> > Technically this is off topic:
> >
> > - Forwarded message from Ricardo Signes perl@rjbs.manxome.org -
> >
> > Date: Mon, 4 Mar 2013 10:20:11 -0500
> > From: Ricardo Signes perl@rjbs.manxome.org
> > To: perl5-port...@perl.org
> > Subject: CVE-2013-1667: important rehashing flaw
> > User-Agent: Mutt/1.5.21 (2010-09-15)
> >
> > The following message concerns a hash-related flaw in perl 5, which has been assigned CVE-2013-1667.
> >
> > In order to prevent an algorithmic complexity attack against its hashing mechanism, perl will sometimes recalculate keys and redistribute the contents of a hash. This mechanism has made perl robust against attacks that have been demonstrated against other systems.
> >
> > Research by Yves Orton has recently uncovered a flaw in the rehashing code which can result in pathological behavior. This flaw could be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys.
> >
> > Because using user-provided strings as hash keys is a very common operation, we urge users of perl to update their perl executable as soon as possible.
> >
> > Updates to address this issue have been pushed to main-5.8, maint-5.10, maint-5.12, maint-5.14, and maint-5.16 branches today. Vendors* were informed of this problem two weeks ago and are expected to be shipping updates today (or otherwise very soon). bleadperl is not affected.
> >
> > This issue affects all production versions of perl from 5.8.2 to 5.16.x. It does not affect the upcoming perl 5.18.
> >
> > This issue has been assigned the identifier CVE-2013-1667.
> >
> > In the next few weeks, expect to see a more detailed post from researcher Yves Orton or me.
> >
> > -- rjbs
> >
> > - End forwarded message -
> >
> > You will be wanting to be sure that this one is patched, either by your vendor, or locally if you maintain your own build. The fix is under 40 lines, most of which is *deleting* code and comments.
> >
> > If you know how to attack it, the results are pretty ugly, and pretty much impossible to mitigate in user code. Right now, we don't think that anyone *else* knows how to do it. You're only safe from DOS as long as this remains the case.
> >
> > Nicholas Clark
> >
> > --
> > Turning and turning in the widening gyre
> > The falcon cannot hear the falconer
> > Things fall apart; the center cannot hold
> > Mere anarchy is loosed upon the world
Re: CVE-2013-1667: important rehashing flaw
I note that while 5.16.3 is visible on CPAN, no-one seems to have updated perl.org yet - it still offers 5.16.2 as the latest release for download.

On 5 March 2013 02:26, Nicholas Clark n...@ccl4.org wrote:

> Technically this is off topic:
>
> - Forwarded message from Ricardo Signes perl@rjbs.manxome.org -
>
> Date: Mon, 4 Mar 2013 10:20:11 -0500
> From: Ricardo Signes perl@rjbs.manxome.org
> To: perl5-port...@perl.org
> Subject: CVE-2013-1667: important rehashing flaw
> User-Agent: Mutt/1.5.21 (2010-09-15)
>
> The following message concerns a hash-related flaw in perl 5, which has been assigned CVE-2013-1667.
>
> In order to prevent an algorithmic complexity attack against its hashing mechanism, perl will sometimes recalculate keys and redistribute the contents of a hash. This mechanism has made perl robust against attacks that have been demonstrated against other systems.
>
> Research by Yves Orton has recently uncovered a flaw in the rehashing code which can result in pathological behavior. This flaw could be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys.
>
> Because using user-provided strings as hash keys is a very common operation, we urge users of perl to update their perl executable as soon as possible.
>
> Updates to address this issue have been pushed to main-5.8, maint-5.10, maint-5.12, maint-5.14, and maint-5.16 branches today. Vendors* were informed of this problem two weeks ago and are expected to be shipping updates today (or otherwise very soon). bleadperl is not affected.
>
> This issue affects all production versions of perl from 5.8.2 to 5.16.x. It does not affect the upcoming perl 5.18.
>
> This issue has been assigned the identifier CVE-2013-1667.
>
> In the next few weeks, expect to see a more detailed post from researcher Yves Orton or me.
>
> -- rjbs
>
> - End forwarded message -
>
> You will be wanting to be sure that this one is patched, either by your vendor, or locally if you maintain your own build. The fix is under 40 lines, most of which is *deleting* code and comments.
>
> If you know how to attack it, the results are pretty ugly, and pretty much impossible to mitigate in user code. Right now, we don't think that anyone *else* knows how to do it. You're only safe from DOS as long as this remains the case.
>
> Nicholas Clark
>
> --
> Turning and turning in the widening gyre
> The falcon cannot hear the falconer
> Things fall apart; the center cannot hold
> Mere anarchy is loosed upon the world
CVE-2013-1667: important rehashing flaw
Technically this is off topic:

- Forwarded message from Ricardo Signes perl@rjbs.manxome.org -

Date: Mon, 4 Mar 2013 10:20:11 -0500
From: Ricardo Signes perl@rjbs.manxome.org
To: perl5-port...@perl.org
Subject: CVE-2013-1667: important rehashing flaw
User-Agent: Mutt/1.5.21 (2010-09-15)

The following message concerns a hash-related flaw in perl 5, which has been assigned CVE-2013-1667.

In order to prevent an algorithmic complexity attack against its hashing mechanism, perl will sometimes recalculate keys and redistribute the contents of a hash. This mechanism has made perl robust against attacks that have been demonstrated against other systems.

Research by Yves Orton has recently uncovered a flaw in the rehashing code which can result in pathological behavior. This flaw could be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys.

Because using user-provided strings as hash keys is a very common operation, we urge users of perl to update their perl executable as soon as possible.

Updates to address this issue have been pushed to main-5.8, maint-5.10, maint-5.12, maint-5.14, and maint-5.16 branches today. Vendors* were informed of this problem two weeks ago and are expected to be shipping updates today (or otherwise very soon). bleadperl is not affected.

This issue affects all production versions of perl from 5.8.2 to 5.16.x. It does not affect the upcoming perl 5.18.

This issue has been assigned the identifier CVE-2013-1667.

In the next few weeks, expect to see a more detailed post from researcher Yves Orton or me.

-- rjbs

- End forwarded message -

You will be wanting to be sure that this one is patched, either by your vendor, or locally if you maintain your own build. The fix is under 40 lines, most of which is *deleting* code and comments.

If you know how to attack it, the results are pretty ugly, and pretty much impossible to mitigate in user code. Right now, we don't think that anyone *else* knows how to do it. You're only safe from DOS as long as this remains the case.

Nicholas Clark