Re: CVE-2013-1667: important rehashing flaw
On Wed, Mar 13, 2013 at 11:52:59AM +, Dave Mitchell wrote:
> On Wed, Mar 13, 2013 at 09:50:56AM +, Chisel wrote:
> > I've just stumbled across http://www.cpan.org/src/README.html which says:
> >
> > Latest releases in each branch of Perl
> >
> > Major  Version  Type   Released    Download
> > 5.14   5.14.4   Devel  2013-03-07  perl-5.14.4-RC2.tar.gz
> > 5.16   5.16.3   Maint  2013-03-11  perl-5.16.3.tar.gz
> > 5.14   5.14.4   Maint  2013-03-10  perl-5.14.4.tar.gz
> >
> > To me it looks odd having the RC2 there ... should that be dropped
> > until there is (another) release candidate?
>
> Presumably it's counting 5.14.4-RC2 as the most recent development release,
> and when 5.17.10 is released this will be updated?

If that is the case, it would still be good to fix/change it, as I suspect
that this situation will occur again, and what it presents to the end user
is not the right answer.

RCs are immediately obsolete if there is a real release (or a newer RC),
and therefore should no longer be mentioned. (ie a more "correct" algorithm
would be to discard all obsolete releases, and then show the most recent
non-obsolete development release. However, at the point that 5.18.0 is
released, there will be a few days for which there is *no* current
development release, as 5.18.0 will obsolete 5.17.everything)

Nicholas Clark
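The listing rule Nicholas describes above, as an added example in Python that is not part of the thread or of the cpan.org tooling: parse the tarball names, discard obsolete releases (an RC once the real release or a newer RC exists, a development release once the next even-minor branch ships), then pick the newest surviving development release and the newest release per maintenance branch. The 5.17.9 row and its date are an assumption added to the page's sample table.

```python
import re

# Constructed sample modelled on the README.html listing quoted in the thread.
# The 5.17.9 row and its date are an assumption, not taken from the page.
RELEASES = [
    ("2013-03-07", "perl-5.14.4-RC2.tar.gz"),
    ("2013-03-11", "perl-5.16.3.tar.gz"),
    ("2013-03-10", "perl-5.14.4.tar.gz"),
    ("2013-02-20", "perl-5.17.9.tar.gz"),
]

TARBALL = re.compile(r"^perl-(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?\.tar\.gz$")

def parse(date: str, filename: str) -> dict:
    """Split a tarball name into a version tuple and RC number (None = real release)."""
    m = TARBALL.match(filename)
    if not m:
        raise ValueError(f"not a perl tarball name: {filename}")
    maj, mi, pa, rc = m.groups()
    return {"version": (int(maj), int(mi), int(pa)),
            "rc": int(rc) if rc else None, "date": date, "file": filename}

def is_obsolete(r: dict, rels: list) -> bool:
    """An RC is obsolete once the real release or a newer RC of that version exists;
    a development release (odd minor) is obsolete once the next even-minor branch ships."""
    maj, mi, _ = r["version"]
    for o in rels:
        if o is r:
            continue
        same = o["version"] == r["version"]
        if r["rc"] is not None and same and (o["rc"] is None or o["rc"] > r["rc"]):
            return True
        if mi % 2 == 1 and o["rc"] is None and o["version"][:2] == (maj, mi + 1):
            return True
    return False

def latest_releases(table: list) -> dict:
    """Newest non-obsolete development release under key 'devel' (None when no
    development release is current) plus the newest real release per maint branch."""
    rels = [parse(d, f) for d, f in table]
    live = [r for r in rels if not is_obsolete(r, rels)]
    devel = [r for r in live if r["version"][1] % 2 == 1 or r["rc"] is not None]
    out = {"devel": max(devel, key=lambda r: (r["version"], r["rc"] or 0), default=None)}
    for r in live:
        if r["version"][1] % 2 == 0 and r["rc"] is None:
            branch = "%d.%d" % r["version"][:2]
            if branch not in out or out[branch]["version"] < r["version"]:
                out[branch] = r
    return out
```

With the page's table the obsolete 5.14.4-RC2 disappears; adding a 5.18.0 row makes 5.17.9 obsolete and leaves the development slot empty, which is the gap Nicholas points out.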
Re: CVE-2013-1667: important rehashing flaw
On Wed, Mar 13, 2013 at 09:50:56AM +, Chisel wrote:
> I've just stumbled across http://www.cpan.org/src/README.html which says:
>
> Latest releases in each branch of Perl
>
> Major  Version  Type   Released    Download
> 5.14   5.14.4   Devel  2013-03-07  perl-5.14.4-RC2.tar.gz
> 5.16   5.16.3   Maint  2013-03-11  perl-5.16.3.tar.gz
> 5.14   5.14.4   Maint  2013-03-10  perl-5.14.4.tar.gz
>
> To me it looks odd having the RC2 there ... should that be dropped
> until there is (another) release candidate?

Presumably it's counting 5.14.4-RC2 as the most recent development release,
and when 5.17.10 is released this will be updated?

--
The Enterprise's efficient long-range scanners detect a temporal vortex
distortion in good time, allowing it to be safely avoided via a minor
course correction.
    -- Things That Never Happen in "Star Trek" #21
Re: CVE-2013-1667: important rehashing flaw
On Tue, Mar 12, 2013 at 8:58 AM, Leo Lapworth wrote:
> All updated now

Thanks for doing this; it makes my prep-work much easier at $work.

I've just stumbled across http://www.cpan.org/src/README.html which says:

Latest releases in each branch of Perl

Major  Version  Type   Released    Download
5.14   5.14.4   Devel  2013-03-07  perl-5.14.4-RC2.tar.gz
5.16   5.16.3   Maint  2013-03-11  perl-5.16.3.tar.gz
5.14   5.14.4   Maint  2013-03-10  perl-5.14.4.tar.gz

To me it looks odd having the RC2 there ... should that be dropped
until there is (another) release candidate?

--
Chisel
e: chi...@chizography.net
w: http://chizography.net
Re: CVE-2013-1667: important rehashing flaw
All updated now

Leo

On 12 March 2013 04:52, Toby Wintermute wrote:
> I note that while 5.16.3 is visible on CPAN, no-one seems to have
> updated perl.org yet - it still offers 5.16.2 as the latest release
> for download.
>
> On 5 March 2013 02:26, Nicholas Clark wrote:
>> Technically this is off topic:
>>
>> - Forwarded message from Ricardo Signes -
>>
>> Date: Mon, 4 Mar 2013 10:20:11 -0500
>> From: Ricardo Signes
>> To: perl5-port...@perl.org
>> Subject: CVE-2013-1667: important rehashing flaw
>> User-Agent: Mutt/1.5.21 (2010-09-15)
>>
>> The following message concerns a hash-related flaw in perl 5, which has been
>> assigned CVE-2013-1667.
>>
>> In order to prevent an algorithmic complexity attack against its hashing
>> mechanism, perl will sometimes recalculate keys and redistribute the contents
>> of a hash. This mechanism has made perl robust against attacks that have
>> been demonstrated against other systems.
>>
>> Research by Yves Orton has recently uncovered a flaw in the rehashing code
>> which can result in pathological behavior. This flaw could be exploited to
>> carry out a denial of service attack against code that uses arbitrary user
>> input as hash keys.
>>
>> Because using user-provided strings as hash keys is a very common operation,
>> we urge users of perl to update their perl executable as soon as possible.
>> Updates to address this issue have been pushed to maint-5.8, maint-5.10,
>> maint-5.12, maint-5.14, and maint-5.16 branches today. Vendors* were informed
>> of this problem two weeks ago and are expected to be shipping updates today
>> (or otherwise very soon).
>>
>> bleadperl is not affected.
>>
>> This issue affects all production versions of perl from 5.8.2 to 5.16.x. It
>> does not affect the upcoming perl 5.18.
>>
>> This issue has been assigned the identifier CVE-2013-1667.
>>
>> In the next few weeks, expect to see a more detailed post from researcher
>> Yves Orton or me.
>>
>> --
>> rjbs
>>
>> - End forwarded message -
>>
>> You will be wanting to be sure that this one is patched, either by your
>> vendor, or locally if you maintain your own build. The fix is under 40 lines,
>> most of which is *deleting* code and comments.
>>
>> If you know how to attack it, the results are pretty ugly, and pretty much
>> impossible to mitigate in user code. Right now, we don't think that anyone
>> *else* knows how to do it. You're only safe from DOS as long as this remains
>> the case.
>>
>> Nicholas Clark
>
> --
> Turning and turning in the widening gyre
> The falcon cannot hear the falconer
> Things fall apart; the center cannot hold
> Mere anarchy is loosed upon the world
Re: CVE-2013-1667: important rehashing flaw
I note that while 5.16.3 is visible on CPAN, no-one seems to have
updated perl.org yet - it still offers 5.16.2 as the latest release
for download.

On 5 March 2013 02:26, Nicholas Clark wrote:
> Technically this is off topic:
>
> - Forwarded message from Ricardo Signes -
>
> Date: Mon, 4 Mar 2013 10:20:11 -0500
> From: Ricardo Signes
> To: perl5-port...@perl.org
> Subject: CVE-2013-1667: important rehashing flaw
> User-Agent: Mutt/1.5.21 (2010-09-15)
>
> The following message concerns a hash-related flaw in perl 5, which has been
> assigned CVE-2013-1667.
>
> In order to prevent an algorithmic complexity attack against its hashing
> mechanism, perl will sometimes recalculate keys and redistribute the contents
> of a hash. This mechanism has made perl robust against attacks that have
> been demonstrated against other systems.
>
> Research by Yves Orton has recently uncovered a flaw in the rehashing code
> which can result in pathological behavior. This flaw could be exploited to
> carry out a denial of service attack against code that uses arbitrary user
> input as hash keys.
>
> Because using user-provided strings as hash keys is a very common operation,
> we urge users of perl to update their perl executable as soon as possible.
> Updates to address this issue have been pushed to maint-5.8, maint-5.10,
> maint-5.12, maint-5.14, and maint-5.16 branches today. Vendors* were informed
> of this problem two weeks ago and are expected to be shipping updates today
> (or otherwise very soon).
>
> bleadperl is not affected.
>
> This issue affects all production versions of perl from 5.8.2 to 5.16.x. It
> does not affect the upcoming perl 5.18.
>
> This issue has been assigned the identifier CVE-2013-1667.
>
> In the next few weeks, expect to see a more detailed post from researcher
> Yves Orton or me.
>
> --
> rjbs
>
> - End forwarded message -
>
> You will be wanting to be sure that this one is patched, either by your
> vendor, or locally if you maintain your own build. The fix is under 40 lines,
> most of which is *deleting* code and comments.
>
> If you know how to attack it, the results are pretty ugly, and pretty much
> impossible to mitigate in user code. Right now, we don't think that anyone
> *else* knows how to do it. You're only safe from DOS as long as this remains
> the case.
>
> Nicholas Clark

--
Turning and turning in the widening gyre
The falcon cannot hear the falconer
Things fall apart; the center cannot hold
Mere anarchy is loosed upon the world