Bug 804415 (CVE-2013-1667) - VUL-0: CVE-2013-1667: perl: Denial of Service (CPU consumption) via specially-crafted, user-supplied hash keys
Status: RESOLVED FIXED
Alias: CVE-2013-1667
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P2 - High : Major
Deadline: 2013-03-05
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:sle11-sp1:51461 maint:...
Reported: 2013-02-19 11:44 UTC by Matthias Weckbecker
Modified: 2015-02-18 22:31 UTC

Description Matthias Weckbecker 2013-02-19 11:44:28 UTC
Via security@. Unknown if already public or not, so be careful please:

--------------------------------------------------------------------------
The following message concerns a hash-related flaw in perl 5, which has been
assigned CVE-2013-1667.  Patches are attached, and all vendors are urged to
apply them.

In order to prevent an algorithmic complexity attack against its hashing
mechanism, perl will sometimes recalculate keys and redistribute the contents
of a hash.  This mechanism has made perl robust against attacks that have
been demonstrated against other systems.

Research by Yves Orton has recently uncovered a flaw in the rehashing code
which can result in pathological behavior.  This flaw could be exploited to
carry out a denial of service attack against code that uses arbitrary user
input as hash keys.

Because using user-provided strings as hash keys is a very common operation,
we urge perl packagers to apply the attached patches as soon as possible.

We will apply these patches to the public perl git repository in two weeks
unless there are new concerns raised.

This issue affects all production versions of perl from 5.8.2 to 5.16.x.
It does not affect the upcoming perl 5.18.

This issue has been assigned the identifier CVE-2013-1667.

For more information on the specifics on this flaw, consult the patch or
contact me.
--------------------------------------------------------------------------
Comment 1 Swamp Workflow Management 2013-02-19 11:45:31 UTC
The SWAMPID for this issue is 51270.
This issue was rated as important.
Please submit fixed packages until 2013-02-26.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 3 Michael Schröder 2013-02-19 12:55:12 UTC
I probably can't do this till 02-26. Please give me a few more days.
(It's just a DoS, after all.)
Comment 11 Marcus Meissner 2013-03-08 17:32:45 UTC
commit f14269908e5f8b4cab4b55643d7dd9de577e7918
Author: Yves Orton <demerphq@gmail.com>
Date:   Tue Feb 12 10:53:05 2013 +0100

    Prevent premature hsplit() calls, and only trigger REHASH after hsplit()

    Triggering a hsplit due to long chain length allows an attacker
    to create a carefully chosen set of keys which can cause the hash
    to use 2 * (2**32) * sizeof(void *) bytes ram. AKA a DOS via memory
    exhaustion. Doing so also takes non trivial time.

    Eliminating this check, and only inspecting chain length after a
    normal hsplit() (triggered when keys>buckets) prevents the attack
    entirely, and makes such attacks relatively benign.

    (cherry picked from commit f2a571dae7d70f7e3b59022834d8003ecd2df884)
    (which was itself cherry picked (with changes) from commit
    f1220d61455253b170e81427c9d0357831ca0fac)
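
A simplified model of the two growth policies that the commit message in comment 11 contrasts, added here as an illustration; it is not Perl's hv.c code. The threshold, the starting size, all names and the use of one constructed hash value for every colliding key are assumptions, and the REHASH step is reduced to a flag.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_CHAIN 14     /* chain-length threshold: illustrative assumption */
#define START_BUCKETS 8  /* initial bucket count: illustrative assumption */

enum policy { SPLIT_ON_LONG_CHAIN, SPLIT_ON_LOAD_ONLY };
struct result { uint64_t buckets; int rehash_flag; };

/* Chain length of the bucket that hash h maps to, over the first n keys. */
static int chain_len(const uint32_t *hashes, int n, uint32_t h, uint64_t buckets) {
    int len = 0;
    for (int i = 0; i < n; i++)
        if ((hashes[i] & (buckets - 1)) == (h & (buckets - 1))) len++;
    return len;
}

/* Insert n keys, each represented only by its hash value, under policy p. */
struct result simulate(const uint32_t *hashes, int n, enum policy p) {
    struct result r = { START_BUCKETS, 0 };
    for (int i = 0; i < n; i++) {
        uint64_t keys = (uint64_t)i + 1;
        int split = keys > r.buckets;            /* normal split: keys > buckets */
        if (p == SPLIT_ON_LONG_CHAIN &&          /* the trigger the commit removes */
            chain_len(hashes, i + 1, hashes[i], r.buckets) > MAX_CHAIN)
            split = 1;
        if (!split) continue;
        r.buckets *= 2;                          /* model of hsplit(): double the array */
        /* Patched policy: inspect chain length only after a normal split. */
        if (p == SPLIT_ON_LOAD_ONLY &&
            chain_len(hashes, i + 1, hashes[i], r.buckets) > MAX_CHAIN)
            r.rehash_flag = 1;                   /* real perl would now rehash */
    }
    return r;
}

int main(void) {
    uint32_t colliding[40];                      /* constructed: one hash value, 40 keys */
    for (int i = 0; i < 40; i++) colliding[i] = 0x2a;
    struct result a = simulate(colliding, 40, SPLIT_ON_LONG_CHAIN);
    struct result b = simulate(colliding, 40, SPLIT_ON_LOAD_ONLY);
    printf("chain-triggered: %llu buckets\n", (unsigned long long)a.buckets);
    printf("load-triggered:  %llu buckets, rehash=%d\n",
           (unsigned long long)b.buckets, b.rehash_flag);
    return 0;
}
```

In this model the chain-triggered policy lets the bucket array grow independently of the number of keys stored, while the load-triggered policy keeps it proportional to the key count and only flags the long chain.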
Comment 12 Swamp Workflow Management 2013-03-12 15:05:22 UTC
Update released for: perl, perl-32bit, perl-base, perl-base-32bit, perl-debuginfo, perl-debugsource, perl-doc
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 13 Swamp Workflow Management 2013-03-12 17:05:35 UTC
Update released for: perl, perl-32bit, perl-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 14 Swamp Workflow Management 2013-03-12 19:12:10 UTC
Update released for: perl, perl-32bit, perl-base, perl-base-32bit, perl-base-x86, perl-debuginfo, perl-debuginfo-32bit, perl-debuginfo-64bit, perl-debuginfo-x86, perl-debugsource, perl-doc, perl-x86
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 15 Swamp Workflow Management 2013-03-12 19:58:10 UTC
Update released for: perl, perl-32bit, perl-64bit, perl-debuginfo, perl-x86
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 16 Marcus Meissner 2013-03-13 10:38:20 UTC
all released.
Comment 17 Swamp Workflow Management 2013-03-13 11:04:54 UTC
Update released for: perl
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 18 Bernhard Wiedemann 2013-03-15 21:00:27 UTC
This is an autogenerated message for OBS integration:
This bug (804415) was mentioned in
https://build.opensuse.org/request/show/159624 Maintenance /
Comment 19 Bernhard Wiedemann 2013-03-18 07:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (804415) was mentioned in
https://build.opensuse.org/request/show/159756 Evergreen:11.2 / perl
Comment 20 Swamp Workflow Management 2013-03-20 10:05:50 UTC
openSUSE-SU-2013:0497-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 755278,789994,797060,804415
CVE References: CVE-2012-5526,CVE-2012-6329,CVE-2013-1667
Sources used:
openSUSE 12.3 (src):    perl-5.16.2-2.5.1
openSUSE 12.2 (src):    perl-5.16.0-3.5.1
openSUSE 12.1 (src):    perl-5.14.2-9.1
Comment 21 Swamp Workflow Management 2013-03-20 13:04:54 UTC
openSUSE-SU-2013:0502-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 789994,797060,804415
CVE References: CVE-2012-5526,CVE-2012-6329,CVE-2013-1667
Sources used:
openSUSE 11.4 (src):    perl-5.12.3-11.36.1
Comment 22 Bernhard Wiedemann 2013-03-21 07:00:26 UTC
This is an autogenerated message for OBS integration:
This bug (804415) was mentioned in
https://build.opensuse.org/request/show/160382 Evergreen:11.2 / perl