Bugzilla – Bug 863301
VUL-0: CVE-2013-6401: libjansson: hash table collisions CPU usage DoS
Last modified: 2014-04-01 06:52:54 UTC
Florian Weimer and Eric Sesterhenn reported an issue with Jansson, a C library for encoding, decoding and manipulating JSON data. The problem exists inside the hashing implementation and results in possible prediction of hash collisions.

Upstream fixes:
https://github.com/akheron/jansson/commit/8f80c2d83808150724d31793e6ade92749b1faa4
https://github.com/akheron/jansson/commit/42016a35c8907e477be73b0b5d06cc09af231ee4

CVE-2013-6401 was assigned to this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6401
https://bugzilla.redhat.com/show_bug.cgi?id=1035538
https://github.com/akheron/jansson/commit/8f80c2d83808150724d31793e6ade92749b1faa4
http://comments.gmane.org/gmane.comp.security.oss.general/12099
bugbot adjusting priority
Created attachment 580084
jansson-hashfix.patch

Here is a minimalistic patch, which will XOR a seed that is calculated on startup from the usec of the system time. Untested. ;)
Makes the attack harder and less generic. An attacker would need to probe more and estimate remote efforts...
Jordi, could you test Marcus' jansson-hashfix.patch? It should be sufficient enough to have a minimal randomness inside the hash generation to avoid collisions.
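Added example, not part of the bug report and not the attached patch or Jansson's own code: it illustrates the idea discussed in the comments above, a seed taken once at startup from the microseconds of the system time and XORed into a string hash, so that bucket placement differs from one process to the next. The FNV-1a hash, the function names and the sample keys are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

/* Seed as the comment above describes it: microseconds of the system time.
 * tv_usec is always 0..999999, so this seed has fewer than 20 bits. */
static uint32_t seed_from_usec(void)
{
    struct timeval tv;
    gettimeofday(&tv, NULL);
    return (uint32_t)tv.tv_usec;
}

/* Hypothetical string hash (FNV-1a) with the seed XORed into its start value. */
static uint32_t hash_str(const char *key, uint32_t seed)
{
    uint32_t h = 2166136261u ^ seed;
    for (; *key != '\0'; key++) {
        h ^= (unsigned char)*key;
        h *= 16777619u;
    }
    return h;
}

/* Number of constructed sample keys that land in a different bucket when the
 * seed changes, i.e. a bucket layout worked out for one seed does not carry over. */
static int keys_moved(uint32_t seed_a, uint32_t seed_b, uint32_t nbuckets)
{
    static const char *const keys[] = { "id", "name", "email", "roles", "token" };
    int moved = 0;
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        moved += hash_str(keys[i], seed_a) % nbuckets
              != hash_str(keys[i], seed_b) % nbuckets;
    return moved;
}

int main(void)
{
    uint32_t seed = seed_from_usec(); /* computed once at startup */
    printf("seed %u: %d of 5 sample keys moved relative to the unseeded hash\n",
           seed, keys_moved(0, seed, 16));
    return 0;
}
```

Because the seed space is at most 1,000,000 values, this raises the cost of predicting collisions rather than removing the possibility, which matches the "harder and less generic" assessment in the thread.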
The SWAMPID for this issue is 56600. This issue was rated as moderate. Please submit fixed packages until 2014-03-24. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Affected packages:
SLE-11-SP3: libjansson
SLE-11-SP2: libjansson
SLE-11-SP2-PRODUCTS: libjansson
This is an autogenerated message for OBS integration: This bug (863301) was mentioned in
https://build.opensuse.org/request/show/225475 12.3 / libjansson
https://build.opensuse.org/request/show/225476 13.1 / libjansson

This is an autogenerated message for OBS integration: This bug (863301) was mentioned in
https://build.opensuse.org/request/show/225491 13.1 / libjansson
https://build.opensuse.org/request/show/225492 12.3 / libjansson

This is an autogenerated message for OBS integration: This bug (863301) was mentioned in
https://build.opensuse.org/request/show/225552 12.3 / libjansson
https://build.opensuse.org/request/show/225553 13.1 / libjansson
openSUSE-SU-2014:0394-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 863301
CVE References: CVE-2013-6401
Sources used:
openSUSE 13.1 (src): libjansson-2.3.1-7.4.1
openSUSE 12.3 (src): libjansson-2.3.1-5.4.1
released
Update released for: libjansson4 Products: SLE-STUDIOONSITE 1.3 (x86_64)
SUSE-SU-2014:0467-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 863301
CVE References: CVE-2013-6401
Sources used:
SUSE Studio Onsite 1.3 (src): libjansson-2.2.1-0.9.10.1