Debian Bug report logs - #655044
glib2.0: ghashtable vulnerable to oCert-2011-003 DOS attacks

Package: src:glib2.0; Maintainer for src:glib2.0 is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>;

Reported by: John Lightsey <lightsey@debian.org>

Date: Sun, 8 Jan 2012 01:30:01 UTC

Severity: important

Tags: security



Report forwarded to debian-bugs-dist@lists.debian.org, lightsey@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#655044; Package src:glib2.0. (Sun, 08 Jan 2012 01:30:04 GMT)

Acknowledgement sent to John Lightsey <lightsey@debian.org>:
New Bug report received and forwarded. Copy sent to lightsey@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 08 Jan 2012 01:30:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: John Lightsey <lightsey@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: glib2.0: ghashtable vulnerable to oCert-2011-003 DOS attacks
Date: Sat, 07 Jan 2012 19:28:54 -0600
Source: glib2.0
Severity: important
Tags: security

The standard hashing functions provided with the ghashtable implementation
in glib are vulnerable to the algorithmic complexity attacks described in
oCert-2011-003

http://www.ocert.org/advisories/ocert-2011-003.html

This was reported upstream in 2003 when Perl fixed their hashing
implementation by introducing a random hash seed. The upstream discussion
is archived here:

http://mail.gnome.org/archives/gtk-devel-list/2003-May/msg00111.html

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#655044; Package src:glib2.0. (Sun, 08 Jan 2012 04:39:03 GMT)

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 08 Jan 2012 04:39:03 GMT)

Message #10 received at 655044@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: John Lightsey <lightsey@debian.org>, 655044@bugs.debian.org
Subject: Re: Bug#655044: glib2.0: ghashtable vulnerable to oCert-2011-003 DOS attacks
Date: Sun, 08 Jan 2012 05:34:42 +0100
On 08.01.2012 02:28, John Lightsey wrote:
> The standard hashing functions provided with the ghashtable implementation
> in glib are vulnerable to the algorithmic complexity attacks described in
> oCert-2011-003

...

> http://mail.gnome.org/archives/gtk-devel-list/2003-May/msg00111.html

This discussion is from 2003 and had no real conclusion.
Have you checked if the current code base is still vulnerable?


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#655044; Package src:glib2.0. (Sun, 08 Jan 2012 05:33:03 GMT)

Acknowledgement sent to John Lightsey <lightsey@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 08 Jan 2012 05:33:03 GMT)

Message #15 received at 655044@bugs.debian.org:

From: John Lightsey <lightsey@debian.org>
To: Michael Biebl <biebl@debian.org>
Cc: 655044@bugs.debian.org
Subject: Re: Bug#655044: glib2.0: ghashtable vulnerable to oCert-2011-003 DOS attacks
Date: Sat, 07 Jan 2012 22:54:07 -0600
On 01/07/2012 10:34 PM, Michael Biebl wrote:
> On 08.01.2012 02:28, John Lightsey wrote:
> This discussion is from 2003 and had no real conclusion.
> Have you checked if the current code base is still vulnerable?

Yes, I looked at their upstream repo and it appears to me that the
standard hashing functions still have this problem.

guint
g_str_hash (gconstpointer v)
{
  const signed char *p;
  guint32 h = 5381;

  for (p = v; *p != '\0'; p++)
    h = (h << 5) + h + *p;

  return h;
}

This is harder to reverse than the standard "h = h * 33 + *p", but the
collisions are predictable.

The hash functions for int64 and double just truncate the keys.
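
Added example, not part of the bug log or of glib: a check for the property the last message describes, usable to answer whether a given string hash is still affected. Each step of the quoted loop multiplies the state by 33 and adds one byte, so two equal-length blocks with the same 33*c1 + c2 (here the constructed pair "Ez" and "FY") are interchangeable anywhere in a key; `str_hash` and `count_outliers` are names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* g_str_hash as quoted in the message above; glib types are replaced by
 * <stdint.h> ones so this builds without glib. */
static uint32_t str_hash(const char *v)
{
    const signed char *p;
    uint32_t h = 5381;

    for (p = (const signed char *)v; *p != '\0'; p++)
        h = (h << 5) + h + *p;
    return h;
}

/* Hash all 2^nblocks keys built from the constructed blocks "Ez" and "FY"
 * and count those whose hash differs from the first key's; 0 means every
 * key lands in the same bucket chain. nblocks is capped at 16. */
static unsigned count_outliers(unsigned nblocks)
{
    static const char *const block[2] = { "Ez", "FY" };
    char key[2 * 16 + 1];
    uint32_t first = 0;
    unsigned outliers = 0;

    if (nblocks > 16)
        nblocks = 16;
    for (uint32_t bits = 0; bits < (1u << nblocks); bits++) {
        for (unsigned i = 0; i < nblocks; i++)
            memcpy(key + 2 * i, block[(bits >> i) & 1], 2);
        key[2 * nblocks] = '\0';
        uint32_t h = str_hash(key);
        if (bits == 0)
            first = h;
        else if (h != first)
            outliers++;
    }
    return outliers;
}

int main(void)
{
    printf("outliers among 1024 keys: %u\n", count_outliers(10));
    return 0;
}
```

Swapping a candidate replacement into `str_hash` and rerunning shows whether the block substitution still collides; a hash that passes should report a nonzero outlier count.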





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 11:22:05 2014; Machine Name: buxtehude.debian.org
