LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Kernel prepatch 3.9-rc6

LWN.net Weekly Edition for April 4, 2013

LWN.net Weekly Edition for March 28, 2013

A kernel change breaks GlusterFS

PyCon: Evangelizing Python

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

ruby: denial of service

Package(s):ruby CVE #(s):CVE-2012-5371
Created:November 19, 2012 Updated:December 7, 2012
Description: From the Red Hat bugzilla:

Ruby 1.9.3-p327 was released to correct a hash-flooding DoS vulnerability that only affects 1.9.x and the 2.0.0 preview [1].

As noted in the upstream report:

Carefully crafted sequence of strings can cause a denial of service attack on the service that parses the sequence to create a Hash object by using the strings as keys. For instance, this vulnerability affects web application that parses the JSON data sent from untrusted entity.

This vulnerability is similar to CVS-2011-4815 for ruby 1.8.7. ruby 1.9 versions were using modified MurmurHash function but it's reported that there is a way to create sequence of strings that collide their hash values each other. This fix changes the Hash function of String object from the MurmurHash to SipHash 2-4.

Ruby 1.8.x is not noted as being affected by this flaw.

Alerts:
Fedora FEDORA-2012-18017 2012-11-19
Slackware SSA:2012-341-04 2012-12-06
Ubuntu USN-1733-1 2013-02-21
Red Hat RHSA-2013:0582-01 2013-02-28
openSUSE openSUSE-SU-2013:0376-1 2013-03-01
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds