Date: Wed, 12 Feb 2014 00:20:30 +1100 From: Murray McAllister <mmcallis@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2013-6401 Jansson hash collision issue As reported to the distros mailing list: Hi all, Florian Weimer of the Red Hat Product Security Team found that the hashing implementation in Jansson, a library for encoding, decoding and manipulating JSON data, was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause an application using Jansson to use an excessive amount of CPU time by sending a crafted JSON document containing a large number of parameters whose names map to the same hash value. (CVE-2013-6401) With regards to affected versions, I am guessing only 2.4-2 and 2.4-3 were checked (by Red Hat). Many thanks to Florian Weimer and Petri Lehtinen (upstream) for their extensive work on the patch: https://github.com/akheron/jansson/commit/8f80c2d83808150724d31793e6ade92749b1faa4 (Feel free to copy the above CVE-2013-6401 description paragraph in any of your bugs or advisories.) Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1035538 (to be opened shortly) Cheers, -- Murray McAllister / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ