Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 12 Feb 2014 00:20:30 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2013-6401 Jansson hash collision issue

As reported to the distros mailing list:

Hi all,

Florian Weimer of the Red Hat Product Security Team found that the
hashing implementation in Jansson, a library for encoding, decoding and
manipulating JSON data, was susceptible to predictable hash collisions.
A remote attacker could use this flaw to cause an application using
Jansson to use an excessive amount of CPU time by sending a crafted JSON
document containing a large number of parameters whose names map to the
same hash value. (CVE-2013-6401)

With regards to affected versions, I am guessing only 2.4-2 and 2.4-3
were checked (by Red Hat).

Many thanks to Florian Weimer and Petri Lehtinen (upstream) for their
extensive work on the patch:

https://github.com/akheron/jansson/commit/8f80c2d83808150724d31793e6ade92749b1faa4

(Feel free to copy the above CVE-2013-6401 description paragraph in any
of your bugs or advisories.)

Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1035538 (to be
opened shortly)

Cheers,

--
Murray McAllister / Red Hat Security Response Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ