Date: Wed, 12 Feb 2014 00:29:50 +1100 From: Murray McAllister <mmcallis@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-2013-6401 Jansson hash collision issue On 02/12/2014 12:20 AM, Murray McAllister wrote: > As reported to the distros mailing list: > > Hi all, > > Florian Weimer of the Red Hat Product Security Team found that the > hashing implementation in Jansson, a library for encoding, decoding and > manipulating JSON data, was susceptible to predictable hash collisions. > A remote attacker could use this flaw to cause an application using > Jansson to use an excessive amount of CPU time by sending a crafted JSON > document containing a large number of parameters whose names map to the > same hash value. (CVE-2013-6401) > > With regards to affected versions, I am guessing only 2.4-2 and 2.4-3 > were checked (by Red Hat). > > Many thanks to Florian Weimer and Petri Lehtinen (upstream) for their > extensive work on the patch: > > https://github.com/akheron/jansson/commit/8f80c2d83808150724d31793e6ade92749b1faa4 > > (Feel free to copy the above CVE-2013-6401 description paragraph in any > of your bugs or advisories.) > > Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1035538 (to be > opened shortly) > > Cheers, > > -- > Murray McAllister / Red Hat Security Response Team > This commit is also needed: https://github.com/akheron/jansson/commit/42016a35c8907e477be73b0b5d06cc09af231ee4
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ