Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 12 Feb 2014 00:29:50 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2013-6401 Jansson hash collision issue

On 02/12/2014 12:20 AM, Murray McAllister wrote:
> As reported to the distros mailing list:
> 
> Hi all,
> 
> Florian Weimer of the Red Hat Product Security Team found that the
> hashing implementation in Jansson, a library for encoding, decoding and
> manipulating JSON data, was susceptible to predictable hash collisions.
> A remote attacker could use this flaw to cause an application using
> Jansson to use an excessive amount of CPU time by sending a crafted JSON
> document containing a large number of parameters whose names map to the
> same hash value. (CVE-2013-6401)
> 
> With regards to affected versions, I am guessing only 2.4-2 and 2.4-3
> were checked (by Red Hat).
> 
> Many thanks to Florian Weimer and Petri Lehtinen (upstream) for their
> extensive work on the patch:
> 
> https://github.com/akheron/jansson/commit/8f80c2d83808150724d31793e6ade92749b1faa4
> 
> (Feel free to copy the above CVE-2013-6401 description paragraph in any
> of your bugs or advisories.)
> 
> Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1035538 (to be
> opened shortly)
> 
> Cheers,
> 
> --
> Murray McAllister / Red Hat Security Response Team
> 

This commit is also needed:

https://github.com/akheron/jansson/commit/42016a35c8907e477be73b0b5d06cc09af231ee4

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ