Date: Sat,  4 Jun 2016 10:54:19 -0400 (EDT)
From: cve-assign@...re.org
To: sebastian@...ping.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: expat hash collision fix too predictable?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Please confirm that using CVE-2012-6702 for consequences of
> "unanticipated internal calls to srand" is what you intended.

Yes, we confirm that. (They are unanticipated both because of
thread-safety concerns, and because it's possible for an application
to have an important dependency on srand being called exactly once.)


> The hash DoS vulnerability CVE-2012-0876 was fixed to some extent in
> Expat 2.1.0, commit e3e81a6d
> ...
> The next release of Expat will not do internal calls to srand (or rand)
> any more but extract and use entropy from other sources.
> ...
> I suppose hash initialization with (too little /) second-based
> entropy still is part of the original CVE-2012-0876 (or the same again).

Use CVE-2016-5300 for the separate issue in which the original choices
of entropy source and RNG did not properly address the possibility of
a successful hash DoS attack. In other words, the code changes (in the
next release) to fix CVE-2016-5300 are needed because the original fix
for CVE-2012-0876 was insufficient. (We use separate CVE IDs when
follow-on work is needed to complete the solution to the same original
vulnerability finding.)

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXUuskAAoJEHb/MwWLVhi2/BMP/RmK0mqYwmznhALOJw+m24IY
PiLec/ly/1kBu4Ng03fo5YCZuNdM15ZIkHlTnNrkEdFvZpFin/5R8vXEZVjOPJgR
3De4Y/47PWm1v0H0KoOhK1a/zuO8KqL8MUJUlhokMp5SQnbo0u+ANYPVwB2yndmQ
uaoN2zjOx5aWIb9toDeFcNO2WprzsCVZdqwREHhXAmrXAV2NWfyYLvgk2nQ4wkHF
OdME+So20qrl+rq9GsvBV12ecjCk4WBtW1k/l9Tt1Q8BXGIr9iMIWtJjDc3+uXap
Y2DschCUfYd5J/H8GEnsOyRffLpw0cEQNS7+iYfttqJLY08XKfEwTnXdj1kW/Uny
AwkzgB6X//qmeD5+P90A/mI9ovpuc/MmjHTMqgLT+9DF9MRYLDqT8xwQ6yoo26f0
CuHvx83T2mSNfFjjWjBNC0YY7d8h/4Xefd43AdEWiX5MT/aGkL2vJCSqUqiVVFq4
SJQKixQ3C/y0yxqHNCbC9CQqDJYdepFXmIV2LzhWnwNsKtVW4c1xZNlNwsCl02lK
sTneAV4whgioqj66Du+6fFPifKdkx+ezkEBaauAJRySBtzbgj5+vqvbNKyn0BSLM
WCvRSyLL4nBc3hWi7JTq76eGwrYeB+xyst6+YehdR6oJ+NaqTsO8Ec6PKQtqicyg
ktXAm8A5yDPoTcCYOt12
=r9fV
-----END PGP SIGNATURE-----
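The point at issue above, a hash salt taken from a second-granularity clock via srand()/rand(), can be made concrete with a small model. The following C program is an added example written for this archive page; it is not code from this message, from Sebastian, or from Expat, and weak_salt_for_time(), salted_hash() and the attacker routines are stand-ins constructed here rather than Expat's own functions. It shows why such a salt is "too little entropy": an attacker who knows when the parser was created to within a window of W seconds has at most W candidate salts, and once the right one is found, building a set of colliding names for the hash DoS is cheap.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Assumption: models the pattern the thread criticizes, a salt derived from
 * a one-second clock through srand()/rand(). Stand-in for this example only,
 * not Expat's salt generator. */
static unsigned long weak_salt_for_time(time_t start)
{
    srand((unsigned int)(start % UINT_MAX));
    return (unsigned long)rand();
}

/* Stand-in salted string hash: FNV-1a with the salt folded into the seed
 * and a final fold so the low bits depend on the whole state. The choice
 * of hash is irrelevant here; the weakness is in the salt. */
static unsigned long salted_hash(unsigned long salt, const char *s)
{
    unsigned long h = 2166136261UL ^ salt;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619UL;
    }
    return h ^ (h >> 16);
}

#define MAX_WINDOW 4096

/* Attacker model: the parser's creation time is known to within `window`
 * seconds (log timestamps, uptime, a restart the attacker provoked).
 * Enumerate every salt that clock range can yield; the count never exceeds
 * `window`, no matter how wide the salt's integer type is. */
static size_t enumerate_candidate_salts(time_t earliest, int window,
                                        unsigned long *out)
{
    size_t n = 0;
    if (window > MAX_WINDOW)
        window = MAX_WINDOW;
    for (int i = 0; i < window; i++) {
        unsigned long s = weak_salt_for_time(earliest + i);
        size_t j;
        for (j = 0; j < n; j++)
            if (out[j] == s)
                break;
        if (j == n)
            out[n++] = s;          /* keep distinct candidates only */
    }
    return n;
}

static size_t candidate_count(time_t earliest, int window)
{
    unsigned long cand[MAX_WINDOW];
    return enumerate_candidate_salts(earliest, window, cand);
}

/* 1 if the salt the target actually chose is in the attacker's candidate list. */
static int salt_is_recoverable(time_t actual_start, time_t earliest, int window)
{
    unsigned long cand[MAX_WINDOW];
    size_t n = enumerate_candidate_salts(earliest, window, cand);
    unsigned long actual = weak_salt_for_time(actual_start);
    for (size_t i = 0; i < n; i++)
        if (cand[i] == actual)
            return 1;
    return 0;
}

/* Once a salt is known, collisions are cheap: try attribute-like names
 * "a0", "a1", ... until `want` of them fall into bucket 0 of a table with
 * `buckets` slots (a power of two). Returns how many were found. */
static int find_colliding_names(unsigned long salt, unsigned long buckets,
                                char names[][16], int want)
{
    int found = 0;
    for (unsigned long i = 0; found < want && i < 1000000UL; i++) {
        char buf[16];
        snprintf(buf, sizeof buf, "a%lu", i);
        if ((salted_hash(salt, buf) & (buckets - 1)) == 0)
            strcpy(names[found++], buf);
    }
    return found;
}

/* 1 if `want` colliding names were found and every one really hits bucket 0. */
static int collisions_verified(unsigned long salt, unsigned long buckets, int want)
{
    char names[64][16];
    if (want > 64 || find_colliding_names(salt, buckets, names, want) != want)
        return 0;
    for (int i = 0; i < want; i++)
        if ((salted_hash(salt, names[i]) & (buckets - 1)) != 0)
            return 0;
    return 1;
}

int main(void)
{
    time_t now = time(NULL);     /* the target seeds its salt from "now" */
    time_t guess = now - 30;     /* the attacker knows that to within a minute */
    unsigned long salt = weak_salt_for_time(now);
    char names[8][16];

    printf("candidate salts for a 60 s window: %zu\n", candidate_count(guess, 60));
    printf("actual salt recoverable: %d\n", salt_is_recoverable(now, guess, 60));
    printf("names colliding under salt %lu: %d (e.g. %s, %s)\n", salt,
           find_colliding_names(salt, 64, names, 8), names[0], names[1]);
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, rand() output for a given seed is specific to the target's C library, so the enumeration has to be run against the same libc as the target; in practice that is known or easily guessed, which is why it adds no meaningful entropy. Second, the fix the thread describes, taking the salt from another entropy source instead of srand()/rand(), is what breaks this attack: the candidate set is then bounded by the width of the salt rather than by the width of the time window.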
