Date: Sat, 4 Jun 2016 17:24:40 +0200 From: Sebastian Pipping <sebastian@...ping.org> To: cve-assign@...re.org Cc: oss-security@...ts.openwall.com Subject: Re: expat hash collision fix too predictable? On 04.06.2016 16:54, cve-assign@...re.org wrote: >> Please confirm that using CVE-2012-6702 for consequences of >> "unanticipated internal calls to srand" is what you intended. > > Yes, we confirm that. (They are unanticipated both because of > thread-safety concerns, and because it's possible for an application > to have an important dependency on srand being called exactly once.) > > >> The hash DoS vulnerability CVE-2012-0876 was fixed to some extend in >> Expat 2.1.0, commit e3e81a6d >> ... >> The next release of Expat will not do internal calls to srand (or rand) >> any more but extract and use entropy from other sources. >> ... >> I suppose hash initialization with (too little /) second-based >> entropy still is part of the original CVE-2012-0876 (or the same again). > > Use CVE-2016-5300 for the separate issue in which the original choices > of entropy source and RNG did not properly address the possibility of > a successful hash DoS attack. In other words, the code changes (in the > next release) to fix CVE-2016-5300 are needed because the original fix > for CVE-2012-0876 was insufficient. (We use separate CVE IDs when > follow-on work is needed to complete the solution to the same original > vulnerability finding.) Excellent, thank you! https://sourceforge.net/p/expat/code_git/ci/07cc2fcacf81b32b2e06aa918df51756525240c0/ Best Sebastian
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ