CVE-2012-1150: Hash DoS

Hash collision denial of service.

In Python 2.6 and 2.7 the fix is disabled by default and must be enabled with the -R command line option.

Disclosed in the “Effective Denial of Service attacks against web application platforms” talk at the CCC on 2011-12-28.

See also PEP 456 (Secure and interchangeable hash algorithm): Python 3.4 switched to SipHash.
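As an added check (example code written for this page, not part of the advisory or of CPython itself), the following Python 3 script verifies that the fix is actually active in a deployment. It reads `sys.flags.hash_randomization` for the running interpreter and starts fresh interpreters with different `PYTHONHASHSEED` settings to confirm that the hash of the same string changes between processes when randomization is on, and stays fixed when a seed is pinned. The helper function names are this example's own; `PYTHONHASHSEED` and `sys.flags.hash_randomization` are real CPython features.

```python
"""Verify that str/bytes hash randomization (the CVE-2012-1150 fix) is in effect.

Added example for this advisory page; not CPython's own code. On Python 3.3+
randomization is on by default, on 2.6.8/2.7.3 it has to be enabled with -R.
A deployment that pins PYTHONHASHSEED=0 (e.g. for reproducible builds) turns
the protection back off, which is what the fresh-interpreter checks reveal.
"""
import os
import subprocess
import sys


def hash_randomization_enabled():
    """True when the interpreter running this code randomizes hashes."""
    return bool(sys.flags.hash_randomization)


def _run_in_fresh_interpreter(code, seed, *args):
    """Run `code` in a new interpreter started with PYTHONHASHSEED=seed.

    seed is the string "random" (a new secret key per process) or an integer
    (a fixed key; 0 disables randomization entirely). Returns stripped stdout.
    """
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    out = subprocess.check_output([sys.executable, "-c", code, *args], env=env)
    return out.decode().strip()


def hash_in_fresh_interpreter(value, seed):
    """hash(value) as computed by a separate interpreter process."""
    code = "import sys; print(hash(sys.argv[1]))"
    return int(_run_in_fresh_interpreter(code, seed, value))


def randomization_flag_in_fresh_interpreter(seed):
    """sys.flags.hash_randomization as seen by a process started with that seed."""
    code = "import sys; print(sys.flags.hash_randomization)"
    return _run_in_fresh_interpreter(code, seed) != "0"


def hashes_vary_across_processes(value="python", runs=3):
    """True if the same string hashes differently in independent processes.

    With PYTHONHASHSEED=random each process draws its own key, so an attacker
    cannot precompute colliding keys; identical hashes across runs would mean
    the protection is not active.
    """
    seen = {hash_in_fresh_interpreter(value, "random") for _ in range(runs)}
    return len(seen) > 1


def hashes_stable_with_fixed_seed(value="python", seed=12345, runs=3):
    """True if pinning a seed makes the hash reproducible (useful for tests,
    but it also makes collisions predictable again, so never pin it in production)."""
    seen = {hash_in_fresh_interpreter(value, seed) for _ in range(runs)}
    return len(seen) == 1


if __name__ == "__main__":
    print("this interpreter randomizes hashes:", hash_randomization_enabled())
    print("hashes vary between processes:", hashes_vary_across_processes())
    print("fixed seed is reproducible:", hashes_stable_with_fixed_seed())
    print("PYTHONHASHSEED=0 disables the fix:",
          not randomization_flag_in_fresh_interpreter(0))
```

Running the script on a patched interpreter prints `True` for every line. The fresh-interpreter checks matter more than the in-process flag: a service manager or container image may export `PYTHONHASHSEED=0` without the application code ever noticing.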

  • Disclosure date: 2011-12-28 (CCC talk)
  • Reported by: Alexander “alech” Klink and Julian “zeri” Wälde

Fixed In

Python issue

Hash collision security issue.

  • Python issue: issue #13703
  • Creation date: 2012-01-03
  • Reporter: Barry A. Warsaw

CVE-2012-1150

Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

Timeline

Timeline using the disclosure date 2011-12-28 as reference:

  • 2011-12-28: Disclosure date (CCC talk)
  • 2012-01-03 (+6 days): Python issue #13703 reported by Barry A. Warsaw
  • 2012-02-20 (+54 days): commit 2daf6ae
  • 2012-02-21 (+55 days): commit 1e13eb0
  • 2012-04-08 (+102 days): Python 3.1.5 released
  • 2012-04-09 (+103 days): Python 2.7.3 released
  • 2012-04-10 (+104 days): Python 2.6.8 released
  • 2012-04-10 (+104 days): Python 3.2.3 released
  • 2012-09-29: Python 3.3.0 released
  • 2012-10-05 (+282 days): CVE-2012-1150 published