.. _hash-dos:

Hash DoS
========

.. warning::
   This resource is maintained for historical reference and **does not
   contain the latest vulnerability info for Python**. The `canonical
   database for vulnerabilities affecting Python `_ is available on GitHub
   in the Open Source Vulnerability (OSV) format. This vulnerability can be
   viewed online at the `Open Source Vulnerability Database `_.

Hash collision denial of service: an attacker who can predict the hash of
strings can submit many keys that land in the same hash table slot, turning
each insert or lookup into a linear scan and driving CPU consumption to
O(n**2) for n crafted keys.

In Python 2.7 and older and Python 3.2 and older, hash function randomization
is disabled by default: the patched releases ship the code, but it must be
enabled with the ``-R`` command line option (or ``PYTHONHASHSEED=random``).
Randomization is enabled by default since Python 3.3 (the ``-R`` option is
accepted and ignored).

Disclosed in the "Effective Denial of Service attacks against web application
platforms" talk at the CCC (28C3) on 2011-12-28.

See also `PEP 456: Secure and interchangeable hash algorithm `_: Python 3.4
switched to `SipHash `_, a keyed hash designed so that collisions cannot be
found without knowing the per-process key, which the randomized FNV-based hash
of Python 3.3 did not guarantee.

Other languages fixed the same class of bug earlier:

* Ruby: CRuby 1.9 fixed the vulnerability in 2008 with a randomized hash
  function; JRuby has also been fixed.
* Perl: Perl 5.8.1 fixed the vulnerability in 2003 using a random
  ``PERL_HASH_SEED``.

Dates:

* Disclosure date: **2011-12-28** (CCC talk)
* Reported by: Alexander "alech" Klink and Julian "zeri" Wälde

Fixed In
--------

* Python **2.6.8** (2012-04-10) fixed by `commit 1e13eb0 (branch 2.6) `_
  (2012-02-21)
* Python **2.7.3** (2012-04-09) fixed by `commit 1e13eb0 (branch 2.6) `_
  (2012-02-21)
* Python **3.1.5** (2012-04-06) fixed by `commit 2daf6ae (branch 2.7) `_
  (2012-02-20)
* Python **3.2.3** (2012-04-10) fixed by `commit 2daf6ae (branch 2.7) `_
  (2012-02-20)
* Python **3.3.0** (2012-09-29) fixed by `commit 2daf6ae (branch 2.7) `_
  (2012-02-20)

Python issue
------------

Hash collision security issue.

* Python issue: `bpo-13703 `_
* Creation date: 2012-01-03
* Reporter: Barry A. Warsaw

CVE-2012-1150
-------------

Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before
3.2.3 computes hash values without restricting the ability to trigger hash
collisions predictably, which allows context-dependent attackers to cause a
denial of service (CPU consumption) via crafted input to an application that
maintains a hash table.

* CVE ID: `CVE-2012-1150 `_
* Published: 2012-10-05
* `CVSS Score `_: 5.0

Timeline
--------

Timeline using the disclosure date **2011-12-28** as reference:

* 2011-12-28: Disclosure date (CCC talk)
* 2012-01-03 (**+6 days**): `Python issue bpo-13703 `_ reported by
  Barry A. Warsaw
* 2012-02-20 (**+54 days**): `commit 2daf6ae (branch 2.7) `_
* 2012-02-21 (**+55 days**): `commit 1e13eb0 (branch 2.6) `_
* 2012-04-06 (**+100 days**): Python 3.1.5 released
* 2012-04-09 (**+103 days**): Python 2.7.3 released
* 2012-04-10 (**+104 days**): Python 2.6.8 released
* 2012-04-10 (**+104 days**): Python 3.2.3 released
* 2012-09-29 (**+276 days**): Python 3.3.0 released
* 2012-10-05 (**+282 days**): CVE-2012-1150 published

Links
-----

* https://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html
* http://www.ocert.org/advisories/ocert-2011-003.html
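The two halves of the issue described above, the cost of predictable
collisions and the randomization that defeats them, can be observed directly.
The script below is an added example, not part of the original advisory or of
CPython's own code: it starts child interpreters with ``PYTHONHASHSEED`` set to
show that the seed changes ``hash()`` of the same string (so an attacker
cannot precompute colliding keys for a live process), and it times dict
inserts with a constructed always-colliding key class against a well-hashed one
to show the quadratic collision cost the attack exploits. The key classes,
the probe string and the seed values are constructed for the example.

```python
"""Added example: check hash randomization and measure the cost of hash
collisions in a CPython dict. Standard library only; the key classes and
inputs below are constructed for the demonstration."""
import os
import subprocess
import sys
import time


def hash_randomization_enabled():
    """True when this interpreter salts str/bytes hashes with a per-process
    random seed (default since Python 3.3; older releases need -R or
    PYTHONHASHSEED=random)."""
    return bool(sys.flags.hash_randomization)


def hash_in_fresh_interpreter(value, seed):
    """Return hash(value) as computed by a child interpreter started with
    PYTHONHASHSEED=seed, so the seed's effect is visible across processes."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(hash(sys.argv[1]))", value],
        env=env, capture_output=True, text=True, check=True,
    )
    return int(proc.stdout.strip())


def seed_changes_hashes(value="Hash DoS", seeds=(1, 2, 3)):
    """With a randomized hash, different seeds give different hash(value):
    collisions precomputed against one seed are useless against another."""
    return len({hash_in_fresh_interpreter(value, s) for s in seeds}) > 1


def seed_zero_is_stable(value="Hash DoS"):
    """PYTHONHASHSEED=0 disables randomization: the same input hashes
    identically in every process, which is the pre-fix (attackable) behaviour."""
    return hash_in_fresh_interpreter(value, 0) == hash_in_fresh_interpreter(value, 0)


class CollidingKey:
    """Constructed worst case: every key has the same hash, so each insert
    probes past all earlier keys and calls __eq__ on each of them."""

    __slots__ = ("value",)

    def __init__(self, value):
        self.value = value

    def __hash__(self):
        return 42  # constant hash: every instance collides with every other

    def __eq__(self, other):
        return isinstance(other, CollidingKey) and self.value == other.value


class DistinctKey(CollidingKey):
    """Same key type with well-spread hashes: inserts stay O(1) on average."""

    __slots__ = ()

    def __hash__(self):
        return hash(self.value)


def insertion_seconds(key_type, n):
    """Wall-clock time to insert n keys of key_type into an empty dict."""
    start = time.perf_counter()
    table = {}
    for i in range(n):
        table[key_type(i)] = i
    return time.perf_counter() - start


def collision_slowdown(n=1500):
    """Ratio of insert time with all-colliding keys to distinct keys.
    It grows roughly linearly with n because the colliding case is O(n**2)."""
    return insertion_seconds(CollidingKey, n) / insertion_seconds(DistinctKey, n)


if __name__ == "__main__":
    print("hash randomization enabled:", hash_randomization_enabled())
    print("different seeds give different hashes:", seed_changes_hashes())
    print("seed 0 is stable across processes:", seed_zero_is_stable())
    print("collision slowdown (x):", round(collision_slowdown(), 1))
```

The slowdown figure is the mechanism behind the CPU-consumption DoS: for a
web framework that builds a dict from attacker-controlled form fields or JSON
keys, n colliding keys cost about n**2/2 comparisons instead of n. The
randomization check is what you want on a deployment: on a patched 2.x or
3.2 interpreter, ``sys.flags.hash_randomization`` stays 0 unless ``-R`` or
``PYTHONHASHSEED=random`` is set, and a ``PYTHONHASHSEED=0`` left over from a
reproducible-build or test configuration silently reintroduces the problem.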