Original bug ID: 5572
Reporter: @xavierleroy
Assigned to: @xavierleroy
Status: closed (set by @xavierleroy on 2013-08-31T10:49:03Z)
Resolution: fixed
Priority: normal
Severity: major
Version: 3.12.1
Target version: 4.00.0+dev
Fixed in version: 4.00.0+dev
Category: standard library
Monitored by: @glondu
Bug description
This PR is intended to document vulnerability CVE-2012-0839 and its resolution.
Summary: up to OCaml 3.12.1 included, hash tables as implemented by the Hashtbl stdlib module use a fixed hash function. This opens the way to a denial-of-service attack on Web-facing and other security-sensitive applications, whereby the attacker sends a series of requests crafted to cause many collisions in a hash table and therefore slow down the application.
The new hash table implementation (commit r11056), integrated in SVN trunk and in 4.00 branch, already supports diversification of hash tables via a randomly-chosen seed. However, the API doesn't make it easy enough to turn randomization on. I am currently revising the API.
Fixed in 4.00 branch (commit 12383) and in trunk (12384).
For the record, the resolution is as follows:
Added an optional parameter "~random" to Hashtbl.create. If "~random:true" is given, the table uses a randomly-generated seed to diversify the hash function and make collisions hard to predict. If "~random:false" is given, the table uses a fixed hash function.
If no ~random parameter is given, the default is "false" (no randomization). This default can be changed to "true" by either calling "Hashtbl.randomize()" at program initialization time, or setting the "R" parameter in the OCAMLRUNPARAM environment variable before program start-up.
The net effect is to keep hash tables deterministic by default (for backward compatibility), but make it very easy to select randomization, either programmatically or via a run-time parameter.
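The API described in the resolution above, shown as an added OCaml example (this is not code from the bug report or from the OCaml distribution). It requires OCaml 4.00 or later; the function names `build_table`, `longest_chain` and `require_randomized` are hypothetical, and the keys are constructed sample data standing in for request parameters. It uses `Hashtbl.create ~random`, `Hashtbl.randomize ()`, `Hashtbl.is_randomized ()` and `Hashtbl.stats`, all of which are part of the 4.00 Hashtbl interface.

```ocaml
(* Added example, not part of the original bug report or of the OCaml
   sources. Requires OCaml >= 4.00 for the ~random parameter,
   Hashtbl.randomize, Hashtbl.is_randomized and Hashtbl.stats. *)

(* Build a table from string keys, with either the fixed hash function
   (~random:false) or a per-table random seed (~random:true). *)
let build_table ~random keys =
  let t = Hashtbl.create ~random 16 in
  List.iter (fun k -> Hashtbl.replace t k (String.length k)) keys;
  t

(* Longest bucket chain, a cheap monitoring signal: in a healthy table it
   stays small; a collision flood drives it towards the number of bindings. *)
let longest_chain t = (Hashtbl.stats t).Hashtbl.max_bucket_length

(* Start-up policy check for a network-facing program: refuse to run unless
   the process-wide default has been switched to randomized hashing, either
   by Hashtbl.randomize () or by the "R" flag in OCAMLRUNPARAM. *)
let require_randomized () =
  if not (Hashtbl.is_randomized ()) then begin
    prerr_endline
      "Hashtbl default is deterministic; call Hashtbl.randomize () \
       or start with OCAMLRUNPARAM=R";
    exit 2
  end

let () =
  (* Constructed sample keys; a real program would see request parameters. *)
  let keys = ref [] in
  for i = 999 downto 0 do
    keys := Printf.sprintf "param%d" i :: !keys
  done;
  let fixed = build_table ~random:false !keys in
  let seeded = build_table ~random:true !keys in
  Printf.printf "fixed:  %d bindings, longest chain %d\n"
    (Hashtbl.length fixed) (longest_chain fixed);
  Printf.printf "seeded: %d bindings, longest chain %d\n"
    (Hashtbl.length seeded) (longest_chain seeded);
  (* Flip the default once at initialisation; tables created afterwards
     without an explicit ~random argument are seeded. *)
  Hashtbl.randomize ();
  require_randomized ();
  let per_request = Hashtbl.create 16 in
  Hashtbl.replace per_request "host" "example.invalid";
  Printf.printf "default randomized: %b\n" (Hashtbl.is_randomized ())
```

Running the program twice with `~random:true` gives tables with different seeds, so bucket layouts differ between runs while lookups behave identically; `longest_chain` is the value worth exporting to monitoring, since a sudden growth on tables keyed by attacker-controlled input is the symptom the advisory describes. Code that needs explicit control over the seed can use the `Hashtbl.MakeSeeded` functor from the same release instead of the global switch.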
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0839
https://bugzilla.redhat.com/show_bug.cgi?id=787888
https://bugzilla.redhat.com/show_bug.cgi?id=770929