apr-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Fwd: Re: Hash collision vectors in APR?
Date Fri, 24 Feb 2012 02:27:55 GMT
Forwarded for Kurt, as he's not subscribed.

-------- Original Message --------
Subject: Re: Hash collision vectors in APR?
Date: Thu, 23 Feb 2012 18:32:30 -0700
From: Kurt Seifried <kseifried@redhat.com>
To: William A. Rowe Jr. <wrowe@rowe-clan.net>
CC: APR Developer List <dev@apr.apache.org>, Stefan Fritsch <sf@sfritsch.de>,
"Steven M. Christey" <coley@linus.mitre.org>

Apologies for the delayed reply.

CC'ing Steve since I can't actually remove or edit CVEs, just assign
them.

On 02/22/2012 09:49 AM, William A. Rowe Jr. wrote:
> After extensive consultation with the security projects of various
> APR consumers, it's apparent that there are no actual
> vulnerabilities to be exploited here.  Contrary to Mr Seifried's
> confusion, the recent code changes reflect a possibility of
> mitigating potential hash collisions, but certainly do not and can
> not eliminate such risks, and it is up to the developer to select
> appropriate storage and lookup mechanisms for their specific
> problem domain.
> 
> These changes do not represent either a security DEFECT nor any
> actual security FIX.  The APR Project dis-acknowledges the
> assignment of CVE-2012-0840 as erroneous, and invalid.  Kurt, since
> you created the defect, please edit it appropriately.
> security@apache.org is always happy to consult in order to avoid
> future errors and misinformation.
> 
> Stefan, please revert your miscommit.  In the future, please run
> such things past security@apache.org before applying inaccurate
> external assignments.

So as I now understand it APR doesn't expose itself in an exploitable
manner, ergo the hash function, while technically vulnerable, cannot
really be exploited in any current way, is this correct? Does this
also take into account future changes/uses that may expose it
potentially (or is that just not possible)? If you can confirm this
then I guess the ball is in Steve's court (I'm also not sure how the
CVE rules/etc. apply in this specific instance).

-- 
Kurt Seifried Red Hat Security Response Team (SRT)