From: "William A. Rowe Jr."
Date: Thu, 23 Feb 2012 20:27:55 -0600
To: APR Developer List
Subject: Fwd: Re: Hash collision vectors in APR?
Message-ID: <4F46F5AB.7050502@rowe-clan.net>
In-Reply-To: <4F46E8AE.1060806@redhat.com>

Forwarded for Kurt, as he's not subscribed.
-------- Original Message --------
Subject: Re: Hash collision vectors in APR?
Date: Thu, 23 Feb 2012 18:32:30 -0700
From: Kurt Seifried
To: William A. Rowe Jr.
CC: APR Developer List, Stefan Fritsch, "Steven M. Christey"

Apologies for the delayed reply. CC'ing Steve since I can't actually remove or edit CVEs, just assign them.

On 02/22/2012 09:49 AM, William A. Rowe Jr. wrote:
> After extensive consultation with the security projects of various
> APR consumers, it's apparent that there are no actual
> vulnerabilities to be exploited here. Contrary to Mr Seifried's
> confusion, the recent code changes reflect a possibility of
> mitigating potential hash collisions, but certainly do not and can
> not eliminate such risks, and it is up to the developer to select
> appropriate storage and lookup mechanisms for their specific
> problem domain.
>
> These changes do not represent either a security DEFECT nor any
> actual security FIX. The APR Project dis-acknowledges the
> assignment of CVE-2012-0840 as erroneous, and invalid. Kurt, since
> you created the defect, please edit it appropriately.
> security@apache.org is always happy to consult in order to avoid
> future errors and misinformation.
>
> Stefan, please revert your miscommit. In the future, please run
> such things past security@apache.org before applying inaccurate
> external assignments.

So as I now understand it, APR doesn't expose itself in an exploitable manner; ergo the hash function, while technically vulnerable, cannot really be exploited in any current way. Is this correct? Does this also take into account future changes/uses that may expose it potentially (or is that just not possible)? If you can confirm this then I guess the ball is in Steve's court (I'm also not sure how the CVE rules/etc. apply in this specific instance).
-- 
Kurt Seifried
Red Hat Security Response Team (SRT)