oss-sec mailing list archives
Re: CVE-2013-6401 Jansson hash collision issue
From: Murray McAllister <mmcallis () redhat com>
Date: Wed, 12 Feb 2014 00:29:50 +1100
On 02/12/2014 12:20 AM, Murray McAllister wrote:
As reported to the distros mailing list: Hi all, Florian Weimer of the Red Hat Product Security Team found that the hashing implementation in Jansson, a library for encoding, decoding and manipulating JSON data, was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause an application using Jansson to use an excessive amount of CPU time by sending a crafted JSON document containing a large number of parameters whose names map to the same hash value. (CVE-2013-6401) With regards to affected versions, I am guessing only 2.4-2 and 2.4-3 were checked (by Red Hat). Many thanks to Florian Weimer and Petri Lehtinen (upstream) for their extensive work on the patch: https://github.com/akheron/jansson/commit/8f80c2d83808150724d31793e6ade92749b1faa4 (Feel free to copy the above CVE-2013-6401 description paragraph in any of your bugs or advisories.) Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1035538 (to be opened shortly) Cheers, -- Murray McAllister / Red Hat Security Response Team
This commit is also needed: https://github.com/akheron/jansson/commit/42016a35c8907e477be73b0b5d06cc09af231ee4
Current thread:
- CVE-2013-6401 Jansson hash collision issue Murray McAllister (Feb 11)
- Re: CVE-2013-6401 Jansson hash collision issue Murray McAllister (Feb 11)