Re: CVE-2013-6401 Jansson hash collision issue

[Murray McAllister <mmcallis () redhat com>]

On 02/12/2014 12:20 AM, Murray McAllister wrote:
> As reported to the distros mailing list:
>
> Hi all,
>
> Florian Weimer of the Red Hat Product Security Team found that the
> hashing implementation in Jansson, a library for encoding, decoding and
> manipulating JSON data, was susceptible to predictable hash collisions.
> A remote attacker could use this flaw to cause an application using
> Jansson to use an excessive amount of CPU time by sending a crafted JSON
> document containing a large number of parameters whose names map to the
> same hash value. (CVE-2013-6401)
>
> With regards to affected versions, I am guessing only 2.4-2 and 2.4-3
> were checked (by Red Hat).
>
> Many thanks to Florian Weimer and Petri Lehtinen (upstream) for their
> extensive work on the patch:
>
> https://github.com/akheron/jansson/commit/8f80c2d83808150724d31793e6ade92749b1faa4
>
> (Feel free to copy the above CVE-2013-6401 description paragraph in any
> of your bugs or advisories.)
>
> Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1035538 (to be
> opened shortly)
>
> Cheers,
>
> --
> Murray McAllister / Red Hat Security Response Team

This commit is also needed:

https://github.com/akheron/jansson/commit/42016a35c8907e477be73b0b5d06cc09af231ee4