#496 CVE-2012-0876 - Hash DOS attack

Test Required
closed-fixed
None
7
2016-03-12
2012-03-03
No

The hash table implementation in Expat can be attacked by a carefully crafted input document where all identifiers hash to the same value.
This leads to a denial of service scenario by forcing hash table lookups to do linear searching.
CVE-2012-0876 (see http://http://www.cve.mitre.org\) has been reserved for this issue.
Also discussed on bugs.python.org/issue13703#msg151870 .

Discussion

  • Karl Waclawek

    Karl Waclawek - 2012-03-03

    Fixed in expat.h rev 1.81 and xmlparse.c rev 1.168.
    Thanks to David Malcolm (RedHat) for providing me with the initial version of the patch.

     
  • Karl Waclawek

    Karl Waclawek - 2012-03-03
    • milestone: --> Test Required
    • status: open --> open-fixed
     
  • Sebastian Pipping

    • status: open-fixed --> closed-fixed
     
  • Sebastian Pipping

    Fixed since 2.1.0, commit e3e81a6d9f0885ea02d3979151c358f314bf3d6d, closing.

     

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks