[php-maint] Bug#800564: Bug#800564: php5: trivial hash complexity DoS attack

Ondřej Surý ondrej at sury.org
Sun Oct 4 19:55:43 UTC 2015


Hi Brian,

did you already report this to php security or should I do that?

Cheers,
Ondrej

On Fri, Oct 2, 2015, at 14:37, brian m. carlson wrote:
> On Wed, Sep 30, 2015 at 11:27:39PM +0000, brian m. carlson wrote:
> > Package: php5-cli
> > Version: 5.6.13+dfsg-2
> > Severity: important
> > Tags: security
> > 
> > PHP uses the DJB "times 33" hash to hash strings in its hash tables,
> > without the use of any secret key.  Hash values are therefore the same
> > between multiple invocations.  As a result, it's trivial to precompute a
> > set of values that all hash to the same bucket and cause positively
> > abysmal performance.
> > 
> > If a script accepts untrusted hash keys, such as from JSON input, it is
> > subject to a DoS attack.  PHP implemented the max_input_vars option, but
> > this is not effective in the general case, especially in the era of
> > JSON-laden POST requests.  Perl, Python, and Ruby have all addressed
> > their CVEs properly, but PHP has not and as a result is still
> > vulnerable.
> 
> It was pointed out to me that I should mention which CVEs apply here for
> reference.
> 
> Python had CVE-2012-1150 and CVE-2013-7040.  Ruby had CVE-2011-4815.  I
> can't find a CVE for Perl's 2003 fix, if one exists.  The fix, which
> went into 5.8, was incomplete and was addressed by CVE-2013-1667.
> -- 
> brian m. carlson / brian with sandals: Houston, Texas, US
> +1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
> OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187


-- 
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
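
Added example, not part of the original thread and not PHP's own code: it shows why the unkeyed "times 33" hash described in the report gives the same bucket for a whole key set in every process, how a per-process keyed hash spreads the same keys, and a simple check that flags such a key set. The seed 5381, the 64-bit width, the 1024-bucket table, the threshold, the function names, and the use of keyed BLAKE2b as a stand-in for a keyed table hash such as SipHash are assumptions; the sample keys are constructed.

```python
import hashlib
import os
from collections import Counter
from itertools import product

MASK64 = 0xFFFFFFFFFFFFFFFF  # assumption: 64-bit unsigned arithmetic


def djbx33a(key: bytes) -> int:
    """Unkeyed DJB "times 33" hash (assumed seed 5381): same output in every process."""
    h = 5381
    for byte in key:
        h = (h * 33 + byte) & MASK64
    return h


def keyed_hash(key: bytes, secret: bytes) -> int:
    """Keyed BLAKE2b, standing in for a keyed table hash such as SipHash."""
    digest = hashlib.blake2b(key, key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "little")


def longest_chain(keys, hash_fn, buckets=1024):
    """Length of the fullest bucket if `keys` were inserted into one table."""
    counts = Counter(hash_fn(k) % buckets for k in keys)
    return max(counts.values(), default=0)


def is_collision_flood(keys, threshold=8, buckets=1024):
    """Flag a decoded key set whose unkeyed-hash chain reaches `threshold`."""
    return longest_chain(keys, djbx33a, buckets) >= threshold


def constructed_keys(blocks=4):
    """Constructed sample: "Ez" and "FY" are interchangeable under times 33
    (69*33 + 122 == 70*33 + 89), so every key built from them hashes alike."""
    return ["".join(p).encode() for p in product(("Ez", "FY"), repeat=blocks)]


if __name__ == "__main__":
    secret = os.urandom(16)  # per-process secret, never sent to clients
    sample = constructed_keys()
    benign = [b"id", b"user", b"email", b"created", b"tags", b"body"]
    print("distinct unkeyed hashes:", len({djbx33a(k) for k in sample}))
    print("unkeyed chain:", longest_chain(sample, djbx33a))
    print("keyed chain:  ", longest_chain(sample, lambda k: keyed_hash(k, secret)))
    print("flagged:", is_collision_flood(sample), is_collision_flood(benign))
```

The check in is_collision_flood only works because the unkeyed hash is predictable; with a secret key the colliding set cannot be precomputed in the first place.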


