CVE-2012-0839

Priority
Low
Description
OCaml 3.12.1 and earlier computes hash values without restricting the
ability to trigger hash collisions predictably, which allows
context-dependent attackers to cause a denial of service (CPU consumption)
via crafted input to an application that maintains a hash table.
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0839
http://www.ocert.org/advisories/ocert-2011-003.html
http://www.nruns.com/_downloads/advisory28122011.pdf
http://www.mail-archive.com/caml-list@inria.fr/msg01477.html
http://openwall.com/lists/oss-security/2012/02/07/1
Bugs
http://caml.inria.fr/mantis/view.php?id=5572
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659149
Notes
mdeslaur> New randomization turned off by default and must be specifically
mdeslaur> turned on by application. See upstream bug report.
mdeslaur> Downgrading severity to low, since upstream won't change default
mdeslaur> behaviour.
Package
Source: ocaml (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 10.04 LTS (Lucid Lynx):ignored (reached end-of-life)
Ubuntu 12.04 LTS (Precise Pangolin):needed
Ubuntu 12.10 (Quantal Quetzal):needed
Ubuntu 13.04 (Raring Ringtail):needed
Ubuntu 13.10 (Saucy Salamander):needed
Patches:
Upstream:http://caml.inria.fr/cgi-bin/viewvc.cgi?view=revision&revision=12383 (4.00)
Upstream:http://caml.inria.fr/cgi-bin/viewvc.cgi?view=revision&revision=12384 (trunk)
More Information

Valid XHTML 1.0 Strict

Updated: 2013-05-22 14:14:50 UTC (commit 6866)