PublicDateAtUSN: 2012-11-28
Candidate: CVE-2012-5371
PublicDate: 2012-11-28 13:03:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5371
 https://www.131002.net/data/talks/appsec12_slides.pdf
 https://bugzilla.redhat.com/show_bug.cgi?id=875236
 http://xforce.iss.net/xforce/xfdb/79993
 http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/
 http://www.ocert.org/advisories/ocert-2012-001.html
 http://securitytracker.com/id?1027747
 http://secunia.com/advisories/51253
 http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf
 http://2012.appsec-forum.ch/conferences/#c17
 https://ubuntu.com/security/notices/USN-1733-1
Description:
 Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash
 values without properly restricting the ability to trigger hash collisions
 predictably, which allows context-dependent attackers to cause a denial of
 service (CPU consumption) via crafted input to an application that
 maintains a hash table, as demonstrated by a universal multicollision
 attack against a variant of the MurmurHash2 algorithm, a different
 vulnerability than CVE-2011-4815.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693024
Priority: low
Discovered-by: Jean-Philippe Aumasson
Assigned-to: mdeslaur
CVSS: 

Patches_ruby1.8:
upstream_ruby1.8: not-affected
hardy_ruby1.8: ignored (reached end-of-life)
lucid_ruby1.8: not-affected (1.8.7.249-2ubuntu0.2)
oneiric_ruby1.8: not-affected (1.8.7.352-2ubuntu0.2)
precise_ruby1.8: not-affected (1.8.7.352-2ubuntu1.1)
quantal_ruby1.8: not-affected (1.8.7.358-4ubuntu0.1)
raring_ruby1.8: not-affected (1.8.7.358-6ubuntu1)
saucy_ruby1.8: not-affected (1.8.7.358-6ubuntu1)
devel_ruby1.8: not-affected (1.8.7.358-6ubuntu1)

Patches_ruby1.9.1:
 upstream: http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37600
 vendor: http://patch-tracker.debian.org/patch/series/view/ruby1.9.1/1.9.3.194-7/20121120-cve-2012-5371.diff
upstream_ruby1.9.1: released (1.9.3.194-4, 1.9.3 pl 327)
hardy_ruby1.9.1: DNE
lucid_ruby1.9.1: ignored (reached end-of-life)
oneiric_ruby1.9.1: ignored (reached end-of-life)
precise_ruby1.9.1: released (1.9.3.0-1ubuntu2.5)
quantal_ruby1.9.1: released (1.9.3.194-1ubuntu1.3)
raring_ruby1.9.1: released (1.9.3.194-7ubuntu1)
saucy_ruby1.9.1: released (1.9.3.194-7ubuntu1)
devel_ruby1.9.1: released (1.9.3.194-7ubuntu1)