Bug 787888 (CVE-2012-0839)
| Summary: | CVE-2012-0839 ocaml: hash table collisions CPU usage DoS (oCERT-2011-003) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | c.david86, fedora-ocaml-list, rjones |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-12 18:37:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 842636, 842637, 842638, 842639 | ||
| Bug Blocks: | 770929, 787889 | ||
|
Description
Kurt Seifried
2012-02-07 01:18:04 UTC
Are we proposing to fix this for RHEL too? There are no OCaml applications in RHEL which are vulnerable to this. We ship the ocaml language so ideally we need to fix it for our customers that do use it. Emailed ocaml to confirm if they're done fixing it. (In reply to comment #2) > We ship the ocaml language so ideally we need to fix it for our customers that > do use it. Emailed ocaml to confirm if they're done fixing it. Where is this email? Anyway, upstream haven't started fixing it. There is opposition from people who want Hashtbl to work reproducibly (naturally without them having to make any changes to their code nor to their workflow). I misspoke, they are still discussing fixing it in this thread: http://www.mail-archive.com/caml-list@inria.fr/msg02104.html "OCaml 3.13 will provide options for Hashtbl allowing it pass a seed, but only in a case by case way. What will not be included in OCaml 3.13 is access to RNGs with entropy injection (i.e. it is left to the programmer to solve this difficulty)." According to Xavier Leroy Xavier.Leroy: We decided to skip the 3.13 release entirely and go straight to 4.00. The 4.00 release is scheduled for June 2012. http://caml.inria.fr/mantis/view.php?id=5572 Fixed in SVN: http://caml.inria.fr/cgi-bin/viewvc.cgi?view=revision&revision=11056 http://caml.inria.fr/cgi-bin/viewvc.cgi?view=revision&revision=12383 (4.0 branch) http://caml.inria.fr/cgi-bin/viewvc.cgi?view=revision&revision=12384 (trunk) I've also noticed the following fix in ocamlnet 3.5.1: https://godirepo.camlcity.org/wwwsvn?rev=1683&root=lib-ocamlnet2&view=rev We don't seem to ship this in RHEL, but Fedora 16 and 17 include versions earlier then 3.5.1. Rawhide contains 3.5.1 already. Created ocaml-ocamlnet tracking bugs for this issue Affects: fedora-all [bug 842637] Created ocaml tracking bugs for this issue Affects: fedora-all [bug 842636] Affects: epel-4 [bug 842638] Affects: epel-5 [bug 842639] This issue does not affect any OCaml applications shipped in Red Hat Enterprise Linux 6. OCaml is only shipped via unsupported Optional repository as a build dependency. Therefore, this issue is not planned to be addressed in future Red Hat Enterprise Linux 6 updates. The fix is included in OCaml packages shipped as part of Red Hat Enterprise Linux 7. Statement: The Red Hat Security Response Team has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. |