Red Hat Bugzilla – Bug 750575
CVE-2011-5037 v8: hash table collisions CPU usage DoS (oCERT-2011-003)
Last modified: 2015-07-31 02:45:22 EDT
A specially-crafted set of keys could trigger hash function collisions, which can degrade the complexity of hash table operations from the expected/average O(1) to the worst case O(n). Reporters were able to find colliding strings efficiently using a meet-in-the-middle attack.
The v8 JS engine can also be used to implement server components, such as the node.js platform. In such a use case, a remote attacker could possibly use this problem to trigger excessive CPU use via a specially-crafted request (such as an HTTP POST request with many parameters that generate hash collisions).
This problem is similar to the issue that was previously reported for and fixed in e.g. perl:
Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Julian Wälde and Alexander Klink as the original reporters.
This issue was presented on 28C3:
Details were posted to full-disclosure:
n.runs advisory (copy of the full-disclosure post):
28C3 slides and recording:
Another good write-up of the issue:
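As an added example (not code from the bug report, from v8 or from Node.js): a minimal parser for an application/x-www-form-urlencoded body that rejects over-sized bodies and over-long parameter lists before inserting a single key into a hash table, the request-side mitigation for the "POST with many parameters" case described above. The limits and the sample bodies are assumed values.

```javascript
// Assumed limits: tune per application. A few thousand parameters is
// already far more than any real form sends.
const LIMITS = { maxBytes: 64 * 1024, maxParams: 1000 };

// Parse "k=v&k2=v2" into a null-prototype object. Both checks are linear
// scans of the raw string, so a request carrying thousands of colliding
// keys is rejected at O(n) string cost instead of O(n^2) hash-table cost.
function parseFormBody(body, limits = LIMITS) {
  if (body.length > limits.maxBytes) {
    return { ok: false, reason: 'body too large' };
  }
  const pairs = body.length === 0 ? [] : body.split('&');
  if (pairs.length > limits.maxParams) {
    return { ok: false, reason: 'too many parameters' };
  }
  // Object.create(null): no inherited keys, so "__proto__" is just a key.
  const params = Object.create(null);
  for (const pair of pairs) {
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    let key, val;
    try {
      key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
      val = decodeURIComponent(rawVal.replace(/\+/g, ' '));
    } catch (e) {
      return { ok: false, reason: 'malformed percent-encoding' };
    }
    // Repeated keys are collected into an array instead of overwritten.
    if (key in params) {
      params[key] = [].concat(params[key], val);
    } else {
      params[key] = val;
    }
  }
  return { ok: true, params };
}

// Constructed sample: 1001 distinct keys, well under the byte cap but
// over the parameter cap, so it is refused before any insertion.
function demo() {
  const flood = Array.from({ length: 1001 }, (_, i) => 'k' + i + '=v').join('&');
  return parseFormBody(flood).reason; // 'too many parameters'
}

module.exports = { LIMITS, parseFormBody, demo };
```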
v8 is available in Fedora. Can it be used with node.js?
First of all, note that Node.js is not presently included in Fedora due to bundled library issues. The v8 in Fedora has been orphaned and likely will be removed from the distro in F17. I submitted the last review for node and pushed the most recent update to v8 in Fedora with the help of a provenpackager. I also maintain a third-party repository for node until we can work out the bundled library issues and get it into Fedora proper.
The current stable v0.6.x series of node requires v8 3.6.6 or higher, which is API and ABI-incompatible with the version included with Fedora. (For this reason, I ship an updated v8 in my repository.) The version of v8 included with F16, rawhide and EPEL6 is only compatible with the Node v0.4.x series, which is no longer maintained. IIRC, the version included with F15 (and EPEL5 I think) is even older (it dates back to a much earlier review), and is only compatible with node v0.2.x, which is long dead.
v0.6.x has already fixed several security flaws, so anyone actually using Fedora's v8 w/node must already be subject to other security problems. I'm not sure fixing this one helps them much. That being said, I can take a look at backporting a fix when/if v8 upstream provides one.
As for people using modern node on Fedora and RHEL: they're either using my repository or building from source. I'll ship an updated v8 for the former as soon as it's fixed. The latter are probably statically linking the copy of v8 bundled with the node tarball, and Node upstream will almost certainly provide a v0.6 patch release for them.
Thank you for the detailed reply. I'd say that if Fedora v8 packages are not really expected to be used with current (fully-patched) Node.js, fixing it for this issue should be of low priority.
I backported the fix for this to the v8 in F16:
Scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=3631765
Created attachment 551564
v8 hash collision fix
(In reply to comment #13)
> I backported the fix for this to the v8 in F16:
> Scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=3631765
Attaching patch here, as scratch builds are deleted after some time.
Seems to be based on the following upstream commits:
Sorry, I meant to link to the complete patchset upstream. It's here:
Fixed in current Fedora/EPEL V8