Similar to the denial of service flaw present in various programming languages' hash function usage, a flaw was found in expat:
A specially-crafted set of keys could trigger hash function collisions, which degrade dictionary performance by changing hash table operations complexity from an expected/average O(1) to the worst case O(n). Reporters were able to find colliding strings efficiently using a meet-in-the-middle attack.
This problem is similar to the issue that was previously reported for and fixed
in e.g. perl:
This is sort of public due to discussion on the embedded expat in python:
Created attachment 558928: potential patch to correct the flaw against upstream CVS version
Patch provided by David Malcolm to possibly correct the flaw.
Created attachment 564791: proposed upstream patch
Upstream has provided this patch to solve the issue, and it would be part of expat 2.1.0. Unfortunately, it has an extra bit that we probably don't need (it allows extraction of attribute position info), and is also against CVS HEAD so would need some massaging.
Packages that require expat:
*** Bug 787080 has been marked as a duplicate of this bug. ***
Created attachment 564916: trimmed version of patch
Thanks Vincent, here's a trimmed down version of that patch which removes all the irrelevant changes. It still passes the upstream test suite.
This is public now.
r1.168 in xmlparse.c has the patch:
Adding this information for completeness:
#3496608: CVE-2012-0876 - Hash DOS attack.
(In reply to comment #22)
The upstream fix may also create a regression:
expat-2.1.0-beta2 will fail a namespace-aware parse of a document relying on the "xml" being bound by default, like the following test document:
xmlwf -n on that document returns "2:0: unbound prefix", while xmlwf from expat 2.0.1 succeeds.
This seems to be caused by the call to setContext(parser, implicitContext) adding that default prefix happening too early (before hash_secret_salt is initialized).
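The O(1)-to-O(n) degradation, the effect of a per-parser salt, and the "salt initialised too late" regression described above, as a toy model added here (not expat's code: the Java-style hash, the prime bucket count, the colliding key set and the fixed salt 0x1234 are all constructed for the demonstration):

```python
from itertools import product

NBUCKETS = 101  # prime, so the bucket index is not just the hash's low bits

def toy_hash(key: bytes, salt: int = 0) -> int:
    # Java-style polynomial hash. The salt seeds the state and is XORed into
    # every byte, so collisions precomputed for salt 0 do not survive another
    # salt. Python ints do not wrap, which keeps the arithmetic exact.
    s, h = salt & 0xFF, salt
    for b in key:
        h = h * 31 + (b ^ s)
    return h

class ChainedTable:
    # Minimal chained table; 'salt' plays the role of expat's hash_secret_salt.
    def __init__(self, salt: int = 0) -> None:
        self.salt = salt
        self.buckets = [[] for _ in range(NBUCKETS)]

    def insert(self, key: bytes) -> None:
        self.buckets[toy_hash(key, self.salt) % NBUCKETS].append(key)

    def lookup(self, key: bytes) -> bool:
        # Cost is the length of one chain: O(1) on average, O(n) once an
        # attacker has steered every key into the same bucket.
        return key in self.buckets[toy_hash(key, self.salt) % NBUCKETS]

    def longest_chain(self) -> int:
        return max(len(b) for b in self.buckets)

# Constructed colliding key set: unsalted, b"Aa" and b"BB" hash alike
# (65*31+97 == 66*31+66), so all 32 five-block concatenations collide.
COLLIDING_KEYS = [b"".join(p) for p in product([b"Aa", b"BB"], repeat=5)]

def longest_chain_for(keys, salt: int) -> int:
    table = ChainedTable(salt)
    for k in keys:
        table.insert(k)
    return table.longest_chain()  # 32 with salt 0, 2 with salt 0x1234

def implicit_prefix_found(salt: int, salt_before_insert: bool) -> bool:
    # Model of the 2.1.0-beta2 regression: setContext() inserts the implicit
    # "xml" prefix before hash_secret_salt is initialised, so the entry sits
    # in a bucket computed with salt 0 and every later lookup misses it.
    table = ChainedTable(salt if salt_before_insert else 0)
    table.insert(b"xml")
    table.salt = salt  # salt initialised (too late unless salt_before_insert)
    return table.lookup(b"xml")
```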
Dave, it has version 2.1.0, so python would require >= 2.1.0.
(If upstream used symbol versioning the runtime deps would work automagically but I don't think it's a great idea to patch in symversions)
expat-2.1.0-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5
Via RHSA-2012:0731 https://rhn.redhat.com/errata/RHSA-2012-0731.html
Created compat-expat1 tracking bugs for this issue:
Affects: fedora-all [bug 982563]
This issue has been addressed in the following products:
JBoss Web Server 2.1.0
Via RHSA-2016:0062 https://rhn.redhat.com/errata/RHSA-2016-0062.html