Red Hat Bugzilla – Bug 787888
CVE-2012-0839 ocaml: hash table collisions CPU usage DoS (oCERT-2011-003)
Last modified: 2014-06-12 14:37:07 EDT
Julian Wälde and Alexander Klink reported a flaw in the hash function used in
the implementation of various hash based arrays.
A specially-crafted set of keys could trigger hash function collisions, which
degrade hash table performance by changing hash table operations complexity
from an expected/average O(1) to the worst case O(n). Reporters were able to
find colliding strings efficiently using equivalent substrings or meet in the
This problem is similar to the issue that was previously reported for and fixed
in e.g. perl:
Discussion of a fix for ocaml is taking place in this email thread:
Are we proposing to fix this for RHEL too? There are
no OCaml applications in RHEL which are vulnerable to this.
We ship the ocaml language so ideally we need to fix it for our customers that do use it. Emailed ocaml to confirm if they're done fixing it.
(In reply to comment #2)
> We ship the ocaml language so ideally we need to fix it for our customers that
> do use it. Emailed ocaml to confirm if they're done fixing it.
Where is this email?
Anyway, upstream haven't started fixing it. There is
opposition from people who want Hashtbl to work
reproducibly (naturally without them having to make any
changes to their code nor to their workflow).
I misspoke, they are still discussing fixing it in this thread:
"OCaml 3.13 will provide options for Hashtbl allowing it pass a seed, but
only in a case by case way. What will not be included in OCaml 3.13 is
access to RNGs with entropy injection (i.e. it is left to the programmer
to solve this difficulty)."
According to Xavier Leroy Xavier.Leroy@inria.fr:
We decided to skip the 3.13 release entirely and go straight to 4.00.
The 4.00 release is scheduled for June 2012.
Fixed in SVN:
http://caml.inria.fr/cgi-bin/viewvc.cgi?view=revision&revision=12383 (4.0 branch)
I've also noticed the following fix in ocamlnet 3.5.1:
We don't seem to ship this in RHEL, but Fedora 16 and 17 include versions earlier then 3.5.1. Rawhide contains 3.5.1 already.
Created ocaml-ocamlnet tracking bugs for this issue
Affects: fedora-all [bug 842637]
Created ocaml tracking bugs for this issue
Affects: fedora-all [bug 842636]
Affects: epel-4 [bug 842638]
Affects: epel-5 [bug 842639]
This issue does not affect any OCaml applications shipped in Red Hat Enterprise Linux 6. OCaml is only shipped via unsupported Optional repository as a build dependency. Therefore, this issue is not planned to be addressed in future Red Hat Enterprise Linux 6 updates. The fix is included in OCaml packages shipped as part of Red Hat Enterprise Linux 7.
The Red Hat Security Response Team has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.