Julian Wälde and Alexander Klink reported a flaw in the hash function used in the implementation of various hash based arrays. http://caml.inria.fr/pub/docs/manual-ocaml/libref/Hashtbl.html A specially-crafted set of keys could trigger hash function collisions, which degrade hash table performance by changing hash table operations complexity from an expected/average O(1) to the worst case O(n). Reporters were able to find colliding strings efficiently using equivalent substrings or meet in the middle techniques. This problem is similar to the issue that was previously reported for and fixed in e.g. perl: http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf Discussion of a fix for ocaml is taking place in this email thread: http://www.mail-archive.com/caml-list@inria.fr/msg01477.html
Are we proposing to fix this for RHEL too? There are no OCaml applications in RHEL which are vulnerable to this.
We ship the ocaml language so ideally we need to fix it for our customers that do use it. Emailed ocaml to confirm if they're done fixing it.
(In reply to comment #2) > We ship the ocaml language so ideally we need to fix it for our customers that > do use it. Emailed ocaml to confirm if they're done fixing it. Where is this email? Anyway, upstream haven't started fixing it. There is opposition from people who want Hashtbl to work reproducibly (naturally without them having to make any changes to their code nor to their workflow).
I misspoke, they are still discussing fixing it in this thread: http://www.mail-archive.com/caml-list@inria.fr/msg02104.html "OCaml 3.13 will provide options for Hashtbl allowing it pass a seed, but only in a case by case way. What will not be included in OCaml 3.13 is access to RNGs with entropy injection (i.e. it is left to the programmer to solve this difficulty)."
According to Xavier Leroy Xavier.Leroy: We decided to skip the 3.13 release entirely and go straight to 4.00. The 4.00 release is scheduled for June 2012. http://caml.inria.fr/mantis/view.php?id=5572
Fixed in SVN: http://caml.inria.fr/cgi-bin/viewvc.cgi?view=revision&revision=11056 http://caml.inria.fr/cgi-bin/viewvc.cgi?view=revision&revision=12383 (4.0 branch) http://caml.inria.fr/cgi-bin/viewvc.cgi?view=revision&revision=12384 (trunk) I've also noticed the following fix in ocamlnet 3.5.1: https://godirepo.camlcity.org/wwwsvn?rev=1683&root=lib-ocamlnet2&view=rev We don't seem to ship this in RHEL, but Fedora 16 and 17 include versions earlier then 3.5.1. Rawhide contains 3.5.1 already.
Created ocaml-ocamlnet tracking bugs for this issue Affects: fedora-all [bug 842637]
Created ocaml tracking bugs for this issue Affects: fedora-all [bug 842636] Affects: epel-4 [bug 842638] Affects: epel-5 [bug 842639]
This issue does not affect any OCaml applications shipped in Red Hat Enterprise Linux 6. OCaml is only shipped via unsupported Optional repository as a build dependency. Therefore, this issue is not planned to be addressed in future Red Hat Enterprise Linux 6 updates. The fix is included in OCaml packages shipped as part of Red Hat Enterprise Linux 7. Statement: The Red Hat Security Response Team has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.