A vulnerability was found in Lib/ipaddress.py in Python through 3.8.3, which improperly computes hash values in the IPv4Interface and IPv6Interface classes. This might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created.

References:
https://bugs.python.org/issue41004
https://github.com/python/cpython/pull/20956
Created mingw-python3 tracking bugs for this issue:
Affects: fedora-all [bug 1854936]

Created python2 tracking bugs for this issue:
Affects: fedora-all [bug 1854931]

Created python26 tracking bugs for this issue:
Affects: fedora-all [bug 1854934]

Created python27 tracking bugs for this issue:
Affects: fedora-all [bug 1854937]

Created python3 tracking bugs for this issue:
Affects: fedora-all [bug 1854932]

Created python34 tracking bugs for this issue:
Affects: epel-all [bug 1854930]
Affects: fedora-all [bug 1854938]

Created python35 tracking bugs for this issue:
Affects: fedora-all [bug 1854939]

Created python36 tracking bugs for this issue:
Affects: fedora-all [bug 1854940]

Created python37 tracking bugs for this issue:
Affects: fedora-all [bug 1854941]

Created python38 tracking bugs for this issue:
Affects: fedora-all [bug 1854942]

Created python39 tracking bugs for this issue:
Affects: fedora-all [bug 1854943]
The hash value returned by the IPv4Interface/IPv6Interface classes is wrongly a constant value. When an IPvXInterface object is used as a key of a Python dictionary, the hash value is used to determine in which hash table bucket the object needs to be put. For a large number of elements, the constant hash value transforms most dictionary operations into O(n) instead of the expected O(1), making a program much slower.
python3 embeds the ipaddress module, where the flaw lies. python2, instead, does not embed it, but a separate python-ipaddress package is provided. Moreover, the ipaddress module is usually embedded in python-pip as well.
Statement: In Red Hat Enterprise Linux, python3 includes the ipaddress module by default, while for python2 a separate package, python-ipaddress, needs to be installed for the module to be used. Moreover, the ipaddress module is included in other packages as well, like python-pip.
Created python-ipaddress tracking bugs for this issue:
Affects: fedora-all [bug 1857292]

Created python-pip tracking bugs for this issue:
Affects: epel-all [bug 1857294]
Affects: fedora-all [bug 1857293]
Pip does not have dictionaries containing IPv4Interface or IPv6Interface objects. I don't think it's worth patching the bundled ipaddress module in it.
Mitigation: As a short term solution, if your application is using the IPv4Interface/IPv6Interface classes as keys of a dictionary, it is possible to patch the __hash__ method of those classes to not be constant.

```
from ipaddress import IPv4Interface, IPv6Interface

# Hash the address, prefix length and network address together instead of a constant
IPv4Interface.__hash__ = lambda self: hash((self._ip, self._prefixlen, int(self.network.network_address)))
IPv6Interface.__hash__ = lambda self: hash((self._ip, self._prefixlen, int(self.network.network_address)))
```
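The following is an added example, not part of the bug comments above: it checks whether the running interpreter's IPv4Interface/IPv6Interface still hash to a constant, installs the mitigation's __hash__ only where the defect is present, and then verifies the dict-key contract (equal objects hash equal, distinct ones differ). The ConstantHashInterface stand-in and the 192.0.2.0/24 and 2001:db8::/64 samples are constructed for the demonstration; `_ip` and `_prefixlen` are the private attributes the mitigation itself relies on.

```python
from ipaddress import IPv4Interface, IPv6Interface

# Constructed sample: distinct interfaces on one IPv4 and one IPv6 network.
IPV4_SAMPLE = [IPv4Interface(f"192.0.2.{i}/24") for i in (1, 2, 3)]
IPV6_SAMPLE = [IPv6Interface(f"2001:db8::{i}/64") for i in (1, 2, 3)]


def fixed_hash(self):
    """The hash from the mitigation: address, prefix length and network address."""
    return hash((self._ip, self._prefixlen, int(self.network.network_address)))


def has_constant_hash(sample):
    """True when distinct interfaces all share one hash value, i.e. the defect is present.

    The sample must hold at least two unequal interfaces: equal objects are
    required to hash equal, so they would give a false positive.
    """
    assert len(set(sample)) >= 2, "need distinct interfaces"
    return len({hash(iface) for iface in sample}) == 1


def apply_mitigation(classes=((IPv4Interface, IPV4_SAMPLE), (IPv6Interface, IPV6_SAMPLE))):
    """Install fixed_hash only on classes that show the defect; return the patched class names."""
    patched = []
    for cls, sample in classes:
        if has_constant_hash(sample):
            cls.__hash__ = fixed_hash
            patched.append(cls.__name__)
    return patched


def hash_contract_holds(sample):
    """Equal interfaces must hash equal, and these distinct ones must hash differently."""
    for iface in sample:
        # Rebuild an equal object from its text form and compare hashes.
        if hash(iface) != hash(type(iface)(str(iface))):
            return False
    return len({hash(iface) for iface in sample}) == len(sample)


class ConstantHashInterface(IPv4Interface):
    """Constructed stand-in that simulates the constant-hash defect on a fixed interpreter."""

    def __hash__(self):
        return 0


if __name__ == "__main__":
    print("patched:", apply_mitigation() or "nothing (interpreter already fixed)")
    print("contract holds:", hash_contract_holds(IPV4_SAMPLE + IPV6_SAMPLE))
```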
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14422
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4299 https://access.redhat.com/errata/RHSA-2020:4299
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4433 https://access.redhat.com/errata/RHSA-2020:4433
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4641 https://access.redhat.com/errata/RHSA-2020:4641
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:5010 https://access.redhat.com/errata/RHSA-2020:5010