Mar 04 2013

The following message concerns a hash-related flaw in perl 5

This issue affects all production versions of perl from 5.8.2 to 5.16.x. It does not affect the upcoming perl 5.18.

In order to prevent an algorithmic complexity attack against its hashing mechanism, perl will sometimes recalculate keys and redistribute the contents of a hash.  This mechanism has made perl robust against attacks that have been demonstrated against other systems.

Research by Yves Orton has recently uncovered a flaw in the rehashing code which can result in pathological behavior.  This flaw could be exploited to carry out a denial of service attack against code that uses arbitrary user input as hash keys.
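To see the mechanism described above from the defender's side, here is an added monitoring snippet (not part of the advisory or of perl's own code) that reports how well a hash's keys are spread over its buckets. It assumes a perl in the affected 5.8.x to 5.16.x range, where `scalar(%h)` yields the string `used_buckets/total_buckets`; the threshold values are arbitrary choices for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Report bucket utilisation of a hash. On perl 5.8.x-5.24.x scalar(%h)
# returns "used_buckets/total_buckets" (assumption: that format; perl 5.26+
# returns the key count instead, which this function rejects).
sub bucket_report {
    my ($href) = @_;
    my $n_keys = scalar keys %$href;
    my $stat   = scalar(%$href);              # e.g. "123/256"
    my ($used, $total) = $stat =~ m{^(\d+)/(\d+)$}
        or die "unexpected hash stat '$stat' on perl $]\n";
    # Average chain length per occupied bucket; a healthy hash stays near 1.
    # Many keys crammed into few buckets is the pattern a complexity attack
    # produces and that perl's rehashing is meant to undo.
    my $avg_chain = $used ? $n_keys / $used : 0;
    return {
        keys       => $n_keys,
        used       => $used,
        total      => $total,
        avg_chain  => $avg_chain,
        # Illustrative threshold only (assumption, not a perl constant).
        suspicious => ($n_keys >= 64 && $avg_chain > 4) ? 1 : 0,
    };
}

# Constructed sample input: ordinary, well-distributed keys.
my %sample = map { ("key$_" => 1) } 1 .. 200;
my $r = bucket_report(\%sample);
printf "%d keys, %d/%d buckets used, avg chain %.2f%s\n",
    @$r{qw(keys used total)}, $r->{avg_chain},
    $r->{suspicious} ? " (SUSPICIOUS)" : "";
```

Run the same report on a hash built from untrusted input (request parameters, header names) to spot the skewed distribution that the rehashing code is supposed to correct.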

Because using user-provided strings as hash keys is a very common operation, we urge users of perl to update their perl executable as soon as possible.

Updates to address this issue have been pushed to the maint-5.8, maint-5.10, maint-5.12, maint-5.14, and maint-5.16 branches today; perl 5.14.4 and 5.16.3 will be released soon, including these fixes. There is no plan to make a new release of any other version.

Vendors* were informed of this problem two weeks ago and are expected to be shipping updates today (or otherwise very soon).

bleadperl is not affected.

This issue has been assigned the identifier CVE-2013-1667.

  4 Responses to “Rehashing flaw – updates available”

  1. […] 5.16.3 has just been released including the fix for the Rehashing flaw and is a recommended update for all 5.16 […]

  2. […] It is recommend that you upgrade as these address the recent rehashing flaw. […]

  3. We use perl 5.8.3 throughout our environment. Do you have rehashing flaw updates to that release number?

    • Xinhuan,

      The story says:

      perl 5.14.4 and 5.16.3 will be released soon, including these fixes. There is no plan to make a new release of any other version

      So, no, is the answer to your question.

      For more details see the section on Support and Maintenance in perldoc perlpolicy. It says:

      We “officially” support the two most recent stable release series. 5.12.x and earlier are now out of support. As of the release of 5.18.0, we will “officially” end support for Perl 5.14.x, other than providing security updates as described below.

      So Perl 5.8.3 is well outside its window of support. The same document also says:

      To the best of our ability, we will provide “critical” security patches / releases for any major version of Perl whose 5.x.0 release was within the past three years. We can only commit to providing these for the most recent .y release in any 5.x.y series.

      I’m pretty sure that this fix qualifies as a critical security patch. However, version 5.8.3 falls outside of even this policy for two reasons. Firstly, because 5.8.0 was not released in the last three years (it was released in 2002), and secondly, because 5.8.3 is not the most recent release in the 5.8.x series (that was 5.8.9).

      So, no, you really can’t expect to see a patched release from the Perl 5 Porters. As I see it, you have three options.

      1/ Contact your vendor and ask them for a patched version.
      2/ Build your own new version from the maint-5.8 branch. But note that this will almost certainly be a patched version of 5.8.9.
      3/ Accept that you’ve made a bit of a blunder by letting your version of Perl get so out of date and use this as a reason to update to a supported version of Perl.
