[CVE-2020-14422] Hash collisions in IPv4Interface and IPv6Interface #85176
Comments
In the ipaddress library there exist two classes, IPv4Interface and IPv6Interface. These classes' hash functions will always return 32 and 64 respectively. If IPv4Interface or IPv6Interface objects are then put in a dictionary, on, for example, a server storing IPs, this will cause hash collisions, which in turn can lead to DoS. The root of this is on lines 1421 and 2095. On both lines, self._ip and self.network.network_address will both be the same, and when xor is applied they will cancel each other out, leaving `return self._prefixlen`. The fix is trivial, on line 1421, change to: and on line 2095, change to:
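The following is an added example, not code from the issue thread or from CPython itself. It models the hashing pattern the report describes (address XOR prefix length XOR network address) in a small class, places the tuple-based fix beside it, and measures why a constant hash matters: the number of equality comparisons a set has to perform while absorbing colliding keys. The model classes, the function names and the 10.0.0.0/24 sample addresses are constructed for this example; the actual line numbers and code in Lib/ipaddress.py are those quoted in the report.

```python
import ipaddress


class WeakInterface:
    """Models the hash pattern described in the report (an assumption made
    for this example, not the verbatim stdlib code): XOR of the integer
    address, the prefix length and the integer network address. For a host
    address (/32) the address equals the network address, so the XOR cancels
    them and only the prefix length survives."""

    def __init__(self, text):
        iface = ipaddress.IPv4Interface(text)
        self._ip = int(iface)
        self._prefixlen = iface.network.prefixlen
        self._network_address = int(iface.network.network_address)

    def __eq__(self, other):
        return (self._ip, self._prefixlen) == (other._ip, other._prefixlen)

    def __hash__(self):
        return self._ip ^ self._prefixlen ^ self._network_address


class FixedInterface(WeakInterface):
    """Same fields, hashed as a tuple so that every field contributes and
    two equal-looking fields no longer cancel each other out."""

    def __hash__(self):
        return hash((self._ip, self._prefixlen, self._network_address))


def distinct_hashes(cls, n=256):
    """Number of distinct hash values among n constructed host addresses
    10.0.0.0/32 .. 10.0.0.(n-1)/32."""
    return len({hash(cls(f"10.0.0.{i}/32")) for i in range(n)})


def eq_comparisons_when_inserting(cls, n=256):
    """Count __eq__ calls while building a set of n interfaces.

    A set only calls __eq__ on keys whose hash matches. With a constant hash
    every new key is compared against every key already present, which is
    the quadratic work behind the denial-of-service concern; with distinct
    hashes the comparisons (almost) never happen."""
    counter = {"eq": 0}

    class Counting(cls):
        def __eq__(self, other):
            counter["eq"] += 1
            return cls.__eq__(self, other)

        # Defining __eq__ would otherwise set __hash__ to None; keep cls's hash.
        __hash__ = cls.__hash__

    seen = set()
    for i in range(n):
        seen.add(Counting(f"10.0.0.{i}/32"))
    return counter["eq"]


def stdlib_distinct_hashes(n=256):
    """Same measurement against the interpreter's own IPv4Interface. On an
    interpreter with the fix this is close to n; on an unpatched one, 1."""
    return len({hash(ipaddress.IPv4Interface(f"10.0.0.{i}/32")) for i in range(n)})


if __name__ == "__main__":
    for cls in (WeakInterface, FixedInterface):
        print(cls.__name__, "distinct hashes:", distinct_hashes(cls),
              "eq calls while inserting 256 keys:", eq_comparisons_when_inserting(cls))
    print("this interpreter's IPv4Interface distinct hashes:", stdlib_distinct_hashes())
```

Running it on a patched interpreter shows the weak model producing a single hash value and tens of thousands of equality comparisons for 256 insertions, while the tuple-hashed model and the interpreter's own IPv4Interface produce distinct hashes and essentially no comparisons; the last line is a quick way to confirm whether a given interpreter carries the fix.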
Good catch. Your approach seems like a good one.
Forgot to add: this applies to all versions: 3.10, 3.9, 3.8, 3.7, 3.6, 3.5.
Can I make a PR for this?
Absolutely, go ahead, Amir.
Changing versions to where the fix would be applied.
Hi. But to add the fix to the existing versions (3.8, 3.9 and 3.10), do I need to raise a PR for each of those branches?
No @rvteja92, you don't need to open multiple PRs; only make your changes on the master branch. For more information read this: And for the CLA signing, it will take a while to be updated.
Hi. My CLA has been approved. Can someone review the PR?
Ned: what are your thoughts on backporting this as a security issue?
As Eric said, this issue is assigned CVE-2020-14422. I am +1 on merging these PRs as the security patch.
A legitimate CVE should certainly be backported to all applicable releases, so, yes. However, I think that it is important for the CVE to be mentioned in the NEWS blurbs for each commit. So please update the NEWS items in each open PR to include the CVE. For master and 3.9 (if you hurry), you can update the original blurb file. For 3.8, the blurb file is in the process of being merged into the blurb for the release; for it, wait until the v3.8.4rc1 has been merged back into the main cpython repo and then update the merged blurb, please. Thanks!