CVE-2012-1150

Published: 09 March 2012

Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

Priority

Medium

Status

Package Release Status
python2.4
Launchpad, Ubuntu, Debian
Upstream Needs triage

python2.5
Launchpad, Ubuntu, Debian
Upstream Needs triage

python2.6
Launchpad, Ubuntu, Debian
Upstream
Released (2.6.8)
Patches:
Upstream: http://hg.python.org/cpython/rev/6b7704fe1be1
python2.7
Launchpad, Ubuntu, Debian
Upstream
Released (2.7.3~rc1-1)
Patches:
Upstream: http://hg.python.org/cpython/rev/a0f43f4481e0
python3.1
Launchpad, Ubuntu, Debian
Upstream Needs triage

Patches:
Upstream: http://hg.python.org/cpython/rev/f4b7ecf8a5f8 (pt1)
Upstream: http://hg.python.org/cpython/rev/ab1886e7fc19 (pt2)
python3.2
Launchpad, Ubuntu, Debian
Upstream
Released (3.2.3~rc1-1)
Patches:
Upstream: http://hg.python.org/cpython/rev/ed76dc34b39d

Notes

AuthorNote
jdstrand patch does not change the default, so the risk of backporting to python2.5 and python2.4 outweighs the benefit of adding the patch. Ubuntu 8.04 LTS who require this patch should upgrade to Ubuntu 10.04 LTS or another supported release. the patch for 3.2 on oneiric is somewhere between the upstream 3.1 and 3.2 patches. Specifically, need the Modules/_datetimemodule.c changes

References

Bugs