Closed Bug 741713 Opened 13 years ago Closed 8 months ago

embedded copy of expat is vulnerable to hash collision issue (CVE-2012-0876)

Categories

(Core :: XML, defect)

11 Branch
All
Linux
defect

Tracking


RESOLVED DUPLICATE of bug 1374012

People

(Reporter: huzaifas, Unassigned)

Details

I am not sure if we should call this a security issue in the context of a web browser, but I would rather file it as one and then call it non-security than the other way around. The DoS issue caused by hash collisions affects the expat library as well. A specially crafted set of keys could trigger hash function collisions, which degrade dictionary performance by changing the complexity of hash table operations from an expected/average O(1) to the worst case O(n). Reporters were able to find colliding strings efficiently using a meet-in-the-middle attack. Since Firefox embeds expat, it seems to be affected as well. I was able to reproduce a DoS which lasted for several minutes on a quad-core machine.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0876
Possible patch: https://bugzilla.redhat.com/attachment.cgi?id=564916
Bugzilla comments seem to have an issue, try #3: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0876"
Component: General → XML
Product: Firefox → Core
QA Contact: general → xml
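The mechanism the report describes, as an added example that is not part of the bug, of expat or of Mozilla: a meet-in-the-middle search for keys that collide under an unsalted multiply-and-XOR string hash, followed by a probe count on an open-addressing table to show the O(1) to O(n) degradation. The hash below only mirrors the shape of expat's pre-2.1.0 hash (h = (h * M) ^ byte, no secret salt); the multiplier 0xF4243, the 20-bit fold, the alphabet and the key lengths are assumptions chosen so the search finishes in well under a second. The real hash is 32/64 bits wide and needs correspondingly larger prefix and suffix sets, but the algorithm is the same.

```python
"""Meet-in-the-middle collision search against an unsalted multiply-and-XOR
string hash, plus the probe cost those collisions cause in a power-of-two
open-addressing table.

Added example; not code from this bug, from expat or from Mozilla.  The hash
mirrors only the *shape* of expat's pre-2.1.0 hash (h = (h * M) ^ byte, no
salt).  MULT, HASH_BITS, ALPHABET and the key lengths are assumptions made
for a fast demo; the real hash is 32/64-bit and needs larger half-key sets.
"""
from __future__ import annotations

import random
from itertools import product

MULT = 0xF4243                  # assumed odd multiplier (odd => invertible mod 2^k)
HASH_BITS = 20                  # demo fold; expat hashes into a full unsigned long
MASK = (1 << HASH_BITS) - 1
MULT_INV = pow(MULT, -1, 1 << HASH_BITS)          # exists because MULT is odd
ALPHABET = b"abcdefghijklmnopqrstuvwxyzABCDEF"     # 32 legal XML name characters


def weak_hash(key: bytes) -> int:
    """Unsalted hash: every byte is only XORed into a multiplied running value."""
    h = 0
    for c in key:
        h = ((h * MULT) ^ c) & MASK
    return h


def unhash_step(h_new: int, c: int) -> int:
    """Invert one hash step: from h_new = (h_old * M) ^ c recover h_old."""
    return ((h_new ^ c) * MULT_INV) & MASK


def find_collisions(target: int, half_len: int = 3) -> list[bytes]:
    """Return distinct keys of length 2*half_len with weak_hash(key) == target.

    Forward half: hash every prefix once and index it by hash value.
    Backward half: for every suffix, run the hash backwards from the target
    to the prefix hash that suffix would need, and look it up.  This costs
    2 * |A|^k hash evaluations instead of |A|^(2k); the expected number of
    hits is |A|^(2k) / 2^HASH_BITS.
    """
    prefixes: dict[int, list[bytes]] = {}
    for chars in product(ALPHABET, repeat=half_len):
        p = bytes(chars)
        prefixes.setdefault(weak_hash(p), []).append(p)
    keys: list[bytes] = []
    for chars in product(ALPHABET, repeat=half_len):
        q = bytes(chars)
        need = target
        for c in reversed(q):                      # undo the suffix, last byte first
            need = unhash_step(need, c)
        for p in prefixes.get(need, ()):
            keys.append(p + q)
    return keys


def probe_cost(keys: list[bytes]) -> int:
    """Insert keys into an open-addressing table and count slot probes.

    Keys with equal hashes share a bucket, so the k-th colliding insert steps
    past k-1 occupied slots: n such keys cost exactly n(n+1)/2 probes.
    """
    size = 1 << (len(keys).bit_length() + 1)       # keeps load factor below 1/2
    slots: list[bytes | None] = [None] * size
    probes = 0
    for key in keys:
        i = weak_hash(key) & (size - 1)
        while True:
            probes += 1
            if slots[i] is None:
                slots[i] = key
                break
            i = (i + 1) & (size - 1)               # linear probing step
    return probes


def attack_document(keys: list[bytes]) -> bytes:
    """One element whose attribute names all hash to the same bucket."""
    attrs = b" ".join(k + b'=""' for k in keys)
    return b"<doc " + attrs + b"/>"


def benign_keys(n: int, length: int = 6) -> list[bytes]:
    """Constructed comparison set: seeded random names that spread over the table."""
    rng = random.Random(1)
    return [bytes(rng.choice(ALPHABET) for _ in range(length)) for _ in range(n)]


if __name__ == "__main__":
    colliding = find_collisions(weak_hash(b"target"))
    print(len(colliding), "colliding keys, e.g.", colliding[:3])
    n = min(len(colliding), 200)
    print("probes for", n, "colliding keys:", probe_cost(colliding[:n]))
    print("probes for", n, "benign keys:   ", probe_cost(benign_keys(n)))
```

The salt added in expat 2.1.0 (and in the Red Hat patch linked above) breaks this search because the attacker no longer knows the function whose steps are being inverted; with the unsalted form, every step is invertible as long as the multiplier is odd, which is why the backward half of the search is as cheap as the forward half. The document built by attack_document only uses letters from ALPHABET, so each name is a legal XML attribute name.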
We don't keep client-side DoS issues private in bugzilla; there are hundreds of simpler ways to hang the browser ;-)
Group: core-security
For posterity, this issue was fixed upstream in expat version 2.1.0: http://sourceforge.net/projects/expat/files/expat/2.1.0/ along with other CVEs:

#2895533: CVE-2012-1147 - Resource leak in readfilemap.c. - affects xmlwf tool -> not applicable to mozilla
#1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences. - does not seem reproducible with mozilla; no obvious reason I can see and I haven't investigated further
#2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8(). - not reproducible either, but it requires DefaultHandler to be set, which only seems to happen in: https://hg.mozilla.org/mozilla-central/file/6f702709fab6/parser/htmlparser/src/nsExpatDriver.cpp#l1261 I haven't tried to exercise that code path
#2958794: CVE-2012-1148 - Memory leak in poolGrow. - seems applicable to mozilla

The bundled version is still 2.0.0, with no patch for the above issues applied, afaics.
Severity: minor → S4
Status: UNCONFIRMED → RESOLVED
Closed: 8 months ago
Duplicate of bug: 1374012
Resolution: --- → DUPLICATE