
[CVE-2020-14422] Resolve hash collisions for IPv4Interface and IPv6Interface #56

Open
wants to merge 1 commit into master

Conversation

frenzymadness

The __hash__() methods of classes IPv4Interface and IPv6Interface had the issue
of generating constant hash values of 32 and 128 respectively, causing hash collisions.
The fix uses the hash() function to generate hash values for the objects
instead of an XOR operation.

Fixes: #55

Backported from: python/cpython@bd32b1f

If you prefer to wait for the next Python 3.8 release, please let me know.

The __hash__() methods of classes IPv4Interface and IPv6Interface had the issue
of generating constant hash values of 32 and 128 respectively, causing hash collisions.
The fix uses the hash() function to generate hash values for the objects
instead of an XOR operation.

Fixes: phihag#55
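To make the collision described above concrete, here is an added example (not code from this repository or from the CPython commit) that re-implements the old and new `__hash__` bodies on top of the standard-library `ipaddress` module and compares their collision rates on a constructed sample; reading the private `_ip` and `_prefixlen` attributes is an assumption about the current CPython layout. It also includes a check that a packager can run against whatever `ipaddress` module is actually installed.

```python
"""CVE-2020-14422: constant __hash__ of IPv4Interface/IPv6Interface.

Constructed example; both hash functions below mirror the pre- and post-fix
bodies and rely on the private attributes _ip and _prefixlen (an assumption
about the CPython implementation, true for current 3.x versions).
"""
import ipaddress


def vulnerable_hash(iface):
    # Pre-fix body: XOR of the address, the prefix length and the network
    # address. For a host interface (implicit /32 or /128) the address and
    # the network address are equal and cancel out, so only the prefix length
    # remains: every IPv4 host interface hashes to 32, every IPv6 one to 128.
    return iface._ip ^ iface._prefixlen ^ int(iface.network.network_address)


def fixed_hash(iface):
    # Post-fix body: hash the tuple of the same three fields instead of XORing.
    return hash((iface._ip, iface._prefixlen, int(iface.network.network_address)))


def collision_rate(addresses, hash_fn):
    """Fraction of the given interfaces whose hash is shared with another one."""
    ifaces = [ipaddress.ip_interface(a) for a in addresses]
    buckets = {}
    for iface in ifaces:
        buckets.setdefault(hash_fn(iface), []).append(iface)
    colliding = sum(len(b) for b in buckets.values() if len(b) > 1)
    return colliding / len(ifaces)


def installed_module_is_vulnerable():
    """Probe the ipaddress module in use: two distinct host interfaces must not
    share a hash. Returns True if the constant-hash bug is present."""
    a = ipaddress.ip_interface("10.0.0.1")
    b = ipaddress.ip_interface("192.0.2.7")
    return hash(a) == hash(b)


# Constructed sample: distinct host interfaces, no explicit prefix length.
SAMPLE = ["10.0.0.1", "10.0.0.2", "192.0.2.7", "198.51.100.9",
          "2001:db8::1", "2001:db8::2", "2001:db8:1::ffff"]

if __name__ == "__main__":
    print("old __hash__ collision rate:", collision_rate(SAMPLE, vulnerable_hash))
    print("new __hash__ collision rate:", collision_rate(SAMPLE, fixed_hash))
    print("installed ipaddress vulnerable:", installed_module_is_vulnerable())
```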
@phihag
Owner

phihag commented Aug 3, 2020

Sorry that it took so long, but I'm currently working on updating to the current cpython version of ipaddress. Unfortunately, there's a high number of merge conflicts. I'll look at them, and if I don't get it done soon, will merge this quickfix.

@frenzymadness
Author

No worries. I've also made a mistake because this commit is not marked as released on GitHub but it actually is released in 3.8.4.

So, an update to the latest cpython version should be enough, or you can release just this fix if the update would take too long.

@zoofood

zoofood commented Sep 22, 2020

Hi @phihag! Just a friendly note that I too would like to see this issue resolved. If there is anything I can do to help it along, let me know!

@frenzymadness
Author

Hello. Could we please move this forward? We can either help you to update the package to the latest cpython version or you can just merge and release this fix. After all, it's a moderate severity CVE and this package is a dependency of many very popular libraries.

@shadchin

shadchin commented Nov 1, 2020

Hi! Can you make a release with this fix?

@frenzymadness
Author

I'm gonna try to update this package from the upstream Python. If you want to help, follow my progress in #59.

@zoofood

zoofood commented Nov 18, 2020

@frenzymadness @shadchin We (ActiveState) forked it and fixed it here: https://github.com/ActiveState/ipaddress. Obviously not ideal as it would be best if this project was the canonical source but the CVE has been addressed.

@frenzymadness
Author

@zoofood Thanks for the info. I can also maintain this patch downstream (on RPM level) but I'd rather fix this project.

@frenzymadness
Author

A PR with an update to CPython 3.8 is available at #60.

@mogul

mogul commented May 12, 2021

Is this going to be merged? Is there anything we can do to help that happen soon?

Successfully merging this pull request may close these issues.

[CVE-2020-14422] Hash collisions in IPv4Interface and IPv6Interface