[CVE-2020-14422] Resolve hash collisions for IPv4Interface and IPv6Interface #56
base: master
Conversation
The `__hash__()` methods of the classes IPv4Interface and IPv6Interface had an issue of generating constant hash values of 32 and 128 respectively, causing hash collisions. The fix uses the `hash()` function to generate hash values for the objects instead of an XOR operation.

Fixes: phihag#55
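As an added example (not code from this PR or from CPython), the two formulas can be reproduced as standalone functions over stdlib `ipaddress` objects, so the collision and the fix can be compared on a current, already-fixed interpreter: the pre-fix XOR of address, prefix length and network address, and the post-fix `hash()` of the same three fields as a tuple. The operands are taken from the CPython commit referenced in the commit message (python/cpython@bd32b1f); the sample addresses are constructed.

```python
import ipaddress


def flawed_hash(text):
    """Pre-fix formula (CPython <= 3.8.3): ip ^ prefixlen ^ network_address."""
    iface = ipaddress.ip_interface(text)
    # ip ^ network_address cancels the network bits and keeps only the host
    # bits, so the value no longer depends on which network the address is in.
    # For a /32 (IPv4) or /128 (IPv6) there are no host bits at all, and the
    # result is the constant 32 or 128 the PR description refers to.
    return (int(iface.ip)
            ^ iface.network.prefixlen
            ^ int(iface.network.network_address))


def fixed_hash(text):
    """Post-fix formula: hash() of a tuple of the same three fields."""
    iface = ipaddress.ip_interface(text)
    return hash((int(iface.ip),
                 iface.network.prefixlen,
                 int(iface.network.network_address)))


def distinct_hashes(texts, hash_fn):
    """How many distinct buckets a collection of interfaces would spread over."""
    return len({hash_fn(t) for t in texts})


def demo():
    # Constructed sample input: 256 host interfaces (implicit /32 and /128),
    # the shape a dict keyed by IPv4Interface/IPv6Interface objects would see.
    v4 = ["10.0.0.%d" % i for i in range(256)]
    v6 = ["2001:db8::%x" % i for i in range(256)]
    return {
        "v4_flawed": distinct_hashes(v4, flawed_hash),  # 1: every value is 32
        "v4_fixed": distinct_hashes(v4, fixed_hash),    # 256
        "v6_flawed": distinct_hashes(v6, flawed_hash),  # 1: every value is 128
        "v6_fixed": distinct_hashes(v6, fixed_hash),    # 256
    }


if __name__ == "__main__":
    print(demo())
    # The collision is not limited to host routes: with any prefix only the
    # host bits survive, so interfaces in unrelated networks collide as well.
    print(flawed_hash("10.0.0.1/24") == flawed_hash("192.168.5.1/24"))  # True
    print(fixed_hash("10.0.0.1/24") == fixed_hash("192.168.5.1/24"))    # False
```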
Sorry that it took so long, but I'm currently working on updating to the current cpython version of ipaddress. Unfortunately, there's a high number of merge conflicts. I'll look at them, and if I don't get it done soon, will merge this quickfix.
No worries. I've also made a mistake because this commit is not marked as released on Github but it actually is released in 3.8.4. So, update to the latest cpython version should be enough or you can release just this fix if the update would take too long.
Hi @phihag! Just a friendly note that I too would like to see this issue resolved. If there is anything I can do to help it along, let me know!
Hello. Could we please move this forward? We can either help you to update the package to the latest cpython version or you can just merge and release this fix. After all, it's a moderate severity CVE and this package is a dependency of many very popular libraries.
Hi! Can you make a release with this fix?
I'm gonna try to update this package from the upstream Python. If you want to help, follow my progress in #59
@frenzymadness @shadchin We (ActiveState) forked it and fixed it here: https://github.com/ActiveState/ipaddress. Obviously not ideal as it would be best if this project was the canonical source, but the CVE has been addressed.
@zoofood Thanks for the info. I can also maintain this patch downstream (on RPM level) but I'd rather fix this project.
A PR with an update to the CPython 3.8 is available at #60
Is this going to be merged? Is there anything we can do to help that happen soon?
The `__hash__()` methods of classes IPv4Interface and IPv6Interface had an issue
of generating constant hash values of 32 and 128 respectively, causing hash collisions.
The fix uses the `hash()` function to generate hash values for the objects
instead of an XOR operation.
Fixes: #55
Backported from: python/cpython@bd32b1f
If you prefer to wait for the next Python 3.8 release, please let me know.