Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CVE-2020-14422] Resolve hash collisions for IPv4Interface and IPv6Interface #56

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

frenzymadness
Copy link

The hash() methods of classes IPv4Interface and IPv6Interface had issue
of generating constant hash values of 32 and 128 respectively causing hash collisions.
The fix uses the hash() function to generate hash values for the objects
instead of XOR operation

Fixes: #55

Backported from: python/cpython@bd32b1f

Ir you prefert to wait for the next Python 3.8 release, please let me know.

The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
of generating constant hash values of 32 and 128 respectively causing hash collisions.
The fix uses the hash() function to generate hash values for the objects
instead of XOR operation

Fixes: phihag#55
@phihag
Copy link
Owner

phihag commented Aug 3, 2020

Sorry that it took so long, but I'm currently working on updating to the current cpython version of ipaddress. Unfortunately, there's a high number of merge conflicts. I'll look at them, and if I don't get it done soon, will merge this quickfix.

@frenzymadness
Copy link
Author

No worries. I've also made a mistake because this commit is not marked as released on Github but it actually is released in 3.8.4.

So, update to the latest cpython version should be enough or you can release just this fix if the update would take too long.

@zoofood
Copy link

zoofood commented Sep 22, 2020

Hi @phihag! Just a friendly note that I too would like to see this issue resolved. If there is anything I can do to help it along, let me know!

@frenzymadness
Copy link
Author

Hello. Could we please move this forward? We can either help you to update the package to the latest cpython version or you can just merge and release this fix. After all, it's a moderate severity CVE and this package is a dependency of many very popular libraries.

@shadchin
Copy link

shadchin commented Nov 1, 2020

Hi! Can you make a release with this fix?

@frenzymadness
Copy link
Author

I'm gonna try to update this package from the upstream Python. If you want to help, follow my progress in #59

@zoofood
Copy link

zoofood commented Nov 18, 2020

@frenzymadness @shadchin We (ActiveState) forked it and fixed it here: https://github.com/ActiveState/ipaddress. Obviously not ideal as it would be best if this project was the canonical source but the CVE has been addressed.

@frenzymadness
Copy link
Author

@zoofood Thanks for the info. I can also maintain this patch downstream (on RPM level) but I'd rather fix this project.

@frenzymadness
Copy link
Author

A PR with an update to the CPython 3.8 is available at #60

@mogul
Copy link

mogul commented May 12, 2021

Is this going to be merged? Is there anything we can do to help that happen soon?

@seymoneg
Copy link

seymoneg commented Dec 2, 2024

Hi @phihag, I've opened an issue here #66, but if you could please merge this PR it would be greatly appreciated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[CVE-2020-14422] Hash collisions in IPv4Interface and IPv6Interface
7 participants