Bug#655044: glib2.0: ghashtable vulnerable to oCert-2011-003 DOS attacks
John Lightsey
lightsey at debian.org
Sun Jan 8 04:54:07 UTC 2012
On 01/07/2012 10:34 PM, Michael Biebl wrote:
> On 08.01.2012 02:28, John Lightsey wrote:
> This discussion is from 2003 and had no real conclusion.
> Have you checked if the current code base is still vulnerable?
Yes, I looked at their upstream repo and it appears to me that the
standard hashing functions still have this problem.
guint
g_str_hash (gconstpointer v)
{
const signed char *p;
guint32 h = 5381;
for (p = v; *p != '\0'; p++)
h = (h << 5) + h + *p;
return h;
}
This is a harder to reverse than the standard "h = h * 33 + *p", but the
collisions are predictable.
The hash functions for int64 and double just truncate the keys.
More information about the pkg-gnome-maintainers
mailing list