[Python-modules-team] Bug#872285: More info about nondeterminism_added_by_pyqt5_pyrcc5
infinity0 at debian.org
Wed Aug 16 12:02:00 UTC 2017
> I'm packaging an application making use of pyrcc5 and I noticed the
> nondeterminism it adds.
> I see that this description is currently not correct.
> You can see that pyrcc5 uses QHash, which is made to avoid algorithmic
> complexity attacks
> introducing a randomization.
> There are two possible solutions: set the environment variable
> QT_HASH_SEED to a constant value before
> pyrcc5 is called (this is my current workaround) or call qSetGlobalQHashSeed().
> I can help with the implementation if needed.
>  https://tests.reproducible-builds.org/debian/issues/unstable/nondeterminism_added_by_pyqt5_pyrcc5_issue.html
>  http://doc.qt.io/qt-5/qhash.html
It might be safer to subclass QHash into a deterministic QDetHash or something. This would allow one to use QHash both non-deterministically (to protect against DoS attacks) and deterministically in the same program, depending on the use-case.
For example, the rust compiler internally uses a deterministic hash table but offers a non-deterministic version in its standard library, see https://github.com/rust-lang/rust/issues/34902 for details.
You are setting seed = 0 in a header file. If this is a public header file, then anyone that #includes it would lose protection against those attacks, not just pyrcc.
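To illustrate the trade-off discussed in this thread, here is an added example that is not part of the bug report, of pyrcc5 or of Qt. It uses a hypothetical seeded open-addressing table (a stand-in for QHash; the hash function, `SeededTable`, and the sample resource entries are all constructed for the example) to show that iteration order changes with the seed, and that a serializer which sorts keys before emitting produces identical output for every seed. That is the shape of the "deterministic only where needed" approach suggested above, as opposed to fixing the seed to 0 for the whole process.

```python
"""Seeded hash table whose iteration order depends on the seed (as QHash's does
when the seed is randomized), plus a serializer that is deterministic regardless
of the seed. All names here are hypothetical stand-ins, not Qt or pyrcc5 code."""

from typing import Iterator, List, Optional, Tuple

def seeded_hash(key: str, seed: int) -> int:
    # FNV-1a-style mix with the seed folded into the initial state.
    # Stand-in for a seeded qHash(); not Qt's actual algorithm.
    h = (0x811C9DC5 ^ seed) & 0xFFFFFFFF
    for b in key.encode():
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h

class SeededTable:
    """Open-addressing table. Iteration walks the bucket array, so the order in
    which entries come out depends on the seed, like a randomized QHash."""

    def __init__(self, seed: int, capacity: int = 64):
        self.seed = seed
        self.slots: List[Optional[Tuple[str, bytes]]] = [None] * capacity

    def insert(self, key: str, value: bytes) -> None:
        i = seeded_hash(key, self.seed) % len(self.slots)
        # Linear probing; the table is never filled in this example.
        while self.slots[i] is not None and self.slots[i][0] != key:
            i = (i + 1) % len(self.slots)
        self.slots[i] = (key, value)

    def __iter__(self) -> Iterator[Tuple[str, bytes]]:
        return (s for s in self.slots if s is not None)

# Constructed sample resource entries (path -> content), standing in for a .qrc.
RESOURCES = {
    "icons/open.png": b"\x89PNG...open",
    "icons/save.png": b"\x89PNG...save",
    "qml/main.qml": b"import QtQuick 2.0",
    "i18n/app_de.qm": b"qm-de",
}

def _load(seed: int) -> SeededTable:
    t = SeededTable(seed)
    for k, v in RESOURCES.items():
        t.insert(k, v)
    return t

def bundle_in_table_order(seed: int) -> bytes:
    """Emit entries in hash-table order: output varies with the seed."""
    return b"".join(k.encode() + b"=" + v + b"\n" for k, v in _load(seed))

def bundle_deterministic(seed: int) -> bytes:
    """Emit entries sorted by key: output is independent of the seed, and the
    table itself keeps its randomized seed for everything else it is used for."""
    return b"".join(k.encode() + b"=" + v + b"\n" for k, v in sorted(_load(seed)))

def order_depends_on_seed(seeds) -> bool:
    """True if at least two of the given seeds yield different table-order output."""
    return len({bundle_in_table_order(s) for s in seeds}) > 1

if __name__ == "__main__":
    print("table order varies with seed:", order_depends_on_seed(range(100)))
    print("sorted output identical:",
          bundle_deterministic(0) == bundle_deterministic(123456789))
```

The point of the example: reproducible output is obtained by making the serialization step order-independent, so the hash table can keep a per-process random seed (its DoS protection) while the generated file is still byte-for-byte stable across builds. Exporting a fixed seed from a public header, as the reply above warns, would instead disable the randomization for every consumer of that header.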