PerlMonks  

Re^2: Patch an old Perl version

by demerphq (Chancellor)
on Nov 10, 2013 at 11:38 UTC


in reply to Re: Patch an old Perl version
in thread Patch an old Perl version

While I generally agree with your gist here, I feel compelled to point out that with regard to CVE-2013-1667 point 4 is plain wrong, and that 5, while attempting to make a valid point, contains inaccuracies and appears to be based on the mistaken understanding that CVE-2013-1667 is a normal hash collision attack.

Point 4 is plain wrong because a successful attack requires far fewer keys than you realize. I feel obliged to be coy about how many, but rest assured the number is small enough to be a real threat.

Point 5 contains a valid point that this attack is probably of concern only to business scale installations. However, the rest of the points it makes are at best applicable to a standard hash collision attack but do not apply to the REHASH attack at all. Specifically, the REHASH attack is *proven* (or there would be no one-line test for it), requires no probing, and far from being "almost impossible" is actually trivial to execute. To attack various web platforms one would simply construct an URL containing the right keys as parameters to the request, and since the proof of concept attack requires only chars in "a-z" doing this is trivial.

Anyway, with regard to a true hash collision attack I generally agree with your line of thinking in this post, and indeed my paper on it said more or less the same thing. But the REHASH attack is in a different category, and should not be confused with a classical hash collision attack.

---
$world=~s/war/peace/g

Replies are listed 'Best First'.
Re^3: Patch an old Perl version
by BrowserUk (Patriarch) on Nov 10, 2013 at 12:26 UTC
    Specifically, the REHASH attack is *proven* (or there would be no one-line test for it)

    Sorry n'all, but that is rubbish.

    *All* your one liner demonstrates is: does this perl contain that change/patch? Nothing -- literally nothing -- more.

    It in no way makes any attempt to demonstrate why the patch might be needed.

    It simply demonstrates that something is different; without giving any indication of how -- or even whether -- the changed behaviour is an improvement in some way.

    , requires no probing, and far from being "almost impossible" is actually trivial to execute.

    Again. A bland statement unsubstantiated by your post; your paper; the text of CVE-2013-1667; or anything else that you've said publicly on the subject(*).

    To attack various web platforms one would simply construct an URL containing the right keys as parameters to the request, and since the proof of concept attack requires only chars in "a-z" doing this is trivial.

    Again. This is so trivialised a scenario as to be meaningless.

    A whole bunch of reasoning deleted; let's cut to the chase ...

    So, if I send you a url of a perl script running on my machine under an unpatched version of Perl; you'll make it crash in short order?

    *that I've been able to find. After months of looking!


    With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
    Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
    "Science is about questioning the status quo. Questioning authority".
    In the absence of evidence, opinion is indistinguishable from prejudice.

      Sorry, but I do not believe it is responsible to reveal the attack key set at this time. Everybody on the perl5-security list has seen the full attack set and can confirm what I say about it. The fact they rolled security releases for all the major versions should be sufficient proof.

      ---
      $world=~s/war/peace/g

        I do not believe it is responsible to reveal the attack key set at this time.

        If you attack a url on my machine; I'm the only one who could see the key set. You're accusing me of being a risk.


        With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
        Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
        "Science is about questioning the status quo. Questioning authority".
        In the absence of evidence, opinion is indistinguishable from prejudice.
      The attack is real and proven. I've let it crash my machine in a realistic simulation of the real world. Please patch your world-facing perls.
      rjbs
        The attack is real and proven.

        First: prove it!

        But, even if that does happen, to what consequence?

        The instance of perl running the cgi script in response to the attacker's request, self terminates. Meaning the attack is over.

        The web-server continues to run; new instances of perl are run to handle everyone else's requests.

        The total damage done is EXACTLY ZERO. Nada. Zilch.

        No DoS; No DDoS; No effect on other users; nor the web-site; nor anything permanent.

        The attacker's session ends immediately. Big deal?


        With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
        Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
        "Science is about questioning the status quo. Questioning authority".
        In the absence of evidence, opinion is indistinguishable from prejudice.
