
[CVE-2020-14422] Resolve hash collisions for IPv4Interface and IPv6Interface

Open frenzymadness opened this issue 3 years ago • 10 comments

The __hash__() methods of the classes IPv4Interface and IPv6Interface had the issue of generating constant hash values of 32 and 128 respectively, causing hash collisions. The fix uses the hash() function to generate hash values for the objects instead of an XOR operation.

Fixes: https://github.com/phihag/ipaddress/issues/55

Backported from: https://github.com/python/cpython/pull/21221/commits/bd32b1fc950e6633d237855ceddd84ea83904238

If you prefer to wait for the next Python 3.8 release, please let me know.

frenzymadness avatar Aug 03 '20 10:08 frenzymadness
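An added example, not part of the PR or of the ipaddress package, that models the two hash forms the description contrasts. `old_xor_hash` reproduces the pre-fix XOR of address, prefix length and network address; `fixed_tuple_hash` reproduces the tuple form from the backported commit. The helper names (`distinct_hashes`, `v4_host`, `v6_host`, `installed_module_is_affected`) are this example's own, and the 10.0.0.0/24 and 2001:db8:: sample addresses are constructed. The last function is the check a practitioner can run against whatever `ipaddress` module is on the path to see whether it still collapses host interfaces to a single hash value, which is the dictionary-performance issue CVE-2020-14422 describes.

```python
"""Model the vulnerable and the fixed IPv4Interface/IPv6Interface hash and
check the installed ipaddress module for the collapsing behaviour."""
import ipaddress


def old_xor_hash(iface):
    # Pre-fix form: XOR of the address, the prefix length and the network
    # address. For a host interface (the default /32 or /128) the address and
    # the network address are identical, so they cancel out and only the
    # prefix length (32 or 128) remains: every such object hashes to the same
    # value, and a dict or set keyed on them degrades to a linear scan.
    return (int(iface.ip)
            ^ iface.network.prefixlen
            ^ int(iface.network.network_address))


def fixed_tuple_hash(iface):
    # Fixed form from the backported commit: hash the tuple of the same three
    # fields, so each field contributes independently to the result.
    return hash((int(iface.ip),
                 iface.network.prefixlen,
                 int(iface.network.network_address)))


def v4_host(i):
    # Constructed sample: consecutive IPv4 host interfaces, default prefix /32.
    return ipaddress.IPv4Interface(f"10.0.0.{i}")


def v6_host(i):
    # Constructed sample: consecutive IPv6 host interfaces, default prefix /128.
    return ipaddress.IPv6Interface(f"2001:db8::{i:x}")


def distinct_hashes(hash_fn, factory, count=256):
    """Number of distinct hash values hash_fn yields over `count` interfaces."""
    return len({hash_fn(factory(i)) for i in range(count)})


def installed_module_is_affected():
    """True if the ipaddress module in use still hashes every host interface
    to one value (the pre-3.8.4 behaviour); False once the tuple hash is in."""
    return (distinct_hashes(hash, v4_host) == 1
            or distinct_hashes(hash, v6_host) == 1)


if __name__ == "__main__":
    print("old XOR hash, 256 IPv4 hosts ->", distinct_hashes(old_xor_hash, v4_host), "distinct")
    print("fixed tuple hash, 256 IPv4 hosts ->", distinct_hashes(fixed_tuple_hash, v4_host), "distinct")
    print("installed ipaddress affected:", installed_module_is_affected())
```

Run as a script it prints 1 distinct value for the XOR form and 256 for the tuple form; the `installed_module_is_affected()` line is the one to keep in a dependency-audit script, since it exercises the real `hash()` of whichever `ipaddress` (stdlib or backport) is imported rather than the model functions.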

Sorry that it took so long, but I'm currently working on updating to the current cpython version of ipaddress. Unfortunately, there's a high number of merge conflicts. I'll look at them, and if I don't get it done soon, will merge this quickfix.

phihag avatar Aug 03 '20 10:08 phihag

No worries. I've also made a mistake because this commit is not marked as released on Github but it actually is released in 3.8.4.

So, update to the latest cpython version should be enough or you can release just this fix if the update would take too long.

frenzymadness avatar Aug 03 '20 10:08 frenzymadness

Hi @phihag! Just a friendly note that I too would like to see this issue resolved. If there is anything I can do to help it along, let me know!

zoofood avatar Sep 22 '20 00:09 zoofood

Hello. Could we please move this forward? We can either help you to update the package to the latest cpython version or you can just merge and release this fix. After all, it's a moderate severity CVE and this package is a dependency of many very popular libraries.

frenzymadness avatar Oct 08 '20 04:10 frenzymadness

Hi! Can you make a release with this fix?

shadchin avatar Nov 01 '20 09:11 shadchin

I'm gonna try to update this package from the upstream Python. If you want to help, follow my progress in #59

frenzymadness avatar Nov 18 '20 13:11 frenzymadness

@frenzymadness @shadchin We (ActiveState) forked it and fixed it here: https://github.com/ActiveState/ipaddress. Obviously not ideal as it would be best if this project was the canonical source but the CVE has been addressed.

zoofood avatar Nov 18 '20 17:11 zoofood

@zoofood Thanks for the info. I can also maintain this patch downstream (on RPM level) but I'd rather fix this project.

frenzymadness avatar Nov 19 '20 07:11 frenzymadness

A PR with an update to the CPython 3.8 is available at #60

frenzymadness avatar Nov 20 '20 14:11 frenzymadness

Is this going to be merged? Is there anything we can do to help that happen soon?

mogul avatar May 12 '21 17:05 mogul