Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[3.5] bpo-41004: Resolve hash collisions for IPv4Interface and IPv6In… #21233

Merged
merged 3 commits into from Aug 4, 2020
Merged

[3.5] bpo-41004: Resolve hash collisions for IPv4Interface and IPv6In… #21233

merged 3 commits into from Aug 4, 2020

Conversation

@tapakund
Copy link

@tapakund tapakund commented Jun 30, 2020
edited by bedevere-bot
Loading

…terface (GH-21033)

The hash() methods of classes IPv4Interface and IPv6Interface had issue
of generating constant hash values of 32 and 128 respectively causing hash collisions.
The fix uses the hash() function to generate hash values for the objects
instead of XOR operation
(cherry picked from commit b30ee26)

Co-authored-by: Ravi Teja P rvteja92@gmail.com

Signed-off-by: Tapas Kundu tkundu@vmware.com

https://bugs.python.org/issue41004
@corona10
Copy link
Member

@corona10 corona10 commented Jun 30, 2020

Sorry, we only accept the security patch for 3.5-3.7.

I close this PR cc @ericvsmith

ref: https://devguide.python.org/#status-of-python-branches

Loading

@corona10 corona10 closed this Jun 30, 2020
@corona10 corona10 reopened this Jun 30, 2020
corona10
corona10 approved these changes Jun 30, 2020
View changes
Copy link
Member

@corona10 corona10 left a comment

Since this issue is reported as the CVE-2020-14422.
I am okay to merge this PR as the security issue.

But waiting for @ned-deily and @ericvsmith 's comment :)

Loading

@corona10 corona10 requested review from ericvsmith and ned-deily Jun 30, 2020
@ned-deily
Copy link
Member

@ned-deily ned-deily commented Jun 30, 2020

The decision whether to merge to 3.5 is up to the 3.5 release manager, @larryhastings.

Loading

@ned-deily
Copy link
Member

@ned-deily ned-deily commented Jun 30, 2020

As I noted on the bpo issue, I think the NEWS blurb should be updated to include the CVE.

Loading

@tapakund
[3.5] bpo-41004: Resolve hash collisions for IPv4Interface and IPv6In…
3e632dc 
…terface (pythonGH-21033)

The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
of generating constant hash values of 32 and 128 respectively causing hash collisions.
The fix uses the hash() function to generate hash values for the objects
instead of XOR operation
(cherry picked from commit b30ee26)

Co-authored-by: Ravi Teja P <rvteja92@gmail.com>

Signed-off-by: Tapas Kundu <tkundu@vmware.com>
@ned-deily ned-deily requested review from larryhastings and removed request for ned-deily Jun 30, 2020
@tapakund
Copy link
Author

@tapakund tapakund commented Jul 2, 2020

@larryhastings Please help to review the backport to 3.5 of a security fix. Thanks!

Loading

@larryhastings larryhastings merged commit 11d258c into python:3.5 Aug 4, 2020
4 checks passed
Loading
@bedevere-bot
Copy link

@bedevere-bot bedevere-bot commented Aug 4, 2020

@larryhastings: Please replace # with GH- in the commit message next time. Thanks!

Loading

@larryhastings
Copy link
Contributor

@larryhastings larryhastings commented Aug 4, 2020

Thanks for the backport! And, for the record, @ericvsmith is a great guy, but he is not nor has ever been a Python release manager.

Loading

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@corona10 corona10

@ericvsmith ericvsmith

@larryhastings larryhastings

Assignees
No one assigned
Labels
CLA signed type-security
Projects
None yet
Milestone
No milestone
6 participants
@tapakund @corona10 @ned-deily @bedevere-bot @larryhastings @the-knights-who-say-ni