tkggitfk24 / cityhash

Automatically exported from code.google.com/p/cityhash
MIT License

CVE-2012-6051 #10

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
From http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6051

> Google CityHash computes hash values without properly restricting the
> ability to trigger hash collisions predictably, which allows
> context-dependent attackers to cause a denial of service (CPU consumption)
> via crafted input to an application that maintains a hash table, as
> demonstrated by a universal multicollision attack.

Given that the NEWS file does not mention this, is v1.1.0 affected?

Original issue reported on code.google.com by Al3xBio on 3 Dec 2012 at 10:40

GoogleCodeExporter commented 9 years ago
CityHash was not designed to be universal or near-universal.  In this regard it 
is like Murmur, Spooky, and most other hash functions that people typically 
use.  If you are concerned about attackers causing hash collisions you should 
select a near-universal hash (e.g., VHASH) or you should avoid data structures 
and algorithms that cause unacceptable behavior when there are a large number 
of hash collisions.

Original comment by gp...@google.com on 20 Jun 2013 at 10:12
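
Added example, not part of the original thread and not CityHash project code: it illustrates the second mitigation named in the reply above, a bucket structure whose lookup cost stays bounded when every key collides. `toy_hash`, `colliding_keys`, `list_bucket_cost` and `tree_bucket_cost` are hypothetical names, and `toy_hash` is a constructed byte-sum stand-in for any non-universal hash, not CityHash.

```cpp
#include <algorithm>
#include <cstdio>
#include <iterator>
#include <list>
#include <set>
#include <string>
#include <vector>

// Constructed toy hash (NOT CityHash): a byte sum, so reordered bytes collide.
std::size_t toy_hash(const std::string& s) {
    std::size_t h = 0;
    for (unsigned char c : s) h += c;
    return h;
}

// Constructed sample input: n distinct keys that share one toy_hash value.
std::vector<std::string> colliding_keys(std::size_t n) {
    std::vector<std::string> keys(n, std::string(n, 'a'));
    for (std::size_t i = 0; i < n; ++i) keys[i][i] = 'b';
    return keys;
}

static std::size_t g_compares = 0;  // key comparisons made inside the tree
struct CountingLess {
    bool operator()(const std::string& a, const std::string& b) const {
        ++g_compares;
        return a < b;
    }
};

// Bucket as a linked list: finding the last key scans every colliding key.
std::size_t list_bucket_cost(const std::vector<std::string>& keys) {
    std::list<std::string> bucket(keys.begin(), keys.end());
    auto it = std::find(bucket.begin(), bucket.end(), keys.back());
    return static_cast<std::size_t>(std::distance(bucket.begin(), it)) + 1;
}

// Bucket as an ordered tree: the same lookup needs O(log n) comparisons.
std::size_t tree_bucket_cost(const std::vector<std::string>& keys) {
    std::set<std::string, CountingLess> bucket(keys.begin(), keys.end());
    g_compares = 0;  // ignore comparisons spent building the bucket
    return bucket.count(keys.back()) ? g_compares : 0;
}

int main() {
    std::vector<std::string> keys = colliding_keys(1024);
    std::printf("toy_hash shared by all keys: %zu\n", toy_hash(keys[0]));
    std::printf("list bucket: %zu compares\n", list_bucket_cost(keys));
    std::printf("tree bucket: %zu compares\n", tree_bucket_cost(keys));
}
```

With 1024 colliding keys the list bucket needs 1024 comparisons for the worst-case lookup, while the tree bucket needs a few dozen at most.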