xemdetia / cityhash

Automatically exported from code.google.com/p/cityhash
MIT License
0 stars 0 forks source link

CVE-2012-6051 #10

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
From http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6051

> Google CityHash computes hash values without properly restricting the 
> ability to trigger hash collisions predictably, which allows context-
> dependent attackers to cause a denial of service (CPU consumption) via 
> crafted input to an application that maintains a hash table, as 
> demonstrated by a universal multicollision attack.

Given that the NEWS file does not mention this, is v1.1.0 affected?

Original issue reported on code.google.com by Al3xBio on 3 Dec 2012 at 10:40

GoogleCodeExporter commented 9 years ago
CityHash was not designed to be universal or near-universal.  In this regard it 
is like Murmur, Spooky, and most other hash functions that people typically 
use.  If you are concerned about attackers causing hash collisions you should 
select a near-universal hash (e.g., VHASH) or you should avoid data structures 
and algorithms that cause unacceptable behavior when there are a large number 
of hash collisions.

Original comment by gp...@google.com on 20 Jun 2013 at 10:12