Skip to content

Navigation Menu

Sign in

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

gh-134062: Fix hash collisions in IPv4Network and IPv6Network #134063

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
Loading
from
Open

gh-134062: Fix hash collisions in IPv4Network and IPv6Network #134063

wants to merge 2 commits into from
+32 −1

Conversation

mssalvatore
Copy link

@mssalvatore mssalvatore commented May 15, 2025
edited by bedevere-app bot
Loading

@bedevere-app bedevere-app bot mentioned this pull request May 15, 2025
Open
@mssalvatore mssalvatore marked this pull request as ready for review May 15, 2025 18:49
picnixz
picnixz reviewed May 15, 2025
View reviewed changes
Copy link
Member

@picnixz picnixz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ideally, a regression test would be good but hash() is an implementation detail, making it CPython-only (I don't know how PyPy and co implement it), and if we don't already have a test for the similar issue you found, there's no need for one.

@picnixz picnixz added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels May 15, 2025
@mssalvatore
Copy link
Author

Ideally, a regression test would be good but hash() is an implementation detail, making it CPython-only (I don't know how PyPy and co implement it), and if we don't already have a test for the similar issue you found, there's no need for one.

I can add a regression test.

@picnixz
Copy link
Member

picnixz commented May 16, 2025

I can add a regression test.

Let's add a test where we manually craft the values that are hashed. I'm however unsure whether hash((X, Y)) where X and Y are known to be ints is always stable. For strings and bytes, this is not the case due to security reasons, but for ints, I think it's stable but I cannot say for sure that it's the case.

If there wasn't a test introduced for the previous CVE, just don't bother with a test.

@mssalvatore mssalvatore force-pushed the fix-network-hash-collisions branch from eeabe2a to 264bf69 Compare May 16, 2025 14:08
@mssalvatore
Copy link
Author

If there wasn't a test introduced for the previous CVE, just don't bother with a test.

These tests were introduced for the previous CVE:

cpython/Lib/test/test_ipaddress.py

Lines 2753 to 2763 in 62f66ca

# issue41004 Hash collisions in IPv4Interface and IPv6Interface
def testV4HashIsNotConstant(self):
ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__())
# issue41004 Hash collisions in IPv4Interface and IPv6Interface
def testV6HashIsNotConstant(self):
ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__())

I added some tests in a separate commit. Feel free to drop it if you don't think the tests are valuable.

@mssalvatore mssalvatore force-pushed the fix-network-hash-collisions branch from 264bf69 to 492c579 Compare May 16, 2025 14:12
@gpshead gpshead added the type-security A security issue label May 17, 2025
@gpshead gpshead added needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes 🔨 test-with-buildbots Test PR w/ buildbots; report in status section labels May 17, 2025
@bedevere-bot
Copy link

🤖 New build scheduled with the buildbot fleet by @gpshead for commit 492c579 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F134063%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

@bedevere-bot bedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label May 17, 2025
@gpshead gpshead self-assigned this May 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@picnixz picnixz picnixz left review comments

@gpshead gpshead gpshead approved these changes

Assignees

@gpshead gpshead

Labels
awaiting merge needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes type-security A security issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mssalvatore @picnixz @bedevere-bot @gpshead
Morty Proxy This is a proxified and sanitized view of the page, visit original site.