|author||Giuseppe D'Angelo <firstname.lastname@example.org>||2012-03-24 08:50:02 +0000|
|committer||Qt by Nokia <email@example.com>||2012-04-04 13:02:58 +0200|
QHash security fix (1.5/2): qHash two arguments overload support
Algorithmic complexity attacks against hash tables have been known since 2003 (cf. [1, 2]), and they have been left unpatched for years until the 2011 attacks  against many libraries / (reference) implementations of programming languages. This patch adds a qHash overload taking two arguments: the value to be hashed, and a uint to be used as a seed for the hash function itself (support the global QHash seed was added in a previous patch). The seed itself is not used just yet; instead, 0 is passed. Compatibility with the one-argument qHash(T) implementation is kept through a catch-all template.  http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf  http://perldoc.perl.org/perlsec.html#Algorithmic-Complexity-Attacks  http://www.ocert.org/advisories/ocert-2011-003.html Task-number: QTBUG-23529 Change-Id: I1d0a84899476d134db455418c8043a349a7e5317 Reviewed-by: João Abecasis <firstname.lastname@example.org>
Diffstat (limited to 'dist')
1 files changed, 4 insertions, 0 deletions
diff --git a/dist/changes-5.0.0 b/dist/changes-5.0.0
index 1258792029..cfb83a4093 100644
@@ -346,6 +346,10 @@ QtCore
* QEvent::AccessibilityPrepare, AccessibilityHelp and AccessibilityDescription removed:
* The enum values simply didn't make sense in the first place and should simply be dropped.
+* [QTBUG-23529] QHash is now more resilient to a family of denial of service
+ attacks exploiting algorithmic complexity, by supporting two-arguments overloads
+ of the qHash() hashing function.
* Accessibility has been refactored. The hierachy of accessible objects is implemented via