Dave Malcolm <dmalc...@redhat.com> added the comment:

On Mon, 2012-02-06 at 23:00 +0000, Marc-Andre Lemburg wrote:
> Marc-Andre Lemburg <m...@egenix.com> added the comment:
>
> Alex Gaynor wrote:
> > There's no need to cover any container types, because if their constituent
> > types are securely hashable then they will be as well. And of course if
> > the constituent types are unsecure then they're directly vulnerable.
>
> I wouldn't necessarily take that for granted: since container
> types usually calculate their hash based on the hashes of their
> elements, it's possible that a clever combination of elements
> could lead to a neutralization of the hash seed used by
> the elements, thereby reenabling the original attack on the
> unprotected interpreter.
>
> Still, because we have far more vulnerable hashable types out there,
> trying to find such an attack doesn't really make practical
> sense, so protecting containers is indeed not as urgent :-)

FWIW, I'm still awaiting review of my patches. I don't believe
Marc-Andre's concerns are a sufficient rebuttal to the approach I've
taken.

If anyone is aware of an attack via numeric hashing that's actually
possible, please let me know (privately). I believe only specific apps
could be affected, and I'm not aware of any such specific apps.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue13703>
_______________________________________