NotificationsYou must be signed in to change notification settings
Fork32k
Star67.2k

gh-134062: Fix hash collisions in IPv4Network and IPv6Network#134063

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Merged

gpshead merged 2 commits intopython:mainfrommssalvatore:fix-network-hash-collisions

May 22, 2025

Merged

gh-134062: Fix hash collisions in IPv4Network and IPv6Network#134063

gpshead merged 2 commits intopython:mainfrommssalvatore:fix-network-hash-collisions

May 22, 2025

Conversation

Copy link

Contributor

mssalvatore commentedMay 15, 2025•
edited by bedevere-appbot
Loading

Issue:Excessive hash collisions in IPv4Network and IPv6Network classes #134062

bedevere-appbot mentioned this pull request

May 15, 2025

Excessive hash collisions in IPv4Network and IPv6Network classes#134062

Open

mssalvatore marked this pull request as ready for review

May 15, 2025 18:49

bedevere-appbot added the awaiting review label

May 15, 2025

picnixz reviewed

May 15, 2025

View reviewed changes

Misc/NEWS.d/next/Library/2025-05-15-14-27-01.gh-issue-134062.fRbJet.rst OutdatedShow resolvedHide resolved

picnixz reviewed

May 15, 2025

View reviewed changes

Copy link

Member

picnixz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Ideally, a regression test would be good buthash() is an implementation detail, making it CPython-only (I don't know how PyPy and co implement it), and if we don't already have a test for the similar issue you found, there's no need for one.

picnixz added needs backport to 3.13

bugs and security fixes

needs backport to 3.14bugs and security fixes labels

May 15, 2025

Copy link

ContributorAuthor

mssalvatore commentedMay 16, 2025

Ideally, a regression test would be good buthash() is an implementation detail, making it CPython-only (I don't know how PyPy and co implement it), and if we don't already have a test for the similar issue you found, there's no need for one.

I can add a regression test.

Copy link

Member

picnixz commentedMay 16, 2025

I can add a regression test.

Let's add a test where we manually craft the values that are hashed. I'm however unsure whetherhash((X, Y)) where X and Y are known to be ints is always stable. For strings and bytes, this is not the case due to security reasons, but for ints, Ithink it's stable but I cannot say for sure that it's the case.

If there wasn't a test introduced for the previous CVE, just don't bother with a test.

mssalvatore force-pushed thefix-network-hash-collisions branch fromeeabe2a to264bf69Compare

May 16, 2025 14:08

Copy link

ContributorAuthor

mssalvatore commentedMay 16, 2025

If there wasn't a test introduced for the previous CVE, just don't bother with a test.

These tests were introduced for the previous CVE:

cpython/Lib/test/test_ipaddress.py

Lines 2753 to 2763 in62f66ca

	# issue41004 Hash collisions in IPv4Interface and IPv6Interface
	deftestV4HashIsNotConstant(self):
	ipv4_address1=ipaddress.IPv4Interface("1.2.3.4")
	ipv4_address2=ipaddress.IPv4Interface("2.3.4.5")
	self.assertNotEqual(ipv4_address1.__hash__(),ipv4_address2.__hash__())

	# issue41004 Hash collisions in IPv4Interface and IPv6Interface
	deftestV6HashIsNotConstant(self):
	ipv6_address1=ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
	ipv6_address2=ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
	self.assertNotEqual(ipv6_address1.__hash__(),ipv6_address2.__hash__())