From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Tapas Kundu <39723251+tapakund@users.noreply.github.com>

Date: Wed, 1 Jul 2020 01:00:22 +0530

Subject: [PATCH] 00352: Resolve hash collisions for IPv4Interface and

 IPv6Interface

CVE-2020-14422

The hash() methods of classes IPv4Interface and IPv6Interface had issue

of generating constant hash values of 32 and 128 respectively causing hash collisions.

The fix uses the hash() function to generate hash values for the objects

instead of XOR operation.

Fixed upstream: https://bugs.python.org/issue41004

---

 Lib/ipaddress.py                                      |  4 ++--

 Lib/test/test_ipaddress.py                            | 11 +++++++++++

 .../Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst |  1 +

 3 files changed, 14 insertions(+), 2 deletions(-)

 create mode 100644 Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst

diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py

index 583f02ad54..98492136ca 100644

--- a/Lib/ipaddress.py

+++ b/Lib/ipaddress.py

@@ -1418,7 +1418,7 @@ class IPv4Interface(IPv4Address):

             return False

     def __hash__(self):

-        return self._ip ^ self._prefixlen ^ int(self.network.network_address)

+        return hash((self._ip, self._prefixlen, int(self.network.network_address)))

     __reduce__ = _IPAddressBase.__reduce__

@@ -2092,7 +2092,7 @@ class IPv6Interface(IPv6Address):

             return False

     def __hash__(self):

-        return self._ip ^ self._prefixlen ^ int(self.network.network_address)

+        return hash((self._ip, self._prefixlen, int(self.network.network_address)))

     __reduce__ = _IPAddressBase.__reduce__

diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py

index 1cef4217bc..7de444af4a 100644

--- a/Lib/test/test_ipaddress.py

+++ b/Lib/test/test_ipaddress.py

@@ -1990,6 +1990,17 @@ class IpaddrUnitTest(unittest.TestCase):

                          sixtofouraddr.sixtofour)

         self.assertFalse(bad_addr.sixtofour)

+    # issue41004 Hash collisions in IPv4Interface and IPv6Interface

+    def testV4HashIsNotConstant(self):

+        ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")

+        ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")

+        self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__())

+

+    # issue41004 Hash collisions in IPv4Interface and IPv6Interface

+    def testV6HashIsNotConstant(self):

+        ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")

+        ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")

+        self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__())

 if __name__ == '__main__':

     unittest.main()

diff --git a/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst

new file mode 100644

index 0000000000..f5a9db52ff

--- /dev/null

+++ b/Misc/NEWS.d/next/Security/2020-06-29-16-02-29.bpo-41004.ovF0KZ.rst

@@ -0,0 +1 @@

+CVE-2020-14422: The __hash__() methods of  ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).