gh-134062: Fix hash collisions in IPv4Network and IPv6Network

[mssalvatore]

• Issue: Excessive hash collisions in IPv4Network and IPv6Network classes #134062

[picnixz]

Ideally, a regression test would be good but hash() is an implementation detail, making it CPython-only (I don't know how PyPy and co implement it), and if we don't already have a test for the similar issue you found, there's no need for one.

[mssalvatore]

Ideally, a regression test would be good but hash() is an implementation detail, making it CPython-only (I don't know how PyPy and co implement it), and if we don't already have a test for the similar issue you found, there's no need for one.

I can add a regression test.

[picnixz]

I can add a regression test.

Let's add a test where we manually craft the values that are hashed. I'm however unsure whether hash((X, Y)) where X and Y are known to be ints is always stable. For strings and bytes, this is not the case due to security reasons, but for ints, I think it's stable but I cannot say for sure that it's the case.

If there wasn't a test introduced for the previous CVE, just don't bother with a test.

[mssalvatore]

If there wasn't a test introduced for the previous CVE, just don't bother with a test.

These tests were introduced for the previous CVE:

cpython/Lib/test/test_ipaddress.py

Lines 2753 to 2763 in 62f66ca

	# issue41004 Hash collisions in IPv4Interface and IPv6Interface
	def testV4HashIsNotConstant(self):
	ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4")
	ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5")
	self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__())
	# issue41004 Hash collisions in IPv4Interface and IPv6Interface
	def testV6HashIsNotConstant(self):
	ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1")
	ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2")
	self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__())

I added some tests in a separate commit. Feel free to drop it if you don't think the tests are valuable.

[bedevere-bot]

🤖 New build scheduled with the buildbot fleet by @gpshead for commit 492c579 🤖

Results will be shown at:

https://buildbot.python.org/all/#/grid?branch=refs%2Fpull%2F134063%2Fmerge

If you want to schedule another build, you need to add the 🔨 test-with-buildbots label again.

[miss-islington-app]

Thanks @mssalvatore for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.9, 3.10, 3.11, 3.12, 3.13, 3.14.
🐍🍒⛏🤖

[bedevere-app]

GH-134476 is a backport of this pull request to the 3.14 branch.

[bedevere-app]

GH-134477 is a backport of this pull request to the 3.13 branch.

[bedevere-app]

GH-134478 is a backport of this pull request to the 3.12 branch.

[bedevere-app]

GH-134479 is a backport of this pull request to the 3.11 branch.

[bedevere-app]

GH-134480 is a backport of this pull request to the 3.10 branch.

[bedevere-app]

GH-134481 is a backport of this pull request to the 3.9 branch.