Bug 200959 (CVE-2007-6150)

Summary: sys-freebsd/freebsd-sources Random value disclosure (CVE-2007-6150)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: bsd+disabled, uberlord
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://security.freebsd.org/advisories/FreeBSD-SA-07:09.random.asc
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2007-12-01 21:47:09 UTC
CVE-2007-6150 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6150):
  The "internal state tracking" code for the random and urandom devices in
  FreeBSD 5.5, 6.1 through 6.3, and 7.0 beta 4 allows local users to obtain
  portions of previously-accessed random values, which could be leveraged to
  bypass protection mechanisms that rely on secrecy of those values.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-12-01 21:48:11 UTC
BSD herd, please advise.
Comment 2 Roy Marples (RETIRED) gentoo-dev 2007-12-04 22:42:52 UTC
Patch is trivial and should be applied. However, it's probably not that essential as it does require local access.
Comment 3 Alexis Ballier gentoo-dev 2008-05-17 19:55:00 UTC
6.2-r4 has the patch

Funnily enough, we all know these days how having a good source of randomness is important ;)
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-17 20:36:13 UTC
Thanks, closing. Also, don't forget to remove vulnerable versions.