Bug 200959 (CVE-2007-6150) - sys-freebsd/freebsd-sources Random value disclosure (CVE-2007-6150)
Summary: sys-freebsd/freebsd-sources Random value disclosure (CVE-2007-6150)
Status: RESOLVED FIXED
Alias: CVE-2007-6150
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://security.freebsd.org/advisorie...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-12-01 21:47 UTC by Robert Buchholz (RETIRED)
Modified: 2008-05-17 20:36 UTC

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2007-12-01 21:47:09 UTC
CVE-2007-6150 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6150):
  The "internal state tracking" code for the random and urandom devices in
  FreeBSD 5.5, 6.1 through 6.3, and 7.0 beta 4 allows local users to obtain
  portions of previously-accessed random values, which could be leveraged to
  bypass protection mechanisms that rely on secrecy of those values.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-12-01 21:48:11 UTC
BSD herd, please advise.
Comment 2 Roy Marples (RETIRED) gentoo-dev 2007-12-04 22:42:52 UTC
Patch is trivial and should be applied. However it's probably not that essential as it does require local access.
Comment 3 Alexis Ballier gentoo-dev 2008-05-17 19:55:00 UTC
6.2-r4 has the patch

Funnily enough, we all know these days how having a good source of randomness is important ;)
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-17 20:36:13 UTC
Thanks, closing. Also, don't forget to remove vulnerable versions.