Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 251463 (CVE-2008-5659)

Summary: <dev-java/gnu-classpath-0.98-r1: gnu.java.security.util.PRNG produces easily predictable values (CVE-2008-5659)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: gnu_andrew, java
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38417
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 296215    
Bug Blocks:    

Description Robert Buchholz (RETIRED) gentoo-dev 2008-12-18 12:18:53 UTC
Florian Weimer wrote:
The random number generator in the gnu.java.security.util.PRNG class
of GNU Classpath version 0.97.2 and earlier produces only a limited
number of distinct byte streams, which may lead to guessable
cryptographic key material and similar vulnerabilities.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-12-18 16:33:07 UTC
CVE-2008-5659 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5659):
  The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and
  earlier uses a predictable seed based on the system time, which makes
  it easier for context-dependent attackers to conduct brute force
  attacks against cryptographic routines that use this class for
  randomness, as demonstrated against DSA private keys.

Comment 2 Ralph Sennhauser (RETIRED) gentoo-dev 2012-09-20 08:31:20 UTC
This was fixed in 0.98, the only ebuild in tree is gnu-classpath-0.98-r3. Please proceed, thanks.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-20 12:29:37 UTC
Wow. Stabilization was completed 2+ years ago in bug 296215. 

GLSA vote: no.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-09-20 23:32:33 UTC
GLSA Vote: no too. Closing.