Bug 626318 (CVE-2017-11671)

Summary:	<sys-devel/gcc-{5.5,6.4}: Incorrect codegen from rdseed intrinsic use (CVE-2017-11671)
Product:	Gentoo Security	Reporter:	Christopher Díaz Riveros (RETIRED) <chrisadr>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	nobrowser, toolchain
Priority:	Normal	Keywords:	PATCH
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80180
Whiteboard:	A4 [noglsa]
Package list:		Runtime testing required:	---

Description Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-07-27 02:39:56 UTC

From URL:

Patch was posted here: https://gcc.gnu.org/ml/gcc-patches/2017-03/msg01349.html

References:

https://nvd.nist.gov/vuln/detail/CVE-2017-11671

Comment 1 Andreas K. Hüttel archtester

2017-12-09 21:34:15 UTC

Fixed upstream in 6.4, 7.1 and later

Comment 2 Yury German Gentoo Infrastructure

2019-03-27 22:41:35 UTC

CVE ID: CVE-2017-11671
   Summary: Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.

Maintainers, please advised if this is fixed in tree!

Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev

2019-12-29 14:45:11 UTC

Yes. All non-masked versions are gcc-6.5.0 and above. All contain a fix.

Comment 4 Sam James archtester

2020-06-11 21:43:58 UTC

Clean since 2019-10-28 for gcc 4.x (it seems): https://gitweb.gentoo.org/repo/gentoo.git/commit/sys-devel/gcc?id=d9649766ab2893de8586d88215a846275615bd72

And the others were removed a while before that. So closing.