Bug 251463 (CVE-2008-5659) - <dev-java/gnu-classpath-0.98-r1: gnu.java.security.util.PRNG produces easily predictable values (CVE-2008-5659)
Status: RESOLVED FIXED
Alias: CVE-2008-5659
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://gcc.gnu.org/bugzilla/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 296215
Blocks:
Reported: 2008-12-18 12:18 UTC by Robert Buchholz (RETIRED)
Modified: 2012-09-20 23:32 UTC (History)

Description Robert Buchholz (RETIRED) gentoo-dev 2008-12-18 12:18:53 UTC
Florian Weimer wrote:
The random number generator in the gnu.java.security.util.PRNG class
of GNU Classpath version 0.97.2 and earlier produces only a limited
number of distinct byte streams, which may lead to guessable
cryptographic key material and similar vulnerabilities.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-12-18 16:33:07 UTC
CVE-2008-5659 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5659):
  The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and
  earlier uses a predictable seed based on the system time, which makes
  it easier for context-dependent attackers to conduct brute force
  attacks against cryptographic routines that use this class for
  randomness, as demonstrated against DSA private keys.
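
Added example, not part of the bug report and not GNU Classpath code: a small audit showing why a clock-derived seed caps the number of distinct byte streams regardless of output length, next to the same number of draws from `java.security.SecureRandom`. `java.util.Random` is used as an assumed stand-in for the time-seeded generator, and the class name, timestamp and window size are constructed for illustration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Random;
import java.util.Set;

public class SeedSpaceAudit {
    static final int KEY_BYTES = 20; // 160 bits of key material per draw

    // Assumed stand-in for a generator seeded from the clock; it is not
    // gnu.java.security.util.PRNG, only the same seeding pattern.
    static byte[] timeSeeded(long seedMillis) {
        byte[] out = new byte[KEY_BYTES];
        new Random(seedMillis).nextBytes(out);
        return out;
    }

    // Count distinct outputs when the seed is any millisecond in the window.
    static int distinctTimeSeeded(long startMillis, int windowMillis) {
        Set<String> seen = new HashSet<>();
        for (int i = 0; i < windowMillis; i++) {
            seen.add(Base64.getEncoder().encodeToString(timeSeeded(startMillis + i)));
        }
        return seen.size();
    }

    // Same number of draws from the platform CSPRNG, for comparison.
    static int distinctSecureRandom(int draws) {
        SecureRandom rng = new SecureRandom();
        Set<String> seen = new HashSet<>();
        byte[] out = new byte[KEY_BYTES];
        for (int i = 0; i < draws; i++) {
            rng.nextBytes(out);
            seen.add(Base64.getEncoder().encodeToString(out));
        }
        return seen.size();
    }

    public static void main(String[] args) {
        long start = 1229602733000L; // constructed sample timestamp (ms)
        int window = 60_000;         // clock known to within one minute
        int n = distinctTimeSeeded(start, window);
        System.out.printf("time-seeded: %d streams, at most %.1f bits%n",
                n, Math.log(window) / Math.log(2));
        System.out.println("same seed, same bytes: "
                + Arrays.equals(timeSeeded(start), timeSeeded(start)));
        System.out.println("SecureRandom distinct draws: " + distinctSecureRandom(window));
    }
}
```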

Comment 2 Ralph Sennhauser (RETIRED) gentoo-dev 2012-09-20 08:31:20 UTC
This was fixed in 0.98, the only ebuild in tree is gnu-classpath-0.98-r3. Please proceed, thanks.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-20 12:29:37 UTC
Wow. Stabilization was completed 2+ years ago in bug 296215. 

GLSA vote: no.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-09-20 23:32:33 UTC
GLSA Vote: no too. Closing.