Bug 249398 (CVE-2008-5162) - sys-freebsd/freebsd-sources-6.3 arc4random improper entropy source (CVE-2008-5162)
Status: RESOLVED FIXED
Alias: CVE-2008-5162
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo/BSD Team
URL: http://security.freebsd.org/advisorie...
Whiteboard: ~4 [ebuild]
Reported: 2008-11-30 15:45 UTC by Stefan Behte (RETIRED)
Modified: 2009-01-08 19:13 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-30 15:45:26 UTC
CVE-2008-5162 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5162):
  The arc4random function in the kernel in FreeBSD 6.3 through 7.1 does
  not have a proper entropy source for a short time period immediately
  after boot, which makes it easier for attackers to predict the
  function's return values and conduct certain attacks against the GEOM
  framework and various network protocols, related to the Yarrow random
  number generator.
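The description above states the failure mode (a generator seeded before any real entropy exists yields predictable output) but not why that is exploitable in practice. The following is an added illustration written for this page, not the FreeBSD kernel's arc4random implementation and not part of this bug or its fix: a toy RC4-based generator in the style of arc4random is keyed from a hypothetical 16-bit "early-boot" seed, and an attacker who observes two outputs (say, leaked through a protocol field) brute-forces that seed space, resynchronises a local copy of the generator, and predicts the next output. WEAK_SEED_BITS, seed_from_weak_source and the 0x2a5c seed are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Minimal RC4 state. A classic arc4random is an RC4 keystream generator,
 * which is why the name is used here; this is an added illustration, not
 * the FreeBSD kernel implementation. */
typedef struct {
    uint8_t s[256];
    uint8_t i, j;
} rc4_t;

/* Key-scheduling algorithm: permute S under the key bytes. */
static void rc4_init(rc4_t *r, const uint8_t *key, size_t klen)
{
    uint8_t j = 0;
    for (int k = 0; k < 256; k++)
        r->s[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + r->s[k] + key[k % klen]);
        uint8_t t = r->s[k]; r->s[k] = r->s[j]; r->s[j] = t;
    }
    r->i = 0;
    r->j = 0;
}

/* Pseudo-random generation algorithm: one keystream byte. */
static uint8_t rc4_byte(rc4_t *r)
{
    r->i = (uint8_t)(r->i + 1);
    r->j = (uint8_t)(r->j + r->s[r->i]);
    uint8_t t = r->s[r->i]; r->s[r->i] = r->s[r->j]; r->s[r->j] = t;
    return r->s[(uint8_t)(r->s[r->i] + r->s[r->j])];
}

/* Hypothetical weak seed: 16 bits of state standing in for the predictable
 * values available right after boot, before the entropy pool is seeded. */
#define WEAK_SEED_BITS 16
#define WEAK_SEED_SPACE (1u << WEAK_SEED_BITS)

static void seed_from_weak_source(rc4_t *r, uint32_t weak_seed)
{
    uint8_t key[4] = {
        (uint8_t)(weak_seed >> 24), (uint8_t)(weak_seed >> 16),
        (uint8_t)(weak_seed >> 8),  (uint8_t)weak_seed
    };
    rc4_init(r, key, sizeof key);
}

/* 32-bit output assembled from four keystream bytes, like arc4random(9). */
static uint32_t toy_arc4random(rc4_t *r)
{
    uint32_t v = 0;
    for (int k = 0; k < 4; k++)
        v = (v << 8) | rc4_byte(r);
    return v;
}

/* Attacker side: from two observed outputs, brute-force the seed space,
 * resynchronise a local generator and predict the next output.
 * Matching on 64 observed bits keeps accidental seed collisions negligible.
 * Returns 1 on success, 0 if no seed in the space reproduces the outputs. */
static int recover_next_output(uint32_t obs1, uint32_t obs2, uint32_t *next)
{
    for (uint32_t s = 0; s < WEAK_SEED_SPACE; s++) {
        rc4_t r;
        seed_from_weak_source(&r, s);
        if (toy_arc4random(&r) != obs1)
            continue;
        if (toy_arc4random(&r) != obs2)
            continue;
        *next = toy_arc4random(&r);
        return 1;
    }
    return 0;
}

/* Victim seeds from secret_seed; the attacker sees only the first two
 * outputs. Returns 1 if the prediction equals the victim's third output. */
static int attacker_predicts(uint32_t secret_seed)
{
    rc4_t victim;
    seed_from_weak_source(&victim, secret_seed & (WEAK_SEED_SPACE - 1));
    uint32_t o1 = toy_arc4random(&victim);
    uint32_t o2 = toy_arc4random(&victim);
    uint32_t truth = toy_arc4random(&victim);

    uint32_t guess;
    if (!recover_next_output(o1, o2, &guess))
        return 0;
    return guess == truth;
}

int main(void)
{
    uint32_t seed = 0x2a5c; /* constructed "boot-time" seed for the demo */
    printf("prediction %s\n", attacker_predicts(seed) ? "succeeded" : "failed");
    return 0;
}
```

The point of the example is the size of the search, not RC4 itself: with the seed drawn from a space an attacker can enumerate, every later output is recoverable from a handful of observed values, which is what makes early-boot consumers of the generator (the GEOM framework and network protocols named in the description) attackable. Reseeding from a properly seeded entropy source removes the enumerable space.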
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-30 15:48:21 UTC
http://www.gentoo.org/security/en/vulnerability-policy.xml does not list BSD; still, I thought it would be OK to let BSD know about this. I looked at the code; it seems 6.2 also needs the patch.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-04 02:39:45 UTC
According to the Gentoo Linux Vulnerability Treatment Policy, we're not handling freebsd bugs, closing.
Comment 3 Alexis Ballier gentoo-dev 2009-01-04 13:39:26 UTC
(In reply to comment #2)
> According to the Gentoo Linux Vulnerability Treatment Policy, we're not
> handling freebsd bugs, closing.

Still, that's not fixed...
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-04 16:22:31 UTC
Sorry, I handled this wrong. It needs to be fixed, too, of course.
Comment 5 Alexis Ballier gentoo-dev 2009-01-08 18:36:56 UTC
Fixed now in sources-6.2-r5.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-08 19:13:27 UTC
Thanks!