386369 – (CVE-2011-2686) <dev-lang/ruby-1.8.7_p352: prng prediction (CVE-2011-{2686,2705})

Bug 386369 (CVE-2011-2686) - <dev-lang/ruby-1.8.7_p352: prng prediction (CVE-2011-{2686,2705})

Summary: <dev-lang/ruby-1.8.7_p352: prng prediction (CVE-2011-{2686,2705})

Status:	RESOLVED FIXED

Alias:	CVE-2011-2686

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2011-10-08 15:45 UTC by GLSAMaker/CVETool Bot
Modified:	2011-10-22 14:01 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2011-10-08 15:45:06 UTC

CVE-2011-2705 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2705):
  The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before
  1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for
  initialization, which makes it easier for context-dependent attackers to
  predict the result string by leveraging knowledge of random strings obtained
  in an earlier process with the same PID.


1.8.7_p352 is in tree, is it ok to go stable?

Comment 1 GLSAMaker/CVETool Bot gentoo-dev

2011-10-08 15:45:51 UTC

CVE-2011-2686 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2686):
  Ruby before 1.8.7-p352 does not reset the random seed upon forking, which
  makes it easier for context-dependent attackers to predict the values of
  random numbers by leveraging knowledge of the number sequence obtained in a
  different child process, a related issue to CVE-2003-0900.  NOTE: this issue
  exists because of a regression during Ruby 1.8.6 development.

Comment 2 Hans de Graaff gentoo-dev

2011-10-09 09:02:03 UTC

(In reply to comment #0)
> 
> 1.8.7_p352 is in tree, is it ok to go stable?

Should be fine. Please test and mark stable:

=dev-lang/ruby-1.8.7_p352

Comment 3 Agostino Sarubbo gentoo-dev

2011-10-09 09:51:26 UTC

amd64 ok

Comment 4 Markos Chandras (RETIRED) gentoo-dev

2011-10-09 15:27:20 UTC

amd64 done. Thanks Agostino

Comment 5 Ian Delaney (RETIRED) gentoo-dev

2011-10-09 15:38:03 UTC

better late than never

ditto

Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev

2011-10-09 17:42:56 UTC

ppc/ppc64 stable

Comment 7 Jeroen Roovers (RETIRED) gentoo-dev

2011-10-10 10:25:59 UTC

Stable for HPPA.

Comment 8 Andreas Schürch gentoo-dev

2011-10-14 08:27:30 UTC

x86 stable.

Comment 9 Markus Meier gentoo-dev

2011-10-15 22:14:59 UTC

arm stable

Comment 10 Raúl Porcel (RETIRED) gentoo-dev

2011-10-22 12:08:05 UTC

alpha/ia64/s390/sh/sparc stable

Comment 11 Tim Sammut (RETIRED) gentoo-dev

2011-10-22 13:48:36 UTC

Thanks, everyone. GLSA Vote: no.

Comment 12 Alex Legler (RETIRED) archtester

2011-10-22 14:01:27 UTC

NO too. Closing.