Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 611354 (CVE-2017-2626) - <x11-libs/libICE-1.0.9-r1: weak entropy usage in session keys
Summary: <x11-libs/libICE-1.0.9-r1: weak entropy usage in session keys
Status: RESOLVED FIXED
Alias: CVE-2017-2626
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal critical (vote)
Assignee: Gentoo Security
URL: https://www.x41-dsec.de/lab/advisorie...
Whiteboard: A1 [glsa cve]
Keywords:
Depends on: 611056
Blocks:
  Show dependency tree
 
Reported: 2017-03-02 00:13 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-04-10 21:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-02 00:13:22 UTC 
libICE depends on arc4random() as well to generate the session cookies, thereby falling back to the same weak mechanism as libXdmcp (bug 611352).
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-02 00:14:54 UTC 
We will have to check, most Gentoo architectures shouldn't be affected due to

> elibc_glibc? ( dev-libs/libbsd )
Comment 2 Matt Turner gentoo-dev 2017-03-02 03:26:34 UTC 
libICE-1.0.9-r1 depends on libbsd, but it is not stabilized yet. We will need to do that.
Comment 3 Matt Turner gentoo-dev 2017-03-04 16:13:24 UTC 
Stabilization will be handled in bug 611056.
Comment 4 Matt Turner gentoo-dev 2017-03-16 16:13:47 UTC 
Vulnerable versions dropped:

commit 8bd3d32950f98d616d97c0df66a841eb5c6f7f0c
Author: Matt Turner <mattst88@gentoo.org>
Date:   Thu Mar 16 09:11:52 2017 -0700

    x11-libs/libICE: Drop vulnerable versions.
    
    Bug: https://bugs.gentoo.org/611354
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-18 13:14:44 UTC 
New GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-04-10 21:36:17 UTC 
This issue was resolved and addressed in
 GLSA 201704-03 at https://security.gentoo.org/glsa/201704-03
by GLSA coordinator Kristian Fiskerstrand (K_F).