CVSS2 metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector string | AV:N/AC:L/Au:N/C:P/I:N/A:N |

EPSS | Value |
---|---|
Percentile | 70.2% |
The std::random_device class in libstdc++ in the GNU Compiler Collection
(aka GCC) before 4.9.4 does not properly handle short reads from blocking
sources, which makes it easier for context-dependent attackers to predict
the random values via unspecified vectors.
Author | Note |
---|---|
tyhicks | Note that upstream revision 227687 is incomplete/incorrect. See msg01050.html for a more complete patch that is undergoing review. In gcc-4.7 through gcc-4.8, the code in question exists at libstdc++-v3/include/tr1/random.h and libstdc++-v3/include/bits/random.h. In gcc-4.4, the code in question exists at libstdc++-v3/include/tr1_impl/random |
sbeattie | Note that for versions where the random_device() code in question is in a header file, this means that it's compiled into the binaries built against libstdc++, which would need to be rebuilt to get the fixed version. Upstream commits (so far) are listed under the gcc-snapshots package. Corresponding git commits are: 84bb4e67d45a8921cedd2ef64fe3cffd9ee72f44, 8efb09c4325785a5e7d11d05c5aadc74d2a49887, fd16f36d1986fbbb9f802b3649e543f3f41227ea. gcc-opt is just a wrapper around gcc, not affected. |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 14.04 | noarch | gcc-4.7 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | gcc-4.7 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | gcc-4.7-armel-cross | < any | UNKNOWN |
ubuntu | 16.04 | noarch | gcc-4.7-armhf-cross | < any | UNKNOWN |
ubuntu | 18.04 | noarch | gcc-4.8 | < any | UNKNOWN |
ubuntu | 14.04 | noarch | gcc-4.8 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | gcc-4.8 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | gcc-4.8-arm64-cross | < any | UNKNOWN |
ubuntu | 16.04 | noarch | gcc-4.8-armhf-cross | < any | UNKNOWN |
ubuntu | 16.04 | noarch | gcc-4.8-powerpc-cross | < any | UNKNOWN |