Bugzilla – Bug 945842
VUL-1: CVE-2015-5276 gcc: Predictable randomness from std::random_device
Last modified: 2017-09-07 22:37:27 UTC
rh#1262846

It was discovered that the std::random_device class in libstdc++ would not properly detect short reads and could return predictable values if applications used it to obtain randomness from a blocking source such as /dev/random.

References:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65142
https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=227687 (upstream commit)
https://bugzilla.redhat.com/show_bug.cgi?id=1262846
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5276
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5276
Note the upstream fix isn't complete/correct, waiting for sth better to appear.
bugbot adjusting priority
(In reply to Richard Biener from comment #1)
> Note the upstream fix isn't complete/correct, waiting for sth better to
> appear.

A second commit appeared:
https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=227687
https://gcc.gnu.org/viewcvs/gcc?view=revision&revision=227872
(https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65142#c11)

Does that cover the issue?
I've asked for confirmation (and backport). A pending update would need to cover the system C++ runtime, which is the one from GCC 5 on SLE11 SP4 + Updates (soon) and SLE12 + Updates. SLE11 SP3 + Update will have GCC 4.8 (soon). Remaining is LTSS SLE11 where some customers have the 4.8 runtime and some the original one.
This is an autogenerated message for OBS integration: This bug (945842) was mentioned in https://build.opensuse.org/request/show/337212 Factory / gcc5
SUSE-SU-2015:1833-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 945842,947772,947791,948168,949000
CVE References: CVE-2015-5276
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src): libgcj48-4.8.5-24.1
SUSE Linux Enterprise Software Development Kit 12 (src): gcc48-4.8.5-24.1, libffi48-4.8.5-24.1, libgcj48-4.8.5-24.1
SUSE Linux Enterprise Server 12 (src): gcc48-4.8.5-24.1, libffi48-4.8.5-24.1
SUSE Linux Enterprise Desktop 12 (src): gcc48-4.8.5-24.1, libgcj48-4.8.5-24.1
openSUSE-SU-2015:1946-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 945842,947772,947791,948168,949000
CVE References: CVE-2015-5276
Sources used:
openSUSE Leap 42.1 (src): cross-aarch64-gcc48-icecream-backend-4.8.5-18.2, cross-armv6hl-gcc48-icecream-backend-4.8.5-18.2, cross-armv7hl-gcc48-icecream-backend-4.8.5-18.2, cross-hppa-gcc48-icecream-backend-4.8.5-18.2, cross-i386-gcc48-icecream-backend-4.8.5-18.2, cross-ia64-gcc48-icecream-backend-4.8.5-18.2, cross-ppc-gcc48-icecream-backend-4.8.5-18.2, cross-ppc64-gcc48-icecream-backend-4.8.5-18.2, cross-ppc64le-gcc48-icecream-backend-4.8.5-18.2, cross-s390-gcc48-icecream-backend-4.8.5-18.2, cross-s390x-gcc48-icecream-backend-4.8.5-18.2, gcc48-4.8.5-18.1, gcc48-testresults-4.8.5-18.3, gdb-7.9.1-7.1, libffi48-4.8.5-18.1, libgcj48-4.8.5-18.1
Richi, can you provide a small test program that runs the code so we can verify it is fixed? (If it prints numbers and we can see different behaviour before/after, this would be ok.)
There is no way to do a small test program.

    #include <iostream>
    #include <string>
    #include <map>
    #include <random>
    #include <cstdlib>

    // Usage: prog <device> <count>, e.g. prog /dev/random 1000
    int main(int argc, char **argv)
    {
      if (argc < 3)
        return 1;
      std::random_device rd (argv[1]);      // the token names the source file, e.g. /dev/random
      std::map<int, int> hist;
      int num = std::atoi(argv[2]);
      for (int n = 0; n < num; ++n)
        ++hist[rd() % 10];                  // bucket each value by its low decimal digit
      for (auto p : hist)                   // print a histogram scaled to at most 100 stars
        std::cout << p.first << " : "
                  << std::string(p.second / (num < 100 ? 1 : num / 100), '*') << '\n';
    }

If you call that with /dev/random 1000 and make the program interrupt itself reliably during each rd() call, then you'd see a non-even distribution. But of course after the fix you simply see an unhandled exception. The question is how to reliably get the test program interrupted. Eventually it is enough for you to see the unhandled exception?

Anyway, a simple alarm() doesn't work:

    read(3, "\22\374\325\336", 4) = 4
    read(3, 0x7ffd6a98aebc, 4) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
    --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
    rt_sigreturn() = 0
    read(3, "C<\17\4", 4) = 4

It looks like all fopen files are opened blocking and read is always restartable? At least the reads from /dev/random block reliably...
One could establish the signal handler for SIGALRM via sigaction(2) without the SA_RESTART flag. Then read() should return -1 with EINTR. But I don't see how this can be reliably tested. Throwing signals in quick succession maybe, and then measuring the histogram for skew.
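The two comments above (the interrupted test program and the sigaction-without-SA_RESTART idea) in one runnable piece, added here and not part of the bug report or of libstdc++: a reader that ignores the byte count, as the pre-fix std::random_device did, beside one that retries EINTR and accumulates short reads until the word is complete. The entropy source is a constructed pipe writer in a forked child; the sentinel value, the four bytes and the helper names are made up for the demonstration.

```cpp
#include <cerrno>
#include <csignal>
#include <cstdint>
#include <unistd.h>

// Like the pre-fix std::random_device: one read(2) with its byte count ignored.
// On a short read the untouched bytes keep their stale value (a sentinel here).
static uint32_t read_word_naive(int fd) {
    uint32_t word = 0xDEADBEEFu;            // constructed stale content
    (void)::read(fd, &word, sizeof word);   // return value unchecked: the bug
    return word;
}

// What a correct reader must do: loop until exactly n bytes have arrived,
// retrying EINTR and accumulating short reads; false on EOF or a hard error.
static bool read_exact(int fd, void* buf, size_t n) {
    unsigned char* p = static_cast<unsigned char*>(buf);
    while (n > 0) {
        ssize_t got = ::read(fd, p, n);
        if (got < 0) { if (errno == EINTR) continue; return false; }
        if (got == 0) return false;         // EOF before the word was complete
        p += got; n -= static_cast<size_t>(got);
    }
    return true;
}

static void on_sigusr1(int) {}
// Constructed slow entropy source: a forked writer feeds 4 bytes through a pipe
// in two halves. With only_half it closes after the first half; otherwise it
// first interrupts the blocked reader with SIGUSR1 (handler without SA_RESTART).
static int start_writer(bool only_half) {
    static const unsigned char bytes[4] = {0x11, 0x22, 0x33, 0x44};
    struct sigaction sa = {};
    sa.sa_handler = on_sigusr1;             // sa_flags == 0: read() fails with EINTR
    sigaction(SIGUSR1, &sa, nullptr);
    int fds[2]; if (pipe(fds) != 0) return -1;
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) {                         // child: the writer
        close(fds[0]);
        if (write(fds[1], bytes, 2) != 2) _exit(1);
        if (!only_half) {
            usleep(20000); kill(getppid(), SIGUSR1);
            usleep(20000); if (write(fds[1], bytes + 2, 2) != 2) _exit(1);
        }
        close(fds[1]); _exit(0);
    }
    close(fds[1]);                          // parent keeps only the read end
    return fds[0];
}
```

With only_half the naive reader returns a word whose upper two bytes are the stale sentinel, which is the predictable-value failure the bug describes, while read_exact reports failure; with the full writer, read_exact survives the EINTR and the short read and returns the complete word.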
I was hoping for something simpler. Then we will probably not verify the fix currently and trust upstream fixed it correctly.
SUSE-SU-2016:0908-1: An update that solves one vulnerability and has 7 fixes is now available.

Category: security (moderate)
Bug References: 939460,945842,953831,955382,962765,964468,966220,968771
CVE References: CVE-2015-5276
Sources used:
SUSE Linux Enterprise Debuginfo 11-SP4 (src): gcc5-5.3.1+r233831-10.1, libffi-gcc5-5.3.1+r233831-10.1
Product List:
SUSE Linux Enterprise Debuginfo 11-SP4
SUSE-SU-2016:0908-2: An update that solves one vulnerability and has 7 fixes is now available.

Category: security (moderate)
Bug References: 939460,945842,953831,955382,962765,964468,966220,968771
CVE References: CVE-2015-5276
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): gcc5-5.3.1+r233831-10.1, libffi-gcc5-5.3.1+r233831-10.1
SUSE Linux Enterprise Server 11-SP4 (src): gcc5-5.3.1+r233831-10.1, libffi-gcc5-5.3.1+r233831-10.1
SUSE Linux Enterprise Desktop 11-SP4 (src): gcc5-5.3.1+r233831-10.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): gcc5-5.3.1+r233831-10.1, libffi-gcc5-5.3.1+r233831-10.1
Product List:
SUSE Linux Enterprise Software Development Kit 11-SP4
SUSE Linux Enterprise Server 11-SP4
SUSE Linux Enterprise Desktop 11-SP4
SUSE Linux Enterprise Debuginfo 11-SP4
Fixed where C++11 is supported.
SUSE-SU-2016:0963-1: An update that solves one vulnerability and has 9 fixes is now available.

Category: security (moderate)
Bug References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771
CVE References: CVE-2015-5276
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): gcc5-5.3.1+r233831-9.1
SUSE Linux Enterprise Server 12-SP1 (src): gcc5-5.3.1+r233831-9.1, libffi-gcc5-5.3.1+r233831-9.1
SUSE Linux Enterprise Server 12 (src): gcc5-5.3.1+r233831-9.1, libffi-gcc5-5.3.1+r233831-9.1
SUSE Linux Enterprise Module for Toolchain 12 (src): gcc5-5.3.1+r233831-9.1, libffi-gcc5-5.3.1+r233831-9.1
SUSE Linux Enterprise Desktop 12-SP1 (src): gcc5-5.3.1+r233831-9.1, libffi-gcc5-5.3.1+r233831-9.1
SUSE Linux Enterprise Desktop 12 (src): gcc5-5.3.1+r233831-9.1, libffi-gcc5-5.3.1+r233831-9.1
openSUSE-SU-2016:1069-1: An update that solves one vulnerability and has 9 fixes is now available.

Category: security (moderate)
Bug References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771
CVE References: CVE-2015-5276
Sources used:
openSUSE Leap 42.1 (src): gcc5-5.3.1+r233831-6.1, gcc5-testresults-5.3.1+r233831-6.2, libffi-gcc5-5.3.1+r233831-6.1
SUSE-SU-2017:0379-1: An update that solves one vulnerability and has 21 fixes is now available.

Category: security (moderate)
Bug References: 1011348,889990,899871,917169,919274,922534,924525,924687,930176,934689,945842,947772,947791,948168,949000,951644,955382,970009,976627,977654,981311,988274
CVE References: CVE-2015-5276
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): gcc48-4.8.5-4.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): gcc48-4.8.5-4.2
SUSE-SU-2017:2235-1: An update that fixes 51 vulnerabilities is now available.

Category: security (important)
Bug References: 1025108,1031485,1035082,1043960,930392,930496,935510,939460,945842,953831,954002,955382,962765,964468,966220,968771
CVE References: CVE-2015-5276,CVE-2016-10196,CVE-2017-5429,CVE-2017-5430,CVE-2017-5432,CVE-2017-5433,CVE-2017-5434,CVE-2017-5435,CVE-2017-5436,CVE-2017-5438,CVE-2017-5439,CVE-2017-5440,CVE-2017-5441,CVE-2017-5442,CVE-2017-5443,CVE-2017-5444,CVE-2017-5445,CVE-2017-5446,CVE-2017-5447,CVE-2017-5448,CVE-2017-5449,CVE-2017-5451,CVE-2017-5454,CVE-2017-5455,CVE-2017-5456,CVE-2017-5459,CVE-2017-5460,CVE-2017-5461,CVE-2017-5462,CVE-2017-5464,CVE-2017-5465,CVE-2017-5466,CVE-2017-5467,CVE-2017-5469,CVE-2017-5470,CVE-2017-5472,CVE-2017-7749,CVE-2017-7750,CVE-2017-7751,CVE-2017-7752,CVE-2017-7754,CVE-2017-7755,CVE-2017-7756,CVE-2017-7757,CVE-2017-7758,CVE-2017-7761,CVE-2017-7763,CVE-2017-7764,CVE-2017-7765,CVE-2017-7768,CVE-2017-7778
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): MozillaFirefox-52.2.0esr-72.5.2, mozilla-nss-3.29.5-47.3.2
SUSE Linux Enterprise Server 11-SP4 (src): MozillaFirefox-52.2.0esr-72.5.2, MozillaFirefox-branding-SLED-52-24.3.44, firefox-gcc5-5.3.1+r233831-7.1, firefox-libffi-gcc5-5.3.1+r233831-7.1, mozilla-nss-3.29.5-47.3.2
SUSE Linux Enterprise Server 11-SP3-LTSS (src): MozillaFirefox-52.2.0esr-72.5.2, MozillaFirefox-branding-SLED-52-24.3.44, firefox-gcc5-5.3.1+r233831-7.1, firefox-libffi-gcc5-5.3.1+r233831-7.1, mozilla-nss-3.29.5-47.3.2
SUSE Linux Enterprise Point of Sale 11-SP3 (src): MozillaFirefox-52.2.0esr-72.5.2, MozillaFirefox-branding-SLED-52-24.3.44, firefox-gcc5-5.3.1+r233831-7.1, firefox-libffi-gcc5-5.3.1+r233831-7.1, mozilla-nss-3.29.5-47.3.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): MozillaFirefox-52.2.0esr-72.5.2, mozilla-nss-3.29.5-47.3.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src): MozillaFirefox-52.2.0esr-72.5.2, firefox-gcc5-5.3.1+r233831-7.1, firefox-libffi-gcc5-5.3.1+r233831-7.1, mozilla-nss-3.29.5-47.3.2