Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in gcc-4.8

Do your applications use this vulnerable package? Test your applications

Overview

Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.

References

Debian Security Tracker
OSS security Advisory
RHSA Security Advisory
Security Focus
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80180
https://gcc.gnu.org/ml/gcc-patches/2017-03/msg01349.html

Attack Vector

Local
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

Low
Integrity

None
Availability

None

CVE: CVE-2017-11671
CWE: CWE-338
Snyk ID: SNYK-DEBIAN8-GCC48-309214
Disclosed: 26 Jul, 2017
Published: 26 Jul, 2017

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Affecting gcc-4.8 package, versions *

Overview

References

CVSS Score

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Affecting gcc-4.8 package, versions *

Overview

References

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Affecting gcc-4.8 package, versions *