CVE-2008-2108

Publication date 7 May 2008

Last updated 24 July 2024

Ubuntu priority

Low

Why this priority?

Cvss 3 Severity Score

9.8 · Critical

Score breakdown

The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force attacks against protection mechanisms that use the rand and mt_rand functions.

Status

Package Ubuntu Release Status
php5 8.04 LTS hardy
Fixed 5.2.4-2ubuntu5.3
7.10 gutsy
Fixed 5.2.3-1ubuntu6.4
7.04 feisty
Fixed 5.2.1-0ubuntu1.6
6.06 LTS dapper
Fixed 5.1.2-1ubuntu3.12

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
php5

Severity score breakdown

Parameter Value
Base score 9.8 · Critical
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

Other references