OpenSuSE has issued an advisory on November 10:
http://lists.opensuse.org/opensuse-updates/2015-11/msg00054.html

The issue is fixed upstream in 4.9.4 and 5.3, and in commits linked from the upstream bug:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65142
SRPM:
gcc-4.9.2-4.1.mga5.src.rpm

i586:
gcc-4.9.2-4.1.mga5.i586.rpm
gcc-c++-4.9.2-4.1.mga5.i586.rpm
gcc-cpp-4.9.2-4.1.mga5.i586.rpm
gcc-doc-4.9.2-4.1.mga5.noarch.rpm
gcc-doc-pdf-4.9.2-4.1.mga5.noarch.rpm
gcc-gfortran-4.9.2-4.1.mga5.i586.rpm
gcc-gnat-4.9.2-4.1.mga5.i586.rpm
gcc-java-4.9.2-4.1.mga5.i586.rpm
gcc-objc-4.9.2-4.1.mga5.i586.rpm
gcc-objc++-4.9.2-4.1.mga5.i586.rpm
gcc-plugins-4.9.2-4.1.mga5.i586.rpm
gcj-tools-4.9.2-4.1.mga5.i586.rpm
libasan1-4.9.2-4.1.mga5.i586.rpm
libasan-devel-4.9.2-4.1.mga5.i586.rpm
libatomic1-4.9.2-4.1.mga5.i586.rpm
libatomic-devel-4.9.2-4.1.mga5.i586.rpm
libcilkrts5-4.9.2-4.1.mga5.i586.rpm
libcilkrts-devel-4.9.2-4.1.mga5.i586.rpm
libgcc1-4.9.2-4.1.mga5.i586.rpm
libgcj15-4.9.2-4.1.mga5.i586.rpm
libgcj15-base-4.9.2-4.1.mga5.i586.rpm
libgcj15-src-4.9.2-4.1.mga5.i586.rpm
libgcj_bc1-4.9.2-4.1.mga5.i586.rpm
libgcj-devel-4.9.2-4.1.mga5.i586.rpm
libgcj-static-devel-4.9.2-4.1.mga5.i586.rpm
libgfortran3-4.9.2-4.1.mga5.i586.rpm
libgnat1-4.9.2-4.1.mga5.i586.rpm
libgomp1-4.9.2-4.1.mga5.i586.rpm
libgomp-devel-4.9.2-4.1.mga5.i586.rpm
libitm1-4.9.2-4.1.mga5.i586.rpm
libitm-devel-4.9.2-4.1.mga5.i586.rpm
libobjc4-4.9.2-4.1.mga5.i586.rpm
libquadmath0-4.9.2-4.1.mga5.i586.rpm
libquadmath-devel-4.9.2-4.1.mga5.i586.rpm
libstdc++6-4.9.2-4.1.mga5.i586.rpm
libstdc++-devel-4.9.2-4.1.mga5.i586.rpm
libstdc++-docs-4.9.2-4.1.mga5.noarch.rpm
libstdc++-static-devel-4.9.2-4.1.mga5.i586.rpm
libubsan0-4.9.2-4.1.mga5.i586.rpm
libubsan-devel-4.9.2-4.1.mga5.i586.rpm
libvtv0-4.9.2-4.1.mga5.i586.rpm
libvtv-devel-4.9.2-4.1.mga5.i586.rpm

x86_64:
gcc-4.9.2-4.1.mga5.x86_64.rpm
gcc-c++-4.9.2-4.1.mga5.x86_64.rpm
gcc-cpp-4.9.2-4.1.mga5.x86_64.rpm
gcc-doc-4.9.2-4.1.mga5.noarch.rpm
gcc-doc-pdf-4.9.2-4.1.mga5.noarch.rpm
gcc-gfortran-4.9.2-4.1.mga5.x86_64.rpm
gcc-gnat-4.9.2-4.1.mga5.x86_64.rpm
gcc-java-4.9.2-4.1.mga5.x86_64.rpm
gcc-objc-4.9.2-4.1.mga5.x86_64.rpm
gcc-objc++-4.9.2-4.1.mga5.x86_64.rpm
gcc-plugins-4.9.2-4.1.mga5.x86_64.rpm
gcj-tools-4.9.2-4.1.mga5.x86_64.rpm
lib64gcj15-4.9.2-4.1.mga5.x86_64.rpm
lib64gcj_bc1-4.9.2-4.1.mga5.x86_64.rpm
lib64gcj-devel-4.9.2-4.1.mga5.x86_64.rpm
lib64gcj-static-devel-4.9.2-4.1.mga5.x86_64.rpm
libasan1-4.9.2-4.1.mga5.x86_64.rpm
libasan-devel-4.9.2-4.1.mga5.x86_64.rpm
libatomic1-4.9.2-4.1.mga5.x86_64.rpm
libatomic-devel-4.9.2-4.1.mga5.x86_64.rpm
libcilkrts5-4.9.2-4.1.mga5.x86_64.rpm
libcilkrts-devel-4.9.2-4.1.mga5.x86_64.rpm
libgcc1-4.9.2-4.1.mga5.x86_64.rpm
libgcj15-base-4.9.2-4.1.mga5.x86_64.rpm
libgcj15-src-4.9.2-4.1.mga5.x86_64.rpm
libgfortran3-4.9.2-4.1.mga5.x86_64.rpm
libgnat1-4.9.2-4.1.mga5.x86_64.rpm
libgomp1-4.9.2-4.1.mga5.x86_64.rpm
libgomp-devel-4.9.2-4.1.mga5.x86_64.rpm
libitm1-4.9.2-4.1.mga5.x86_64.rpm
libitm-devel-4.9.2-4.1.mga5.x86_64.rpm
liblsan0-4.9.2-4.1.mga5.x86_64.rpm
liblsan-devel-4.9.2-4.1.mga5.x86_64.rpm
libobjc4-4.9.2-4.1.mga5.x86_64.rpm
libquadmath0-4.9.2-4.1.mga5.x86_64.rpm
libquadmath-devel-4.9.2-4.1.mga5.x86_64.rpm
libstdc++6-4.9.2-4.1.mga5.x86_64.rpm
libstdc++-devel-4.9.2-4.1.mga5.x86_64.rpm
libstdc++-docs-4.9.2-4.1.mga5.noarch.rpm
libstdc++-static-devel-4.9.2-4.1.mga5.x86_64.rpm
libtsan0-4.9.2-4.1.mga5.x86_64.rpm
libtsan-devel-4.9.2-4.1.mga5.x86_64.rpm
libubsan0-4.9.2-4.1.mga5.x86_64.rpm
libubsan-devel-4.9.2-4.1.mga5.x86_64.rpm
libvtv0-4.9.2-4.1.mga5.x86_64.rpm
libvtv-devel-4.9.2-4.1.mga5.x86_64.rpm
Assignee: tmb => qa-bugs
advisory (also added to svn)

It was discovered that the std::random_device class in libstdc++ would not properly detect short reads and could return predictable values if applications used it to obtain randomness from a blocking source such as /dev/random. (CVE-2015-5276)

references:
- https://bugs.mageia.org/show_bug.cgi?id=17126
- https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65142
- http://lists.opensuse.org/opensuse-updates/2015-11/msg00054.html
CC: (none) => tmb
Hardware: i586 => All
Whiteboard: (none) => advisory
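The short-read flaw described in the advisory above, as an added illustration that is not code from libstdc++ or from this bug report: an unchecked single read next to a loop that refuses to return a partly filled value. `ReadFn`, `draw_unchecked`, `draw_checked` and `make_short_source` are hypothetical names, and the short-reading source is a constructed stand-in for a blocking device such as /dev/random.

```cpp
#include <algorithm>
#include <cerrno>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <functional>
#include <stdexcept>
#include <sys/types.h>

// Byte source with read(2) semantics: returns bytes delivered (may be fewer
// than requested), 0 at end of input, -1 with errno set on error.
using ReadFn = std::function<ssize_t(void*, std::size_t)>;

// Flawed pattern: a single read whose return value is ignored. After a short
// read the tail of `value` keeps its initial zero bytes, which are predictable.
std::uint32_t draw_unchecked(const ReadFn& rd) {
    std::uint32_t value = 0;
    rd(&value, sizeof value);
    return value;
}

// Checked pattern: keep reading until the value is full, retry on EINTR,
// and fail loudly instead of returning a partly filled value.
std::uint32_t draw_checked(const ReadFn& rd) {
    std::uint32_t value = 0;
    unsigned char* p = reinterpret_cast<unsigned char*>(&value);
    std::size_t left = sizeof value;
    while (left > 0) {
        ssize_t n = rd(p, left);
        if (n > 0) { p += n; left -= static_cast<std::size_t>(n); }
        else if (n == 0) throw std::runtime_error("entropy source: end of input");
        else if (errno != EINTR) throw std::runtime_error("entropy source: read error");
    }
    return value;
}

// Constructed stand-in for a blocking device: hands out at most `chunk`
// bytes (all 0xAB) per call and reports end of input after `total` bytes.
ReadFn make_short_source(std::size_t chunk, std::size_t total) {
    return [chunk, total](void* buf, std::size_t want) mutable -> ssize_t {
        std::size_t n = std::min(std::min(chunk, want), total);
        std::memset(buf, 0xAB, n);
        total -= n;
        return static_cast<ssize_t>(n);
    };
}
```

With a source that delivers one byte per call, `draw_unchecked` returns a value in which three of the four bytes are still zero, while `draw_checked` returns a fully filled value or throws.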
mga5 x86_64 Mate

Installed as many of the packages as possible before updating. Many were already in place. After cherry-picking from the update list 38 packages installed on my Aorus X5. There should have been more so I need to go back and run a detailed check. After that it would be useful to find a test suite to exercise the compilers and something in particular to check random_device in C++. Looks like a long haul.
CC: (none) => tarazed25
kernel-linus-4.1.12-1.mga5 x86_64 Mate

All 46 packages installed without incident on another laptop.
Some information on testing at https://gcc.gnu.org/install/test.html. tcl and expect are already installed here and Mageia supports DejaGnu; just installed that as well.
Installed on a Dell Dimension E310, P4 processor, Intel graphics, on both 64-bit and 32-bit Mageia 5 installs. Installed at the same time with packages from Bug #17065 and Bug #17129. Only testing done was to install the relevant packages presented by Mageia Update, reboot, and determine if the system still functions normally. No issues apparent on either install.
CC: (none) => andrewsfarm
@Thomas comment 6 I installed the Bug #17129 update earlier. No issues either. Kernel upgrades probably exercise some parts of the compiler collection (dkms and all that) so this level of testing may be adequate. For my own satisfaction I shall probably try to get the testing suite working, even after the update is pushed.
Homemade computer, ASRock motherboard, Athlon X2 7750 processor, 8GB RAM, on-board ATI graphics. Installed on both 64-bit and 32-bit systems, as described in Comment 6. No issues in either install.
MGA5-32 on Acer D620 Xfce

No installation issues. I wanted to run testsuite as per Comment 5, but it appears to me that the testsuites are not included in our packages, is that correct? I don't feel ready to compile the gcc from scratch as the tar file has the testsuites in there.
CC: (none) => herman.viaene
I am pretty sure that the test suite is not included in Mageia. I have downloaded the tar file but real life keeps interfering so have had no time to see if it can be used.
Can be tested basically with the example code here: http://en.cppreference.com/w/cpp/numeric/random/random_device
Before
------
Saved the code as random.cpp

It moans without the -std=c++11 switch but luckily tells you to add it \o/

$ g++ -std=c++11 -o random random.cpp
$ ls random* random.cpp
$ ./random
0 : *******************
1 : *******************
2 : *******************
3 : *******************
4 : *******************
5 : ********************
6 : *******************
7 : ********************
8 : ********************
9 : ********************

After
-----
$ g++ -std=c++11 -o random-after random.cpp
$ ./random-after
0 : ********************
1 : *******************
2 : *******************
3 : ********************
4 : ********************
5 : ********************
6 : ********************
7 : ********************
8 : *******************
9 : *******************

Testing complete mga5 32
Whiteboard: advisory => has_procedure advisory mga5-32-ok
mga5 x86_64 Mate

Used Claire's snippet to test.

Before update:
$ g++ -std=c++11 -o random0 random.cc
$ ./random0
0 : ********************
1 : ******************
2 : ********************
3 : ********************
4 : ********************
5 : *******************
6 : *******************
7 : ********************
8 : ********************
9 : ********************

Afterwards:
$ g++ -std=c++11 -o random1 random.cc
$ ./random1
0 : ********************
1 : *******************
2 : *******************
3 : ********************
4 : *******************
5 : *******************
6 : ********************
7 : *******************
8 : ********************
9 : *******************

Testing complete for 64-bits.
Whiteboard: has_procedure advisory mga5-32-ok => has_procedure advisory mga5-32-ok MGA5-64-OK
Created attachment 7212
Test file for C++

This provides a partial test of the compiler collection and outputs a binary file which should generate a random text pattern.

$ g++ -std=c++11 -o random-after random.cc

e.g.
$ ./random-after
0 : ********************
1 : *******************
2 : *******************
3 : ********************
4 : *******************
5 : *******************
6 : ********************
7 : *******************
8 : ********************
9 : *******************
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0449.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/665238/