CVE-2018-1108

NameCVE-2018-1108
Descriptionkernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
linux (PTS)jessie3.16.56-1+deb8u1fixed
jessie (security)3.16.72-1fixed
stretch4.9.168-1vulnerable
stretch (security)4.9.168-1+deb9u5vulnerable
buster4.19.37-5fixed
buster (security)4.19.37-5+deb10u2fixed
bullseye4.19.37-6fixed
sid5.2.9-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
linuxsource(unstable)4.16.5-1medium
linuxsourcejessie(not affected)
linuxsourcewheezy(not affected)

Notes

[stretch] - linux <ignored> (Can't be fixed without many user-space changes)
[jessie] - linux <not-affected> (Vulnerable code not present)
[wheezy] - linux <not-affected> (Vulnerable code not present)
Fixed by: https://git.kernel.org/linus/43838a23a05fbd13e47d750d3dfd77001536dd33
https://bugs.chromium.org/p/project-zero/issues/detail?id=1559

Search for package or bug name: Reporting problems