TEMP-0532514-9137E0

Name	TEMP-0532514-9137E0
Description	predictable random number generator used in web browsers
Source	Automatically generated temporary name. Not for external reference.
Debian Bugs	520324, 532514, 532519, 532520, 532521

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
chromium-browser (PTS)	stretch	70.0.3538.110-1~deb9u1	fixed
	stretch (security)	71.0.3578.80-1~deb9u1	fixed
dillo (PTS)	stretch	3.0.5-3	fixed
	buster	3.0.5-5	fixed
	bookworm, bullseye, sid	3.0.5-7	fixed
lynx (PTS)	stretch	2.8.9dev11-1	fixed
	stretch (security)	2.8.9dev11-1+deb9u1	fixed
	buster, buster (security)	2.8.9rel.1-3+deb10u1	fixed
	bullseye (security), bullseye	2.9.0dev.6-3~deb11u1	fixed
	bookworm, sid	2.9.0dev.10-1	fixed
w3m (PTS)	stretch	0.5.3-34+deb9u1	vulnerable
	buster	0.5.3-37	vulnerable
	bullseye	0.5.3+git20210102-6	vulnerable
	bookworm, sid	0.5.3+git20220429-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Debian Bugs
chromium-browser	source	squeeze	(unfixed)	end-of-life
chromium-browser	source	(unstable)	26.0.1410.43-1		520324
dillo	source	(unstable)	(not affected)
kdebase	source	(unstable)	(unfixed)	unimportant	532519
lynx	source	(unstable)	2.8.7rel.1-1	unimportant	532520
w3m	source	(unstable)	(unfixed)	unimportant	532521
webkit	source	(unstable)	1.2	low	532514

Notes

The implementations for UNIX seems fine, might be fixed earlier
[lenny] - webkit <no-dsa> (Minor issue)
w3m doesn't have Javascript support and the boundary issue is harmles
chromium has provides window.crypto.getRandomValues as a strong random number generator
https://code.google.com/p/chromium/issues/detail?id=246054
lynx doesn't have Javascript and form-data support
- dillo <not-affected> (bug #532522)
These issues can be fixed in more recent upstream versions, but the risk
of regression doesn't outweigh the issue at hand