Bug 462772 (CVE-2008-4107)

Summary: CVE-2008-4107 PHP: insecure random numbers
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jorton
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4107
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-09-30 08:09:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Josh Bressers 2008-09-18 19:31:58 UTC 
The (1) rand and (2) mt_rand functions in PHP 5.2.6 do not produce
cryptographically strong random numbers, which allows attackers to
leverage exposures in products that rely on these functions for
security-relevant functionality, as demonstrated by the password-reset
functionality in Joomla! 1.5.x and WordPress before 2.6.2, a different
vulnerability than CVE-2008-2107, CVE-2008-2108, and CVE-2008-4102.

Note, wordpress 2.6.2 has been pushed for Fedora 8 and 9
Comment 1 Josh Bressers 2008-09-26 20:13:59 UTC 
This blog entry explains this problem in more details:
http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/

The bits that are relevant to PHP are this:

    Implementation Bugs

    In PHP 4 and PHP <= 5.2.5 the automatic seed of rand() and mt_srand() is
    buggy. Whenever the lowest 26 bits of the timestamp are zero the internal
    seed will become zero (or 1 due to the forced bit) on 32 bit systems
    because of an overflow of the 32 bit register. On 64 bit systems there is
    a precision loss when the seed is casted from a double to int that results
    in a seed about 24 bit strong.
Comment 2 Josh Bressers 2008-09-26 20:21:44 UTC 
So this is obviously not ideal, but I question if it's worth fixing this in our old versions of PHP.  We risk screwing up something else as doing random numbers properly is very hard to do.  The lowest 26 bits of the timestamp are all zero for one second about once per year (slightly more).

This is an extremely small window of opportunity, and that presumes that a remote attacker can cause PHP to seed at exactly that moment, which is unlikely.

For affected versions of PHP, we will WONTFIX this bug.
Comment 3 Tomas Hoger 2008-09-30 08:09:28 UTC 
Wordpress upstream announcement related to weak random number generator:
http://wordpress.org/development/2008/09/wordpress-262/

(Marking bug closed based on comment #2)