Bug 1608153 - (CVE-2018-1000620) CVE-2018-1000620 nodejs-cryptiles: Insecure randomness causes the randomDigits() function to return a pseudo-random data string biased to certain digits
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20180719,repor...
Keywords: Security
Depends On: 1608154 1608155
Blocks: 1608156

Reported: 2018-07-25 00:50 EDT by Sam Fowler
Modified: 2018-07-30 16:13 EDT
CC List: 26 users

Fixed In Version: nodejs-cryptiles 4.1.2
Description Sam Fowler 2018-07-25 00:50:49 EDT
nodejs-cryptiles before version 4.1.2 does not implement cryptographically secure randomness, resulting in the randomDigits() function returning a pseudo-random data string biased to certain digits. An attacker could exploit this to guess the generated digits.


Upstream Issue:

https://github.com/hapijs/cryptiles/issues/34

Upstream Patch:

https://github.com/hapijs/cryptiles/commit/9332d4263a32b84e76bf538d7470d01ea63fa047
Comment 1 Sam Fowler 2018-07-25 00:51:23 EDT
Created nodejs-cryptiles tracking bugs for this issue:

Affects: epel-all [bug 1608155]
Affects: fedora-all [bug 1608154]
Comment 2 Scott Gayou 2018-07-30 15:24:50 EDT
Cryptiles in rh-nodejs6-nodejs-cryptiles is 2.05, uses the crypto library for RNG, and does not include the randomDigits function addressed in CVE-2018-1000620. Furthermore, it looks as though the randomBits function remains the same. Hence, rh-nodejs6-nodejs-cryptiles looks notaffected.
Comment 3 Scott Gayou 2018-07-30 16:13:15 EDT
Cryptiles in rh-nodejs8-nodejs is a dependency of Hawk and is bundled with it. While CVE-2018-1000620 does apply to the version of exports.randomDigits bundled with this version of Cryptiles, the Hawk package does NOT call the randomDigits function. Instead, it makes use of randomString and fixedTimeComparison. Thus, this package is notaffected by the CVE.