CVE-2011-2705

Published: Aug 5, 2011Modified: Apr 29, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID.

Affected (35)

Products: Ruby Lang: Ruby

1 product

Configuration A

12 vulnerable

Vulnerable Software	Affected Versions
Ruby Lang Ruby	Up to 1.8.7-334
Ruby Lang Ruby	Version 1.8.7-160
Ruby Lang Ruby	Version 1.8.7-173
Ruby Lang Ruby	Version 1.8.7-248
Ruby Lang Ruby	Version 1.8.7-249
Ruby Lang Ruby	Version 1.8.7-299
Ruby Lang Ruby	Version 1.8.7-302
Ruby Lang Ruby	Version 1.8.7-330
Ruby Lang Ruby	Version 1.8.7-p21
Ruby Lang Ruby	Version 1.8.7 p22
Ruby Lang Ruby	Version 1.8.7 p71
Ruby Lang Ruby	Version 1.8.7 p72

Configuration B

23 vulnerable

Vulnerable Software	Affected Versions
Ruby Lang Ruby	Version 1.9.0-0
Ruby Lang Ruby	Version 1.9.0-1
Ruby Lang Ruby	Version 1.9.0-20060415
Ruby Lang Ruby	Version 1.9.0-20070709
Ruby Lang Ruby	Version 1.9.0-2
Ruby Lang Ruby	Version 1.9.0
Ruby Lang Ruby	Version 1.9.0 r18423
Ruby Lang Ruby	Version 1.9.1
Ruby Lang Ruby	Version 1.9.1 -p0
Ruby Lang Ruby	Version 1.9.1 -p129
Ruby Lang Ruby	Version 1.9.1 -p243
Ruby Lang Ruby	Version 1.9.1 -p376
Ruby Lang Ruby	Version 1.9.1 -p429
Ruby Lang Ruby	Version 1.9.1 -preview_1
Ruby Lang Ruby	Version 1.9.1 -preview_2
Ruby Lang Ruby	Version 1.9.1 -rc1
Ruby Lang Ruby	Version 1.9.1 -rc2
Ruby Lang Ruby	Version 1.9.2-p136
Ruby Lang Ruby	Version 1.9.2-p180
Ruby Lang Ruby	Version 1.9.2
Ruby Lang Ruby	Version 1.9.2 dev
Ruby Lang Ruby	Version 1.9
Ruby Lang Ruby	Version 1.9 r18423

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (30)

http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063062.html

Source: secalert@redhat.com

Patch

http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063071.html

Source: secalert@redhat.com

http://redmine.ruby-lang.org/issues/4579

Source: secalert@redhat.com

http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=32050

Source: secalert@redhat.com

Patch

http://svn.ruby-lang.org/repos/ruby/tags/v1_8_7_352/ChangeLog

Source: secalert@redhat.com

http://svn.ruby-lang.org/repos/ruby/tags/v1_9_2_290/ChangeLog

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2011/07/11/1

Source: secalert@redhat.com

Patch

http://www.openwall.com/lists/oss-security/2011/07/12/14

Source: secalert@redhat.com

Patch

http://www.openwall.com/lists/oss-security/2011/07/20/1

Source: secalert@redhat.com

Patch

http://www.openwall.com/lists/oss-security/2011/07/20/16

Source: secalert@redhat.com

Patch

http://www.redhat.com/support/errata/RHSA-2011-1581.html

Source: secalert@redhat.com

http://www.ruby-lang.org/en/news/2011/07/02/ruby-1-8-7-p352-released/

Source: secalert@redhat.com

Patch

http://www.ruby-lang.org/en/news/2011/07/15/ruby-1-9-2-p290-is-released/

Source: secalert@redhat.com

Patch

http://www.securityfocus.com/bid/49015

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=722415

Source: secalert@redhat.com

Patch

http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063062.html

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063071.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://redmine.ruby-lang.org/issues/4579

Source: af854a3a-2127-422b-91ae-364da2661108

http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=32050

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://svn.ruby-lang.org/repos/ruby/tags/v1_8_7_352/ChangeLog

Source: af854a3a-2127-422b-91ae-364da2661108

http://svn.ruby-lang.org/repos/ruby/tags/v1_9_2_290/ChangeLog

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2011/07/11/1

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://www.openwall.com/lists/oss-security/2011/07/12/14

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://www.openwall.com/lists/oss-security/2011/07/20/1

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://www.openwall.com/lists/oss-security/2011/07/20/16

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://www.redhat.com/support/errata/RHSA-2011-1581.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.ruby-lang.org/en/news/2011/07/02/ruby-1-8-7-p352-released/

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://www.ruby-lang.org/en/news/2011/07/15/ruby-1-9-2-p290-is-released/

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://www.securityfocus.com/bid/49015

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.redhat.com/show_bug.cgi?id=722415

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

Timeline

No history available yet.