|
|
CVE Reference: CVE-2007-2727 |
|
| NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE. | |
|
Original Page at CVE MITRE: CVE-2007-2727 |
|
|
Description: The mcrypt_create_iv function in ext/mcrypt/mcrypt.c in PHP before 4.4.7, 5.2.1, and possibly 5.0.x and other PHP 5 versions, calls php_rand_r with an uninitialized seed variable and therefore always generates the same initialization vector (IV), which might allow context-dependent attackers to decrypt certain data more easily because of the guessable encryption keys. |
|
|
CVE Status: Candidate |
|
|
References: SUSE http://www.novell.com/linux/security/advisories/2007_15_sr.html SAID Secunia Advisory: SA26895 MISC http://www.fortheloot.com/public/mcrypt.patch http://blog.php-security.org/archives/80-Watching-the-PHP-CVS.html MANDRIVA http://www.mandriva.com/security/advisories?name=MDKSA-2007:187 CONFIRM http://www.php.net/ChangeLog-5.php http://bugs.php.net/bug.php?id=40999 http://cvs.php.net/viewvc.cgi/php-src/ext/mcrypt/mcrypt.c?r1=1.91.2.3.2.9&r2=1.91.2.3.2.10 BID 23984 |
|
| Return to the previous page. |
