{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-05-26T12:06:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"}, {"name": "openSUSE-SU-2019:2364", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html"}, {"name": "openSUSE-SU-2019:2365", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html"}, {"name": "openSUSE-SU-2020:0716", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-15847", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481", "refsource": "MISC", "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"}, {"name": "openSUSE-SU-2019:2364", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html"}, {"name": "openSUSE-SU-2019:2365", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html"}, {"name": "openSUSE-SU-2020:0716", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:03:30.919Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"}, {"name": "openSUSE-SU-2019:2364", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html"}, {"name": "openSUSE-SU-2019:2365", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html"}, {"name": "openSUSE-SU-2020:0716", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-15847", "datePublished": "2019-09-02T22:03:34", "dateReserved": "2019-09-02T00:00:00", "dateUpdated": "2024-08-05T01:03:30.919Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:gcc:*:*:*:*:*:*:*:*", "matchCriteriaId": "5C24970D-A6E6-4AFC-876C-AA77A4D9F2C9", "versionEndExcluding": "7.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:gcc:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C079769-9E9D-4338-9246-B80DB23FF8C2", "versionEndExcluding": "8.4.0", "versionStartIncluding": "8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:gcc:*:*:*:*:*:*:*:*", "matchCriteriaId": "D143DC53-6A5E-42E7-AF7B-9568650BF837", "versionEndExcluding": "9.3.0", "versionStartIncluding": "9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnu:gcc:*:*:*:*:*:*:*:*", "matchCriteriaId": "1CBB0226-5EEA-4106-B59D-35BAFA97C1B6", "versionEndExcluding": "10.1.0", "versionStartIncluding": "10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same."}, {"lang": "es", "value": "El backend POWER9 en GNU Compiler Collection (GCC) en versiones anteriores a la 10 podr\u00eda optimizar m\u00faltiples llamadas de __builtin_darn intr\u00ednsecas en una sola llamada, reduciendo as\u00ed la entrop\u00eda del generador de n\u00fameros aleatorios. Esto ocurri\u00f3 porque no se especific\u00f3 una operaci\u00f3n vol\u00e1til. Por ejemplo, dentro de una sola ejecuci\u00f3n de un programa, la salida de cada llamada __builtin_darn() puede ser la misma."}], "id": "CVE-2019-15847", "lastModified": "2024-11-21T04:29:36.210", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-02T23:15:10.837", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-331"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:1864", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gcc-0:8.3.1-5.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1864", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gcc-0:8.3.1-5.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:0924", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "devtoolset-8-gcc-0:8.3.1-3.2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2020-03-23T00:00:00Z"}, {"advisory": "RHSA-2020:0924", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "devtoolset-8-gcc-0:8.3.1-3.2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-03-23T00:00:00Z"}, {"advisory": "RHSA-2020:2274", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "devtoolset-9-gcc-0:9.3.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-05-26T00:00:00Z"}, {"advisory": "RHSA-2020:0924", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "devtoolset-8-gcc-0:8.3.1-3.2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2020-03-23T00:00:00Z"}, {"advisory": "RHSA-2020:0924", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "devtoolset-8-gcc-0:8.3.1-3.2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-03-23T00:00:00Z"}, {"advisory": "RHSA-2020:2274", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "devtoolset-9-gcc-0:9.3.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-05-26T00:00:00Z"}, {"advisory": "RHSA-2020:0924", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "devtoolset-8-gcc-0:8.3.1-3.2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-03-23T00:00:00Z"}, {"advisory": "RHSA-2020:2274", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "devtoolset-9-gcc-0:9.3.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-05-26T00:00:00Z"}], "bugzilla": {"description": "gcc: POWER9 \"DARN\" RNG intrinsic produces repeated output", "id": "1755523", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1755523"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-331", "details": ["The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same."], "name": "CVE-2019-15847", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "gcc", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "gcc", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "gcc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "mingw-gcc", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2019-09-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-15847\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-15847\nhttps://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"], "statement": "As per upstream DARN (or power9) is not supported in GCC 6 or older, therefore versions of gcc shipped with Red Hat Enterprise Linux 5, 6 and 7 are not affected by this flaw.", "threat_severity": "Moderate"}