CVE-2008-2108

Publication date 7 May 2008

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force attacks against protection mechanisms that use the rand and mt_rand functions.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
php5	8.04 LTS hardy	Fixed 5.2.4-2ubuntu5.3
	7.10 gutsy	Fixed 5.2.3-1ubuntu6.4
	7.04 feisty	Fixed 5.2.1-0ubuntu1.6
	6.06 LTS dapper	Fixed 5.1.2-1ubuntu3.12

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
php5	Vendor: http://www.mandriva.com/security/advisories?name=MDVSA-2008:125

Severity score breakdown

Parameter	Value
Base score	9.8 · Critical
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2008-2108

Cvss 3 Severity Score

Description

Status

Patch details

Severity score breakdown

References

Related Ubuntu Security Notices (USN)

Other references