
Bug#1101746: marked as done (bookworm-pu: package libdata-entropy-perl/0.007-4+deb12u1)



Your message dated Sat, 17 May 2025 09:37:57 +0000
with message-id <E1uGDzR-005KHc-SG@coccia.debian.org>
and subject line Close 1101746
has caused the Debian Bug report #1101746,
regarding bookworm-pu: package libdata-entropy-perl/0.007-4+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1101746: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101746
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>, security@debian.org

  * CVE-2025-1860: rand() function was used as default source of entropy

Tagged moreinfo, as question to the security team whether they want
this in -pu or as DSA.
diffstat for libdata-entropy-perl-0.007 libdata-entropy-perl-0.007

 changelog                                                       |    7 +
 control                                                         |    2 
 patches/0001-Use-Crypt-URandom-to-seed-the-default-source.patch |   56 ++++++++++
 patches/series                                                  |    1 
 4 files changed, 66 insertions(+)

diff -Nru libdata-entropy-perl-0.007/debian/changelog libdata-entropy-perl-0.007/debian/changelog
--- libdata-entropy-perl-0.007/debian/changelog	2022-06-13 00:59:30.000000000 +0300
+++ libdata-entropy-perl-0.007/debian/changelog	2025-03-31 12:22:57.000000000 +0300
@@ -1,3 +1,10 @@
+libdata-entropy-perl (0.007-4+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-1860: rand() function was used as default source of entropy
+
+ -- Adrian Bunk <bunk@debian.org>  Mon, 31 Mar 2025 12:22:57 +0300
+
 libdata-entropy-perl (0.007-4) unstable; urgency=medium
 
   [ Salvatore Bonaccorso ]
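Review bot: the changelog entry on the "* CVE-2025-1860" line states the problem but not the fix; for a stable update the entry should also say what changed in behaviour, e.g. "Seed the default entropy source from Crypt::URandom (OS random source) instead of rand(); adds a dependency on libcrypt-urandom-perl", since apt-listchanges readers and the release team review this text to judge the change. If there is a BTS bug for this CVE, reference it with a Closes: tag.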
diff -Nru libdata-entropy-perl-0.007/debian/control libdata-entropy-perl-0.007/debian/control
--- libdata-entropy-perl-0.007/debian/control	2022-06-13 00:59:30.000000000 +0300
+++ libdata-entropy-perl-0.007/debian/control	2025-03-31 12:22:57.000000000 +0300
@@ -7,6 +7,7 @@
 Priority: optional
 Build-Depends: debhelper-compat (= 13), libmodule-build-perl
 Build-Depends-Indep: libcrypt-rijndael-perl,
+                     libcrypt-urandom-perl,
                      libdata-float-perl,
                      libhttp-lite-perl,
                      libparams-classify-perl,
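Review bot: the added "libcrypt-urandom-perl," line is unversioned, while the upstream patch further down pins `"Crypt::URandom" => 0.36` in Build.PL; confirm that the libcrypt-urandom-perl version in bookworm satisfies 0.36, or add `(>= 0.36)` here so the Build.PL requirement is actually enforced at build time rather than discovered at runtime.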
@@ -23,6 +24,7 @@
 Depends: ${misc:Depends},
          ${perl:Depends},
          libcrypt-rijndael-perl,
+         libcrypt-urandom-perl,
          libdata-float-perl,
          libhttp-lite-perl,
          libparams-classify-perl
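Review bot: the runtime "libcrypt-urandom-perl," line should carry the same version constraint as Build.PL's `"Crypt::URandom" => 0.36` (`libcrypt-urandom-perl (>= 0.36)`), because Data/Entropy.pm loads the module with a lazy `require Crypt::URandom` inside entropy_source(), so an installation with an older module would not fail at install time but only at the first request for entropy.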
diff -Nru libdata-entropy-perl-0.007/debian/patches/0001-Use-Crypt-URandom-to-seed-the-default-source.patch libdata-entropy-perl-0.007/debian/patches/0001-Use-Crypt-URandom-to-seed-the-default-source.patch
--- libdata-entropy-perl-0.007/debian/patches/0001-Use-Crypt-URandom-to-seed-the-default-source.patch	1970-01-01 02:00:00.000000000 +0200
+++ libdata-entropy-perl-0.007/debian/patches/0001-Use-Crypt-URandom-to-seed-the-default-source.patch	2025-03-31 12:22:23.000000000 +0300
@@ -0,0 +1,56 @@
+From a47d906d1d56a1a383150f048ef9d96b1ff10bd1 Mon Sep 17 00:00:00 2001
+From: Robert Rothenberg <rrwo@cpan.org>
+Date: Thu, 27 Mar 2025 17:59:27 +0000
+Subject: Use Crypt::URandom to seed the default source
+
+---
+ Build.PL            |  1 +
+ lib/Data/Entropy.pm | 13 +++----------
+ 2 files changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/Build.PL b/Build.PL
+index 5d39378..322b88d 100644
+--- a/Build.PL
++++ b/Build.PL
+@@ -27,6 +27,7 @@ Module::Build->new(
+ 	requires => {
+ 		"Carp" => 0,
+ 		"Crypt::Rijndael" => 0,
++		"Crypt::URandom" => 0.36,
+ 		"Data::Float" => "0.008",
+ 		"Errno" => "1.00",
+ 		"Exporter" => 0,
+diff --git a/lib/Data/Entropy.pm b/lib/Data/Entropy.pm
+index 13ce92f..610db45 100644
+--- a/lib/Data/Entropy.pm
++++ b/lib/Data/Entropy.pm
+@@ -27,12 +27,7 @@ avoiding the need to explicitly configure a source at all.
+ 
+ If nothing is done to set a source then it defaults to the use of Rijndael
+ (AES) in counter mode (see L<Data::Entropy::RawSource::CryptCounter>
+-and L<Crypt::Rijndael>), keyed using Perl's built-in C<rand> function.
+-This gives a data stream that looks like concentrated entropy, but really
+-only has at most the entropy of the C<rand> seed.  Within a single run it
+-is cryptographically difficult to detect the correlation between parts
+-of the pseudo-entropy stream.  If more true entropy is required then it
+-is necessary to configure a different entropy source.
++and L<Crypt::Rijndael>), keyed using L<Crypt::URandom>.
+ 
+ =cut
+ 
+@@ -75,10 +70,8 @@ sub entropy_source() {
+ 	}
+ 	unless(defined $entropy_source) {
+ 		unless(defined $default_entropy_source) {
+-			my $key = "";
+-			for(my $i = 32; $i--; ) {
+-				$key .= chr(int(CORE::rand(256)));
+-			}
++			require Crypt::URandom;
++			my $key = Crypt::URandom::urandom(32);
+ 			require Crypt::Rijndael;
+ 			require Data::Entropy::RawSource::CryptCounter;
+ 			require Data::Entropy::Source;
+-- 
+2.30.2
+
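Review bot: in the lib/Data/Entropy.pm hunk, replacing the `CORE::rand(256)` key loop with `Crypt::URandom::urandom(32)` keeps the 32-byte (256-bit) Rijndael key length, which is the right size, but two behavioural changes deserve a sentence in the POD or in debian/NEWS: Crypt::URandom's urandom() croaks when no OS random source can be read, so entropy_source() can now die where it previously always returned (weak) data, and programs that relied on `srand` to make the default source reproducible across runs lose that property, since the key is no longer derived from Perl's rand(). The POD hunk removes the old caveat paragraph without replacing it; a short note that the default source is now keyed from the operating system's random device would tell users why the change is safe and what the new failure mode is.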
diff -Nru libdata-entropy-perl-0.007/debian/patches/series libdata-entropy-perl-0.007/debian/patches/series
--- libdata-entropy-perl-0.007/debian/patches/series	1970-01-01 02:00:00.000000000 +0200
+++ libdata-entropy-perl-0.007/debian/patches/series	2025-03-31 12:22:57.000000000 +0300
@@ -0,0 +1 @@
+0001-Use-Crypt-URandom-to-seed-the-default-source.patch

--- End Message ---
--- Begin Message ---
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---
