Your message dated Sat, 11 Jul 2026 10:32:47 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1139698,
regarding trixie-pu: package libcrypt-urandom-perl/0.54-1+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1139698: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139698
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libcrypt-urandom-perl
User: [email protected]
Usertags: pu

  * CVE-2026-2474: heap buffer overflow in crypt_urandom_getrandom()
diffstat for libcrypt-urandom-perl-0.54 libcrypt-urandom-perl-0.54

 changelog                                |    7 ++++
 patches/0001-Fix-for-CVE-2026-2474.patch |   48 +++++++++++++++++++++++++++++++
 patches/series                           |    1 
 3 files changed, 56 insertions(+)

diff -Nru libcrypt-urandom-perl-0.54/debian/changelog 
libcrypt-urandom-perl-0.54/debian/changelog
--- libcrypt-urandom-perl-0.54/debian/changelog 2025-03-23 01:32:16.000000000 
+0200
+++ libcrypt-urandom-perl-0.54/debian/changelog 2026-06-11 16:02:53.000000000 
+0300
@@ -1,3 +1,10 @@
+libcrypt-urandom-perl (0.54-1+deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2026-2474: heap buffer overflow in crypt_urandom_getrandom()
+
+ -- Adrian Bunk <[email protected]>  Thu, 11 Jun 2026 16:02:53 +0300
+
 libcrypt-urandom-perl (0.54-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru 
libcrypt-urandom-perl-0.54/debian/patches/0001-Fix-for-CVE-2026-2474.patch 
libcrypt-urandom-perl-0.54/debian/patches/0001-Fix-for-CVE-2026-2474.patch
--- libcrypt-urandom-perl-0.54/debian/patches/0001-Fix-for-CVE-2026-2474.patch  
1970-01-01 02:00:00.000000000 +0200
+++ libcrypt-urandom-perl-0.54/debian/patches/0001-Fix-for-CVE-2026-2474.patch  
2026-06-11 14:29:19.000000000 +0300
@@ -0,0 +1,48 @@
+From 8e985a5137a789f281ab3c8004be832cfa46aec3 Mon Sep 17 00:00:00 2001
+From: David Dick <[email protected]>
+Date: Tue, 17 Feb 2026 06:58:54 +1100
+Subject: Fix for CVE-2026-2474
+
+---
+ URandom.xs | 3 +++
+ t/rand.t   | 9 ++++++++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/URandom.xs b/URandom.xs
+index c39dc3b..7c57d22 100644
+--- a/URandom.xs
++++ b/URandom.xs
+@@ -38,6 +38,9 @@ crypt_urandom_getrandom(length)
+         char *data;
+         int result;
+     CODE:
++        if (length < 0) {
++            croak("The length argument cannot be less than 0");
++        }
+         Newx(data, length + 1u, char);
+       GETRANDOM:
+ #ifdef HAVE_CRYPT_URANDOM_NATIVE_GETRANDOM
+diff --git a/t/rand.t b/t/rand.t
+index 5b81fe9..98b918d 100644
+--- a/t/rand.t
++++ b/t/rand.t
+@@ -1,4 +1,4 @@
+-use Test::More tests => 10;
++use Test::More tests => 11;
+ use Crypt::URandom();
+ 
+ foreach my $correct (qw(500000 500 50)) {
+@@ -38,3 +38,10 @@ eval {
+ };
+ chomp $@;
+ ok($exception_thrown, "Correctly throws exception with non integer 
parameter:$@");
++$exception_thrown = 1;
++eval {
++      Crypt::URandom::getrandom(-1);
++      $exception_thrown = 0;
++};
++chomp $@;
++ok($exception_thrown, "getrandom correctly throws exception with less than 
zero parameter:$@");
+-- 
+2.47.3
+
diff -Nru libcrypt-urandom-perl-0.54/debian/patches/series 
libcrypt-urandom-perl-0.54/debian/patches/series
--- libcrypt-urandom-perl-0.54/debian/patches/series    1970-01-01 
02:00:00.000000000 +0200
+++ libcrypt-urandom-perl-0.54/debian/patches/series    2026-06-11 
16:02:53.000000000 +0300
@@ -0,0 +1 @@
+0001-Fix-for-CVE-2026-2474.patch

--- End Message ---
--- Begin Message ---
Version: 13.6

This update was released as part of 13.6.

--- End Message ---

Reply via email to