Bug#1140810: bookworm-pu: package libbytes-random-secure-perl/0.29-4~deb13u1~deb12u1

Fri, 26 Jun 2026 12:17:16 -0700 

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], 
[email protected], [email protected], [email protected], 
[email protected], [email protected]
Control: affects -1 + src:libbytes-random-secure-perl
User: [email protected]
Usertags: pu

Hi

[ Reason ]
libbytes-random-secure-perl is affected by CVE-2026-11625, that were
an object is initialised before forking, or when the functional
interface is used, then the internal state for the PRNG is shared
across processes and identical random streams will be produced.

[ Impact ]
Secrets generated in multiprocess applications are predictable across
processes.

[ Tests ]
Running test suite and done a debusine upload as well as
https://debusine.debian.net/debian/developers/work-request/894435/

[ Risks ]
The upstream pull request is not yet merged, but the patch referenced
in the CPAN security advisory and taken from there.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
> fix for this will save the current PID when the object is created,
> and then (in the bytes method) call instantiate_rng unless the PID
> is the same.

[ Other info ]
Nothing special.

Regards,
Salvatore

diff -Nru libbytes-random-secure-perl-0.29/debian/changelog 
libbytes-random-secure-perl-0.29/debian/changelog
--- libbytes-random-secure-perl-0.29/debian/changelog   2022-12-08 
12:41:21.000000000 +0000
+++ libbytes-random-secure-perl-0.29/debian/changelog   2026-06-26 
18:35:55.000000000 +0000
@@ -1,3 +1,22 @@
+libbytes-random-secure-perl (0.29-4~deb13u1~deb12u1) bookworm; urgency=medium
+
+  * Rebuild for bookworm
+
+ -- Salvatore Bonaccorso <[email protected]>  Fri, 26 Jun 2026 20:35:55 +0200
+
+libbytes-random-secure-perl (0.29-4~deb13u1) trixie; urgency=medium
+
+  * Rebuild for trixie
+
+ -- Salvatore Bonaccorso <[email protected]>  Fri, 26 Jun 2026 20:32:02 +0200
+
+libbytes-random-secure-perl (0.29-4) unstable; urgency=medium
+
+  * Team upload.
+  * Fix incorrect usage of seed in PRNG (CVE-2026-11625)
+
+ -- Salvatore Bonaccorso <[email protected]>  Fri, 26 Jun 2026 17:27:21 +0200
+
 libbytes-random-secure-perl (0.29-3) unstable; urgency=medium
 
   [ Debian Janitor ]
diff -Nru 
libbytes-random-secure-perl-0.29/debian/patches/CVE-2026-11625-r1.patch 
libbytes-random-secure-perl-0.29/debian/patches/CVE-2026-11625-r1.patch
--- libbytes-random-secure-perl-0.29/debian/patches/CVE-2026-11625-r1.patch     
1970-01-01 00:00:00.000000000 +0000
+++ libbytes-random-secure-perl-0.29/debian/patches/CVE-2026-11625-r1.patch     
2026-06-26 18:35:55.000000000 +0000
@@ -0,0 +1,57 @@
+From 20828ef859e215565ba17a9a24af3a42b0c4360a Mon Sep 17 00:00:00 2001
+From: Robert Rothenberg <[email protected]>
+Date: Thu, 25 Jun 2026 14:43:11 +0100
+Subject: [PATCH] Fix for CVE-2026-11625
+
+---
+ lib/Bytes/Random/Secure.pm | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/lib/Bytes/Random/Secure.pm b/lib/Bytes/Random/Secure.pm
+index 65fbfe2..5bd3714 100644
+--- a/lib/Bytes/Random/Secure.pm
++++ b/lib/Bytes/Random/Secure.pm
+@@ -156,6 +156,7 @@ sub _build_attributes {
+       $self->{$arg} = exists $args->{$arg} ? $args->{$arg} : $default;
+     }
+ 
++    $self->{_pid} = $$;
+     $self->{_RNG} = undef;    # Lazy initialization.
+     return $self;
+ }
+@@ -171,6 +172,8 @@ sub _instantiate_rng {
+     my @seeds = $self->_generate_seed( %seed_opts );
+     $self->{_RNG} = Math::Random::ISAAC->new(@seeds);
+ 
++    $self->{_pid} = $$;
++
+     return $self->{_RNG};
+ }
+ 
+@@ -224,7 +227,7 @@ sub bytes {
+   $bytes = defined $bytes ? $bytes : 0; # Default to zero bytes.
+   $self->_validate_int( $bytes ); # Throws on violation.
+ 
+-  $self->_instantiate_rng unless defined $self->{_RNG};
++  $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG};
+ 
+   my $str = '';
+ 
+@@ -302,7 +305,7 @@ sub _ranged_randoms {
+     $count = defined $count ? $count : 0;
+ 
+     # Lazily seed the RNG so we don't waste available strong entropy.
+-    $self->_instantiate_rng unless defined $self->{_RNG};
++    $self->_instantiate_rng unless $$ == $self->{_pid} && defined 
$self->{_RNG};
+ 
+     my $divisor = $self->_closest_divisor($range);
+ 
+@@ -354,7 +357,7 @@ sub _closest_divisor {
+ 
+ sub irand {
+   my( $self ) = @_;
+-  $self->_instantiate_rng unless defined $self->{_RNG};
++  $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG};
+   return $self->{_RNG}->irand;
+ }
+ 
diff -Nru libbytes-random-secure-perl-0.29/debian/patches/series 
libbytes-random-secure-perl-0.29/debian/patches/series
--- libbytes-random-secure-perl-0.29/debian/patches/series      1970-01-01 
00:00:00.000000000 +0000
+++ libbytes-random-secure-perl-0.29/debian/patches/series      2026-06-26 
18:35:55.000000000 +0000
@@ -0,0 +1 @@
+CVE-2026-11625-r1.patch

Reply via email to