Your message dated Sat, 17 May 2025 09:37:57 +0000
with message-id <[email protected]>
and subject line Close 1101746
has caused the Debian Bug report #1101746,
regarding bookworm-pu: package libdata-entropy-perl/0.007-4+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1101746: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101746
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: [email protected]
Usertags: pu
X-Debbugs-Cc: Debian Perl Group <[email protected]>, 
[email protected]

  * CVE-2025-1860: rand() function was used as default source of entropy

Tagged moreinfo, as a question to the security team whether they want
this in -pu or as a DSA.
diffstat for libdata-entropy-perl-0.007 libdata-entropy-perl-0.007

 changelog                                                       |    7 +
 control                                                         |    2 
 patches/0001-Use-Crypt-URandom-to-seed-the-default-source.patch |   56 ++++++++++
 patches/series                                                  |    1 
 4 files changed, 66 insertions(+)

diff -Nru libdata-entropy-perl-0.007/debian/changelog 
libdata-entropy-perl-0.007/debian/changelog
--- libdata-entropy-perl-0.007/debian/changelog 2022-06-13 00:59:30.000000000 
+0300
+++ libdata-entropy-perl-0.007/debian/changelog 2025-03-31 12:22:57.000000000 
+0300
@@ -1,3 +1,10 @@
+libdata-entropy-perl (0.007-4+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-1860: rand() function was used as default source of entropy
+
+ -- Adrian Bunk <[email protected]>  Mon, 31 Mar 2025 12:22:57 +0300
+
 libdata-entropy-perl (0.007-4) unstable; urgency=medium
 
   [ Salvatore Bonaccorso ]
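Review bot: the changelog entry names the CVE but does not say what actually changes for users, and a stable-update entry is what administrators see in apt-listchanges before deciding whether the upgrade affects them. Consider expanding the bullet to state the behavioural change in one line, e.g. "CVE-2025-1860: key the default AES-CTR entropy source from Crypt::URandom (OS entropy) instead of Perl's rand()", and, if a Debian bug tracks the CVE, close it with the usual "(Closes: #NNNNNN)" so the fix is traceable from the BTS.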
diff -Nru libdata-entropy-perl-0.007/debian/control 
libdata-entropy-perl-0.007/debian/control
--- libdata-entropy-perl-0.007/debian/control   2022-06-13 00:59:30.000000000 
+0300
+++ libdata-entropy-perl-0.007/debian/control   2025-03-31 12:22:57.000000000 
+0300
@@ -7,6 +7,7 @@
 Priority: optional
 Build-Depends: debhelper-compat (= 13), libmodule-build-perl
 Build-Depends-Indep: libcrypt-rijndael-perl,
+                     libcrypt-urandom-perl,
                      libdata-float-perl,
                      libhttp-lite-perl,
                      libparams-classify-perl,
@@ -23,6 +24,7 @@
 Depends: ${misc:Depends},
          ${perl:Depends},
          libcrypt-rijndael-perl,
+         libcrypt-urandom-perl,
          libdata-float-perl,
          libhttp-lite-perl,
          libparams-classify-perl
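Review bot: the new runtime dependency is unversioned while the upstream Build.PL in this same upload requires `"Crypt::URandom" => 0.36`; since `Crypt::URandom` is only loaded lazily via `require` inside `entropy_source()`, a too-old module would not be caught at build time but would surface as a runtime failure in the default source. Either confirm that the libcrypt-urandom-perl version in bookworm satisfies 0.36, or mirror the upstream minimum as `libcrypt-urandom-perl (>= 0.36),` here and in the Build-Depends-Indep hunk above.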
diff -Nru 
libdata-entropy-perl-0.007/debian/patches/0001-Use-Crypt-URandom-to-seed-the-default-source.patch
 
libdata-entropy-perl-0.007/debian/patches/0001-Use-Crypt-URandom-to-seed-the-default-source.patch
--- 
libdata-entropy-perl-0.007/debian/patches/0001-Use-Crypt-URandom-to-seed-the-default-source.patch
   1970-01-01 02:00:00.000000000 +0200
+++ 
libdata-entropy-perl-0.007/debian/patches/0001-Use-Crypt-URandom-to-seed-the-default-source.patch
   2025-03-31 12:22:23.000000000 +0300
@@ -0,0 +1,56 @@
+From a47d906d1d56a1a383150f048ef9d96b1ff10bd1 Mon Sep 17 00:00:00 2001
+From: Robert Rothenberg <[email protected]>
+Date: Thu, 27 Mar 2025 17:59:27 +0000
+Subject: Use Crypt::URandom to seed the default source
+
+---
+ Build.PL            |  1 +
+ lib/Data/Entropy.pm | 13 +++----------
+ 2 files changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/Build.PL b/Build.PL
+index 5d39378..322b88d 100644
+--- a/Build.PL
++++ b/Build.PL
+@@ -27,6 +27,7 @@ Module::Build->new(
+       requires => {
+               "Carp" => 0,
+               "Crypt::Rijndael" => 0,
++              "Crypt::URandom" => 0.36,
+               "Data::Float" => "0.008",
+               "Errno" => "1.00",
+               "Exporter" => 0,
+diff --git a/lib/Data/Entropy.pm b/lib/Data/Entropy.pm
+index 13ce92f..610db45 100644
+--- a/lib/Data/Entropy.pm
++++ b/lib/Data/Entropy.pm
+@@ -27,12 +27,7 @@ avoiding the need to explicitly configure a source at all.
+ 
+ If nothing is done to set a source then it defaults to the use of Rijndael
+ (AES) in counter mode (see L<Data::Entropy::RawSource::CryptCounter>
+-and L<Crypt::Rijndael>), keyed using Perl's built-in C<rand> function.
+-This gives a data stream that looks like concentrated entropy, but really
+-only has at most the entropy of the C<rand> seed.  Within a single run it
+-is cryptographically difficult to detect the correlation between parts
+-of the pseudo-entropy stream.  If more true entropy is required then it
+-is necessary to configure a different entropy source.
++and L<Crypt::Rijndael>), keyed using L<Crypt::URandom>.
+ 
+ =cut
+ 
+@@ -75,10 +70,8 @@ sub entropy_source() {
+       }
+       unless(defined $entropy_source) {
+               unless(defined $default_entropy_source) {
+-                      my $key = "";
+-                      for(my $i = 32; $i--; ) {
+-                              $key .= chr(int(CORE::rand(256)));
+-                      }
++                      require Crypt::URandom;
++                      my $key = Crypt::URandom::urandom(32);
+                       require Crypt::Rijndael;
+                       require Data::Entropy::RawSource::CryptCounter;
+                       require Data::Entropy::Source;
+-- 
+2.30.2
+
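Review bot: the failure mode of the default source changes with this hunk and the POD does not mention it: `Crypt::URandom::urandom(32)` croaks when it cannot obtain 32 bytes from the OS (for example in a chroot with no /dev/urandom and no getrandom support), whereas the removed `CORE::rand` loop could never fail. Failing closed is the right outcome for a CVE about weak keying, but the paragraph replaced by "keyed using L<Crypt::URandom>." should say that entropy_source() may now die when OS randomness is unavailable and that callers wanting a different policy must configure a source explicitly. Separately, as a Debian packaging point, the patch file carries only the git format-patch header; adding DEP-3 fields (Origin: with the upstream commit a47d906d1d56a1a383150f048ef9d96b1ff10bd1, a Bug: line referencing CVE-2025-1860, and Applied-Upstream: if it is) would document where the fix comes from.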
diff -Nru libdata-entropy-perl-0.007/debian/patches/series 
libdata-entropy-perl-0.007/debian/patches/series
--- libdata-entropy-perl-0.007/debian/patches/series    1970-01-01 
02:00:00.000000000 +0200
+++ libdata-entropy-perl-0.007/debian/patches/series    2025-03-31 
12:22:57.000000000 +0300
@@ -0,0 +1 @@
+0001-Use-Crypt-URandom-to-seed-the-default-source.patch

--- End Message ---
--- Begin Message ---
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---
