I reviewed libcrypt-urandom-perl 0.54-1 as checked into resolute. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

libcrypt-urandom-perl is a Perl module that provides a simple interface to non-blocking cryptographically strong random number generators. It supports reading from /dev/urandom and using the `getrandom(2)` system call on Linux, as well as Windows APIs. It is designed to be a drop-in safe random number source.
- CVE History
  - CVE-2026-2474 (Heap buffer overflow due to implicit type conversion)
- Build-Depends
  - OK.
- pre/post inst/rm scripts
  - None.
- init scripts
  - None.
- systemd units
  - None.
- dbus services
  - None.
- setuid binaries
  - None.
- binaries in PATH
  - None.
- sudo fragments
  - None.
- polkit files
  - None.
- udev rules
  - None.
- unit tests / autopkgtests
  - Standard Perl t/* tests and autopkgtests present.
  - getrandom() calls tested via LD_PRELOAD mocking.
- cron jobs
  - None.
- Build logs
  - OK.
- Processes spawned
  - None.
- Memory management
  - Relies on Perl's memory management.
  - XS code (`URandom.xs`) is used if available. It uses `Newx` and `Safefree` (Perl's C-level memory API) to allocate buffers for `getrandom` / `arc4random_buf`.
  - Heap buffer overflow discovered in the XS function (CVE-2026-2474).
- File IO
  - Reads `/dev/urandom` or `/dev/random` (on FreeBSD) if `getrandom` is not available.
- Logging
  - None observed. `Carp` is used for errors.
- Utility Functions
  - None.
- Environment Variables
  - `CRYPT_URANDOM_BUILD_DEBUG` is checked in `Makefile.PL` / `check_random.inc` to enable debug output during build configuration.
- Privileged Functions Usage
  - None.
- Cryptography Including RNG Usage
  - This is the primary function of the library.
  - Primary source: `getrandom` (via XS, native libc wrapper or `syscall`).
  - Secondary source: `arc4random_buf` (via XS).
  - Fallback: Reading `/dev/urandom`.
  - On Windows: `CryptGenRandom` / `RtlGenRand` (via `Win32::API`).
- Temporary Files
  - None.
- Networking
  - None.
- WebKit
  - None.
- PolicyKit
  - None.
- Significant Coverity Results
  - None.
- Significant Semgrep Results
  - None.
- Significant Shellcheck Results
  - None.
- Significant Cppcheck Results
  - None.
- Significant results from other linters (Bandit, Govulncheck, etc.)
  - None.
The package is a small, focused Perl library for obtaining cryptographic randomness. It delegates entirely to the operating system's secure random number generator (getrandom or /dev/urandom or Windows CryptoAPI).

While generation of cryptographic randomness is correct, several other issues were identified with respect to input validation and runtime checks:

- Heap buffer overflow in XS function `crypt_urandom_getrandom()` (CVE-2026-2474)
- Bad comparison in read/sysread return value in `_read_random_fs()`

The maintainer fixed the issues promptly and coordinated effectively with CPAN security to assign a CVE, indicating a responsive and reliable upstream.

The Security team ACKs promoting libcrypt-urandom-perl to main.
** CVE added: https://cve.org/CVERecord?id=CVE-2026-2474
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2122108
Title:
[MIR] libcrypt-urandom-perl as a dependency of libauthen-sasl-perl
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libauthen-sasl-perl/+bug/2122108/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
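As an added example (not code from libcrypt-urandom-perl or its maintainer), here are the two checks a reviewer would look for in an XS-style buffer-filling routine given the defect classes named above: the caller's signed length is validated before it is ever converted to size_t and used for allocation, and the read() return value is tested as a signed ssize_t so an error is never mistaken for a byte count. It uses the /dev/urandom fallback path rather than getrandom(2) so it runs on any POSIX system; MAX_RANDOM_REQUEST is an assumed bound, not a value from the module.

```c
/* Added example, not the module's code. Hardened pattern for taking a
 * caller-supplied byte count and filling a buffer from /dev/urandom. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Upper bound on one request; assumed here, not a value from the module. */
#define MAX_RANDOM_REQUEST (1024L * 1024L)

/* Validate a length as the XS layer would receive it from Perl (a signed IV).
 * Returns 1 if the length may be passed on to allocation, 0 otherwise.
 * Without this check a negative value cast to size_t becomes a huge number,
 * and the buffer allocated from the original value is then overrun. */
int valid_request_len(long want)
{
    if (want <= 0)                      /* negative or zero: reject */
        return 0;
    if (want > MAX_RANDOM_REQUEST)      /* absurdly large: reject */
        return 0;
    return 1;
}

/* Fill buf[0..len) from /dev/urandom. Returns 0 on success, -1 on error.
 * The read() result stays in a signed ssize_t and is tested for < 0 before
 * any arithmetic, so -1 is never treated as "read a huge number of bytes". */
int fill_random_bytes(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;               /* interrupted: retry */
            close(fd);
            return -1;
        }
        if (n == 0) {                   /* EOF must not happen; fail closed */
            close(fd);
            return -1;
        }
        got += (size_t)n;               /* short reads are normal; keep going */
    }
    close(fd);
    return 0;
}
```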