commit 6c13b12641ba3b1ed2dfc1a2cacabe5bbc5120b2 Author: Paul Howarth <paul@xxxxxxxxxxxx> Date: Tue Sep 3 19:35:59 2013 +0100 CVE-2011-3599 As taught by the '09 Debian PGP disaster relating to DSA, the randomness source is extremely important. On systems without /dev/random, Crypt::DSA falls back to using Data::Random. Data::Random uses rand(), about which the perldoc says "rand() is not cryptographically secure. You should not rely on it in security-sensitive situations." In the case of DSA, this is even worse. Using improperly secure randomness sources can compromise the signing key upon signature of a message. See: http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/ It might seem that this would not affect Fedora since /dev/random is always available and so the fall back to Data::Random would never happen. However, if an application is confined using a MAC system such as SELinux then access to /dev/random could be denied by policy and the fall back would be triggered. .gitignore | 2 +- perl-Crypt-DSA.spec | 11 ++++++++++- remove-fallback.patch | 19 +++++++++++++++++++ 3 files changed, 30 insertions(+), 2 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 1b055d0..4f78f77 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-Crypt-DSA-0.14.tar.gz
+/Crypt-DSA-[0-9.]*.tar.gz
diff --git a/perl-Crypt-DSA.spec b/perl-Crypt-DSA.spec
index a2d701a..6b9ea02 100644
--- a/perl-Crypt-DSA.spec
+++ b/perl-Crypt-DSA.spec
@@ -1,11 +1,12 @@
 Summary: Perl module for DSA signatures and key generation
 Name: perl-Crypt-DSA
 Version: 0.14
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPL+ or Artistic
 Group: Development/Libraries
 Url: http://search.cpan.org/dist/Crypt-DSA/
 Source0: http://search.cpan.org/CPAN/authors/id/B/BT/BTROTT/Crypt-DSA-%{version}.tar.gz
+Patch0: remove-fallback.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 BuildArch: noarch
@@ -33,6 +34,10 @@ verification, and key generation.
 %prep
 %setup -q -n Crypt-DSA-%{version}
+# Remove the ability to fall back to the cryptographically-insecure Data::Random
+# instead of using /dev/random (#743567, CPAN RT#71421, CVE-2011-3599)
+%patch0 -p1
+
 
 %build
 %{__perl} Makefile.PL INSTALLDIRS=vendor
 %{__make} %{?_smp_mflags}
@@ -63,6 +68,10 @@ verification, and key generation.
 %{_mandir}/man3/Crypt::DSA::Util.3pm*
 
 %changelog
+* Tue Sep 3 2013 Paul Howarth <paul@xxxxxxxxxxxx> - 0.14-8
+- Remove the ability to fall back to the cryptographically-insecure Data::Random
+ instead of using /dev/random (#743567, CPAN RT#71421, CVE-2011-3599)
+
 * Mon Nov 3 2008 Paul Howarth <paul@xxxxxxxxxxxx> 0.14-7
 - BuildRequire and Require a GMP support module, either Math::GMP or Math::BigInt::GMP depending on how recent Math::BigInt is
diff --git a/remove-fallback.patch b/remove-fallback.patch
new file mode 100644
index 0000000..852e837
--- /dev/null
+++ b/remove-fallback.patch
@@ -0,0 +1,19 @@
+Description: Remove the ability to fall back to Data::Random
+Forwarded: yes
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=71421
+Author: Harlan Lieberman-Berg <H.LiebermanBerg@xxxxxxxxx>
+--- a/lib/Crypt/DSA/Util.pm
++++ b/lib/Crypt/DSA/Util.pm
+@@ -63,11 +63,8 @@
+ }
+ close $fh;
+ }
+- elsif ( require Data::Random ) {
+- $r .= Data::Random::rand_chars( set=>'numeric' ) for 1..$bytes;
+- }
+ else {
+- croak "makerandom requires /dev/random or Data::Random";
++ croak "makerandom requires /dev/random";
+ }
+ my $down = $size - 1;
+ $r = unpack 'H*', pack 'B*', '0' x ( $size % 8 ? 8 - $size % 8 : 0 ) .
-- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/perl-devel
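Review bot: The rewritten croak in the else branch of the embedded Util.pm hunk (`+ croak "makerandom requires /dev/random";`) still gives the caller no reason why /dev/random was unusable, which is exactly the diagnostic an operator needs in the SELinux-denial scenario the commit message describes; if the failed open's `$!` is still intact at that point (the open sits above the hunk, outside this view), `croak "makerandom requires /dev/random: $!";` would let a policy denial be told apart from a missing device node. Now that `require Data::Random` is gone from the shown code, any Requires or BuildRequires on perl(Data::Random) elsewhere in the spec could be dropped, though none is visible in the hunks shown. The patch header could also carry the advisory so the file is self-describing, e.g. `Description: Remove the ability to fall back to Data::Random (CVE-2011-3599)`. The enclosing makerandom sub starts and ends outside the hunk.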