Bug#1092556: libcryptx-perl contains bundled copy of libtomcrypt and libtommath
Andrew Bartlett
abartlet at samba.org
Wed Jan 8 21:45:12 GMT 2025
Package: libcryptx-perl
Version: 0.077-1+b1
libperl-cryptx contains and builds a copy of libtomcrypt and libtommath
(Samba is in a similar boat, for libtommath via Heimdal, also
embedded).
Sadly per
https://groups.google.com/g/sci.crypt/c/Z7lVGM2wo2o/m/UfQpm0cdQRMJ from
https://github.com/libtom/libtomcrypt/issues/616 libtommath is no
longer being released, but it seems less than ideal to have two
diverging copies of the libtomcrypt and libtommath libraries in Debian,
and even more strange to have the perl bindings be ahead of the
'proper' library.
The perl library has experimental support for building against the
system package:
# EXPERIMENTAL: use system libraries libtomcrypt + libtommath
# e.g.
# CRYPTX_LDFLAGS='-L/usr/local/lib -ltommath -ltomcrypt' CRYPTX_CFLAGS='-DLTM_DESC -I/usr/local/include' perl Makefile.PL
I realise that this coordination may be a lot of work sadly,
particularly as libcryptx-perl has the unreleased snapshots not in the
last libtommath. However it also has fixes for CVE-2019-17362.
(I started on this because it was really hard to tell from a first
glance that libcryptx-perl 0.77 was not vulnerable to CVE-2019-17362)
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
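Added example, not part of the original message or of CryptX: a shell check for whether a built CryptX shared object carries its own libtomcrypt/libtommath code or links the system libraries, which is what the experimental build quoted above is meant to achieve. It assumes a bundled build exports the libtom functions in its dynamic symbol table; the function names and the sample tool output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from CryptX or Debian packaging).
# Assumption: a bundled build exports the libtom functions in .dynsym.

# Constructed sample output of `readelf -d` and `nm -D --defined-only`.
SAMPLE_NEEDED_SYSTEM=' 0x0000000000000001 (NEEDED)  Shared library: [libtomcrypt.so.1]
 0x0000000000000001 (NEEDED)  Shared library: [libtommath.so.1]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'
SAMPLE_NEEDED_BUNDLED=' 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'
SAMPLE_SYMS_BUNDLED='0000000000051230 T mp_init
0000000000012340 T register_hash
0000000000010000 T boot_CryptX'
SAMPLE_SYMS_SYSTEM='0000000000010000 T boot_CryptX'

# classify_linkage NEEDED_TEXT DEFINED_SYMBOLS_TEXT
# Prints: system  (libtom comes only from DT_NEEDED shared libraries)
#         bundled (libtom symbols are defined inside the object itself)
#         mixed   (both: two copies can be in play)
#         none    (no libtom code found either way)
classify_linkage() {
    has_needed=0
    has_defined=0
    if printf '%s\n' "$1" | grep -Eq '\[libtom(crypt|math)\.so'; then
        has_needed=1
    fi
    # Real libtommath/libtomcrypt API names used as markers.
    if printf '%s\n' "$2" |
        grep -Eq ' [TtDdBbRr] (mp_init|mp_clear|register_cipher|register_hash|ltc_mp)$'; then
        has_defined=1
    fi
    case "$has_needed$has_defined" in
        10) echo system ;;
        01) echo bundled ;;
        11) echo mixed ;;
        *)  echo none ;;
    esac
}

# inspect_object PATH: classify a real shared object using binutils.
inspect_object() {
    classify_linkage "$(readelf -d "$1" | grep NEEDED)" \
                     "$(nm -D --defined-only "$1")"
}
```

Call `inspect_object` with the path of the installed CryptX shared object; that path depends on the Perl version and architecture.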