Bug#1101746: bookworm-pu: package libdata-entropy-perl/0.007-4+deb12u1

Adrian Bunk bunk at debian.org
Mon Mar 31 13:30:52 BST 2025


Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: Debian Perl Group <pkg-perl-maintainers at lists.alioth.debian.org>, security at debian.org

  * CVE-2025-1860: rand() function was used as default source of entropy

Tagged moreinfo, as a question to the security team whether they want
this in -pu or as a DSA.
diffstat for libdata-entropy-perl-0.007 libdata-entropy-perl-0.007

 changelog                                                       |    7 +
 control                                                         |    2 
 patches/0001-Use-Crypt-URandom-to-seed-the-default-source.patch |   56 ++++++++++
 patches/series                                                  |    1 
 4 files changed, 66 insertions(+)

diff -Nru libdata-entropy-perl-0.007/debian/changelog libdata-entropy-perl-0.007/debian/changelog
--- libdata-entropy-perl-0.007/debian/changelog	2022-06-13 00:59:30.000000000 +0300
+++ libdata-entropy-perl-0.007/debian/changelog	2025-03-31 12:22:57.000000000 +0300
@@ -1,3 +1,10 @@
+libdata-entropy-perl (0.007-4+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-1860: rand() function was used as default source of entropy
+
+ -- Adrian Bunk <bunk at debian.org>  Mon, 31 Mar 2025 12:22:57 +0300
+
 libdata-entropy-perl (0.007-4) unstable; urgency=medium
 
   [ Salvatore Bonaccorso ]
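Review bot: the new changelog entry names the CVE but says nothing about what the fix is or which bug it closes; for a stable update the entry should state the change (the default entropy source is now keyed from Crypt::URandom instead of CORE::rand) and carry a `Closes:` reference to the Debian bug tracking CVE-2025-1860 so the BTS is updated on upload. Suggested wording: `* CVE-2025-1860: seed the default entropy source from Crypt::URandom instead of rand() (Closes: #<bug number to be filled in>)`.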
diff -Nru libdata-entropy-perl-0.007/debian/control libdata-entropy-perl-0.007/debian/control
--- libdata-entropy-perl-0.007/debian/control	2022-06-13 00:59:30.000000000 +0300
+++ libdata-entropy-perl-0.007/debian/control	2025-03-31 12:22:57.000000000 +0300
@@ -7,6 +7,7 @@
 Priority: optional
 Build-Depends: debhelper-compat (= 13), libmodule-build-perl
 Build-Depends-Indep: libcrypt-rijndael-perl,
+                     libcrypt-urandom-perl,
                      libdata-float-perl,
                      libhttp-lite-perl,
                      libparams-classify-perl,
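Review bot: the new build dependency carries no version bound, while the upstream patch added below declares `"Crypt::URandom" => 0.36` in Build.PL; either confirm that the libcrypt-urandom-perl in bookworm satisfies that minimum or write it as `libcrypt-urandom-perl (>= 0.36)` here so the build-time test run and the package metadata agree.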
@@ -23,6 +24,7 @@
 Depends: ${misc:Depends},
          ${perl:Depends},
          libcrypt-rijndael-perl,
+         libcrypt-urandom-perl,
          libdata-float-perl,
          libhttp-lite-perl,
          libparams-classify-perl
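Review bot: this runtime dependency is the one that matters for users, because the patched entropy_source() loads the module lazily with `require Crypt::URandom` and only calls it when the default source is first built, so a missing package would surface as a failure at first use rather than at install time. Same remark as for Build-Depends-Indep: mirror the `>= 0.36` lower bound from Build.PL unless bookworm's version is known to satisfy it.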
diff -Nru libdata-entropy-perl-0.007/debian/patches/0001-Use-Crypt-URandom-to-seed-the-default-source.patch libdata-entropy-perl-0.007/debian/patches/0001-Use-Crypt-URandom-to-seed-the-default-source.patch
--- libdata-entropy-perl-0.007/debian/patches/0001-Use-Crypt-URandom-to-seed-the-default-source.patch	1970-01-01 02:00:00.000000000 +0200
+++ libdata-entropy-perl-0.007/debian/patches/0001-Use-Crypt-URandom-to-seed-the-default-source.patch	2025-03-31 12:22:23.000000000 +0300
@@ -0,0 +1,56 @@
+From a47d906d1d56a1a383150f048ef9d96b1ff10bd1 Mon Sep 17 00:00:00 2001
+From: Robert Rothenberg <rrwo at cpan.org>
+Date: Thu, 27 Mar 2025 17:59:27 +0000
+Subject: Use Crypt::URandom to seed the default source
+
+---
+ Build.PL            |  1 +
+ lib/Data/Entropy.pm | 13 +++----------
+ 2 files changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/Build.PL b/Build.PL
+index 5d39378..322b88d 100644
+--- a/Build.PL
++++ b/Build.PL
+@@ -27,6 +27,7 @@ Module::Build->new(
+ 	requires => {
+ 		"Carp" => 0,
+ 		"Crypt::Rijndael" => 0,
++		"Crypt::URandom" => 0.36,
+ 		"Data::Float" => "0.008",
+ 		"Errno" => "1.00",
+ 		"Exporter" => 0,
+diff --git a/lib/Data/Entropy.pm b/lib/Data/Entropy.pm
+index 13ce92f..610db45 100644
+--- a/lib/Data/Entropy.pm
++++ b/lib/Data/Entropy.pm
+@@ -27,12 +27,7 @@ avoiding the need to explicitly configure a source at all.
+ 
+ If nothing is done to set a source then it defaults to the use of Rijndael
+ (AES) in counter mode (see L<Data::Entropy::RawSource::CryptCounter>
+-and L<Crypt::Rijndael>), keyed using Perl's built-in C<rand> function.
+-This gives a data stream that looks like concentrated entropy, but really
+-only has at most the entropy of the C<rand> seed.  Within a single run it
+-is cryptographically difficult to detect the correlation between parts
+-of the pseudo-entropy stream.  If more true entropy is required then it
+-is necessary to configure a different entropy source.
++and L<Crypt::Rijndael>), keyed using L<Crypt::URandom>.
+ 
+ =cut
+ 
+@@ -75,10 +70,8 @@ sub entropy_source() {
+ 	}
+ 	unless(defined $entropy_source) {
+ 		unless(defined $default_entropy_source) {
+-			my $key = "";
+-			for(my $i = 32; $i--; ) {
+-				$key .= chr(int(CORE::rand(256)));
+-			}
++			require Crypt::URandom;
++			my $key = Crypt::URandom::urandom(32);
+ 			require Crypt::Rijndael;
+ 			require Data::Entropy::RawSource::CryptCounter;
+ 			require Data::Entropy::Source;
+-- 
+2.30.2
+
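Review bot: the replacement changes the failure profile of entropy_source(): the removed loop over CORE::rand could never fail, whereas Crypt::URandom::urandom(32) croaks when it cannot read from the operating system's randomness source, so the default source can now die on first use (for example in a minimal chroot with no /dev/urandom). That is the right trade-off for this CVE, but the POD hunk that drops the old warning paragraph should gain a sentence saying so, and callers in bookworm that relied on the default never throwing should be mentioned in the release notes. The key length stays at 32 bytes, so the AES-256 counter-mode source itself is unchanged; only the seed quality improves. The patch keeps its git `From:`/`Date:`/`Subject:` headers, which DEP-3 accepts, but an `Origin: upstream` line and a `Bug-Debian:` reference would make the provenance easier to track later.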
diff -Nru libdata-entropy-perl-0.007/debian/patches/series libdata-entropy-perl-0.007/debian/patches/series
--- libdata-entropy-perl-0.007/debian/patches/series	1970-01-01 02:00:00.000000000 +0200
+++ libdata-entropy-perl-0.007/debian/patches/series	2025-03-31 12:22:57.000000000 +0300
@@ -0,0 +1 @@
+0001-Use-Crypt-URandom-to-seed-the-default-source.patch
