Bug#1139698: trixie-pu: package libcrypt-urandom-perl/0.54-1+deb13u1
Adrian Bunk
bunk at debian.org
Thu Jun 11 14:13:12 BST 2026
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: libcrypt-urandom-perl at packages.debian.org, security at debian.org
Control: affects -1 + src:libcrypt-urandom-perl
User: release.debian.org at packages.debian.org
Usertags: pu
* CVE-2026-2474: heap buffer overflow in crypt_urandom_getrandom()
diffstat for libcrypt-urandom-perl-0.54 libcrypt-urandom-perl-0.54
changelog | 7 ++++
patches/0001-Fix-for-CVE-2026-2474.patch | 48 +++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 56 insertions(+)
diff -Nru libcrypt-urandom-perl-0.54/debian/changelog libcrypt-urandom-perl-0.54/debian/changelog
--- libcrypt-urandom-perl-0.54/debian/changelog 2025-03-23 01:32:16.000000000 +0200
+++ libcrypt-urandom-perl-0.54/debian/changelog 2026-06-11 16:02:53.000000000 +0300
@@ -1,3 +1,10 @@
+libcrypt-urandom-perl (0.54-1+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2026-2474: heap buffer overflow in crypt_urandom_getrandom()
+
+ -- Adrian Bunk <bunk at debian.org> Thu, 11 Jun 2026 16:02:53 +0300
+
libcrypt-urandom-perl (0.54-1) unstable; urgency=medium
* Team upload.
diff -Nru libcrypt-urandom-perl-0.54/debian/patches/0001-Fix-for-CVE-2026-2474.patch libcrypt-urandom-perl-0.54/debian/patches/0001-Fix-for-CVE-2026-2474.patch
--- libcrypt-urandom-perl-0.54/debian/patches/0001-Fix-for-CVE-2026-2474.patch 1970-01-01 02:00:00.000000000 +0200
+++ libcrypt-urandom-perl-0.54/debian/patches/0001-Fix-for-CVE-2026-2474.patch 2026-06-11 14:29:19.000000000 +0300
@@ -0,0 +1,48 @@
+From 8e985a5137a789f281ab3c8004be832cfa46aec3 Mon Sep 17 00:00:00 2001
+From: David Dick <ddick at cpan.org>
+Date: Tue, 17 Feb 2026 06:58:54 +1100
+Subject: Fix for CVE-2026-2474
+
+---
+ URandom.xs | 3 +++
+ t/rand.t | 9 ++++++++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/URandom.xs b/URandom.xs
+index c39dc3b..7c57d22 100644
+--- a/URandom.xs
++++ b/URandom.xs
+@@ -38,6 +38,9 @@ crypt_urandom_getrandom(length)
+ char *data;
+ int result;
+ CODE:
++ if (length < 0) {
++ croak("The length argument cannot be less than 0");
++ }
+ Newx(data, length + 1u, char);
+ GETRANDOM:
+ #ifdef HAVE_CRYPT_URANDOM_NATIVE_GETRANDOM
+diff --git a/t/rand.t b/t/rand.t
+index 5b81fe9..98b918d 100644
+--- a/t/rand.t
++++ b/t/rand.t
+@@ -1,4 +1,4 @@
+-use Test::More tests => 10;
++use Test::More tests => 11;
+ use Crypt::URandom();
+
+ foreach my $correct (qw(500000 500 50)) {
+@@ -38,3 +38,10 @@ eval {
+ };
+ chomp $@;
+ ok($exception_thrown, "Correctly throws exception with non integer parameter:$@");
++$exception_thrown = 1;
++eval {
++ Crypt::URandom::getrandom(-1);
++ $exception_thrown = 0;
++};
++chomp $@;
++ok($exception_thrown, "getrandom correctly throws exception with less than zero parameter:$@");
+--
+2.47.3
+
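Review bot: The guard added ahead of `Newx(data, length + 1u, char)` closes only the negative side of the range: the C type of `length` is fixed by the XS typemap above the hunk, and if it is a 64-bit IV rather than an int, `length + 1u` is still a signed addition that overflows near IV_MAX, while any large positive value is passed straight through as the allocation size. An explicit upper bound next to the new `if (length < 0)` check would make the fix complete, though the right limit depends on the declared type, which is not visible in this excerpt. The body of crypt_urandom_getrandom continues below the hunk, so whether the later getrandom/read path treats `length` as a signed or unsigned count cannot be confirmed here. The new t/rand.t case exercises -1 only; a companion test with an oversized positive length would pin the upper bound as well.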
diff -Nru libcrypt-urandom-perl-0.54/debian/patches/series libcrypt-urandom-perl-0.54/debian/patches/series
--- libcrypt-urandom-perl-0.54/debian/patches/series 1970-01-01 02:00:00.000000000 +0200
+++ libcrypt-urandom-perl-0.54/debian/patches/series 2026-06-11 16:02:53.000000000 +0300
@@ -0,0 +1 @@
+0001-Fix-for-CVE-2026-2474.patch