Bug#1140807: trixie-pu: package libbytes-random-secure-perl/0.29-4~deb13u1

Salvatore Bonaccorso carnil at debian.org
Fri Jun 26 20:07:12 BST 2026


Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: libbytes-random-secure-perl at packages.debian.org, team at security.debian.org, debian-perl at lists.debian.org, gregoa at debian.org, carnil at debian.org
Control: affects -1 + src:libbytes-random-secure-perl
User: release.debian.org at packages.debian.org
Usertags: pu

Hi SRMers

[ Reason ]
libbytes-random-secure-perl is affected by CVE-2026-11625: when an
object is initialised before forking, or when the functional
interface is used, the internal state of the PRNG is shared
across processes and identical random streams will be produced.

[ Impact ]
Secrets generated in multiprocess applications are predictable across
processes.

[ Tests ]
Ran the test suite and did a debusine upload as well:
https://debusine.debian.net/debian/developers/work-request/894383/

[ Risks ]
The upstream pull request is not yet merged, but the patch is referenced
in the CPAN security advisory and was taken from there.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
> fix for this will save the current PID when the object is created,
> and then (in the bytes method) call instantiate_rng unless the PID
> is the same.

[ Other info ]
Nothing special.

Regards,
Salvatore
-------------- next part --------------
diff -Nru libbytes-random-secure-perl-0.29/debian/changelog libbytes-random-secure-perl-0.29/debian/changelog
--- libbytes-random-secure-perl-0.29/debian/changelog	2022-12-08 12:41:21.000000000 +0000
+++ libbytes-random-secure-perl-0.29/debian/changelog	2026-06-26 18:32:02.000000000 +0000
@@ -1,3 +1,16 @@
+libbytes-random-secure-perl (0.29-4~deb13u1) trixie; urgency=medium
+
+  * Rebuild for trixie
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Fri, 26 Jun 2026 20:32:02 +0200
+
+libbytes-random-secure-perl (0.29-4) unstable; urgency=medium
+
+  * Team upload.
+  * Fix incorrect usage of seed in PRNG (CVE-2026-11625)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Fri, 26 Jun 2026 17:27:21 +0200
+
 libbytes-random-secure-perl (0.29-3) unstable; urgency=medium
 
   [ Debian Janitor ]
diff -Nru libbytes-random-secure-perl-0.29/debian/patches/CVE-2026-11625-r1.patch libbytes-random-secure-perl-0.29/debian/patches/CVE-2026-11625-r1.patch
--- libbytes-random-secure-perl-0.29/debian/patches/CVE-2026-11625-r1.patch	1970-01-01 00:00:00.000000000 +0000
+++ libbytes-random-secure-perl-0.29/debian/patches/CVE-2026-11625-r1.patch	2026-06-26 18:32:02.000000000 +0000
@@ -0,0 +1,57 @@
+From 20828ef859e215565ba17a9a24af3a42b0c4360a Mon Sep 17 00:00:00 2001
+From: Robert Rothenberg <perl at rhizomnic.com>
+Date: Thu, 25 Jun 2026 14:43:11 +0100
+Subject: [PATCH] Fix for CVE-2026-11625
+
+---
+ lib/Bytes/Random/Secure.pm | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/lib/Bytes/Random/Secure.pm b/lib/Bytes/Random/Secure.pm
+index 65fbfe2..5bd3714 100644
+--- a/lib/Bytes/Random/Secure.pm
++++ b/lib/Bytes/Random/Secure.pm
+@@ -156,6 +156,7 @@ sub _build_attributes {
+       $self->{$arg} = exists $args->{$arg} ? $args->{$arg} : $default;
+     }
+ 
++    $self->{_pid} = $$;
+     $self->{_RNG} = undef;    # Lazy initialization.
+     return $self;
+ }
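Review bot: the `$self->{_pid} = $$;` added in `_build_attributes` is what keeps the later `$$ == $self->{_pid} && defined $self->{_RNG}` guards warning-free on the very first call: `$$` is compared against `_pid` before `defined $self->{_RNG}` is tested, so without this line the first comparison would read an undefined `_pid` under `use warnings`. A short comment on the assignment (record the creating PID so a later fork can be detected) would make that dependency explicit next to the existing `# Lazy initialization.` remark.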
+@@ -171,6 +172,8 @@ sub _instantiate_rng {
+     my @seeds = $self->_generate_seed( %seed_opts );
+     $self->{_RNG} = Math::Random::ISAAC->new(@seeds);
+ 
++    $self->{_pid} = $$;
++
+     return $self->{_RNG};
+ }
+ 
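Review bot: refreshing `$self->{_pid}` after `Math::Random::ISAAC->new(@seeds)` is the right place, since it means a child that has re-seeded adopts its own PID and a further fork from that child is detected again; a one-line comment saying so would save the next reader from wondering why the PID is written in two places.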
+@@ -224,7 +227,7 @@ sub bytes {
+   $bytes = defined $bytes ? $bytes : 0; # Default to zero bytes.
+   $self->_validate_int( $bytes ); # Throws on violation.
+ 
+-  $self->_instantiate_rng unless defined $self->{_RNG};
++  $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG};
+ 
+   my $str = '';
+ 
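Review bot: the guard `unless $$ == $self->{_pid} && defined $self->{_RNG}` is now copied verbatim into `bytes`, `_ranged_randoms` and `irand`; factoring it into one accessor, e.g. `sub _rng { my $self = shift; $self->_instantiate_rng unless defined $self->{_RNG} && $$ == $self->{_pid}; return $self->{_RNG} }`, and reading the RNG only through it would keep any future direct reader of `$self->{_RNG}` from reintroducing the shared-state path. Ordering the condition as `defined $self->{_RNG} && $$ == $self->{_pid}` also lets the cheap defined check short-circuit on the common first call.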
+@@ -302,7 +305,7 @@ sub _ranged_randoms {
+     $count = defined $count ? $count : 0;
+ 
+     # Lazily seed the RNG so we don't waste available strong entropy.
+-    $self->_instantiate_rng unless defined $self->{_RNG};
++    $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG};
+ 
+     my $divisor = $self->_closest_divisor($range);
+ 
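Review bot: the comment `# Lazily seed the RNG so we don't waste available strong entropy.` now describes only half of the condition below it; extending it to say that the RNG is also re-seeded when `$$` differs from the recorded `_pid` (i.e. after a fork) documents the reason for the PID comparison at the call site.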
+@@ -354,7 +357,7 @@ sub _closest_divisor {
+ 
+ sub irand {
+   my( $self ) = @_;
+-  $self->_instantiate_rng unless defined $self->{_RNG};
++  $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG};
+   return $self->{_RNG}->irand;
+ }
+ 
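Review bot: the patch file carries only the git `From:`/`Date:`/`Subject:` header and no DEP-3 fields; adding `Origin:` pointing at upstream commit 20828ef859e215565ba17a9a24af3a42b0c4360a, `Bug:` for the CPAN security advisory and `Forwarded:` for the pull request that the cover letter says is not yet merged would record where `CVE-2026-11625-r1.patch` came from and let the patch be dropped cleanly once upstream releases it.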
diff -Nru libbytes-random-secure-perl-0.29/debian/patches/series libbytes-random-secure-perl-0.29/debian/patches/series
--- libbytes-random-secure-perl-0.29/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ libbytes-random-secure-perl-0.29/debian/patches/series	2026-06-26 18:32:02.000000000 +0000
@@ -0,0 +1 @@
+CVE-2026-11625-r1.patch
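The PID-check pattern that the patch applies, as an added Python example that is not part of this bug report or of Bytes::Random::Secure: ToyCounterPrng is a constructed SHA-256 counter-mode generator standing in for Math::Random::ISAAC, seeded lazily from os.urandom. With fork_safe=False it reproduces the shared-state behaviour described under [ Reason ], and streams_after_fork() shows the parent and its forked child emitting identical bytes; with fork_safe=True the child reseeds because os.getpid() no longer matches the PID recorded at seeding time, exactly as the `$$ == $self->{_pid}` guard does in the Perl fix. All class, function and parameter names here are assumptions of this example.

```python
"""Added example (not part of the Debian bug report or of Bytes::Random::Secure):
a lazily seeded userland PRNG that, like the CVE-2026-11625 fix, records the PID
that seeded it and reseeds when a different process touches it."""
import hashlib
import os
import struct


class ToyCounterPrng:
    """Deterministic SHA-256 counter-mode generator, a stand-in for ISAAC.

    Seeded lazily from os.urandom on first use.  With fork_safe=False it
    reproduces the vulnerable behaviour: a forked child inherits the seeded
    state and emits the same stream as the parent.
    """

    def __init__(self, fork_safe=True):
        self._fork_safe = fork_safe
        self._state = None       # lazy initialisation, as in the Perl module
        self._counter = 0
        self._pid = os.getpid()  # remember which process created the object

    def _instantiate(self):
        # Fresh seed from the OS; the kernel pool is not shared across a fork.
        self._state = hashlib.sha256(os.urandom(32)).digest()
        self._counter = 0
        self._pid = os.getpid()  # the process that owns this seed

    def bytes(self, n):
        # Vulnerable form: reseed only if never seeded.
        # Fixed form: also reseed when the PID changed (we are a forked child).
        need_seed = self._state is None
        if self._fork_safe and os.getpid() != self._pid:
            need_seed = True
        if need_seed:
            self._instantiate()
        out = b""
        while len(out) < n:
            block = hashlib.sha256(self._state + struct.pack(">Q", self._counter)).digest()
            self._counter += 1
            out += block
        return out[:n]


def streams_after_fork(prng, n=16):
    """Seed prng in the parent, fork, and return (parent_bytes, child_bytes).

    The child sends its n bytes back over a pipe so the two streams can be
    compared in the parent.
    """
    prng.bytes(1)  # seed *before* the fork: the ordering the CVE describes
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: emit n bytes to the parent and exit immediately
        os.close(r)
        with os.fdopen(w, "wb") as f:
            f.write(prng.bytes(n))
        os._exit(0)
    os.close(w)
    with os.fdopen(r, "rb") as f:
        child = f.read()
    os.waitpid(pid, 0)
    parent = prng.bytes(n)
    return parent, child


if __name__ == "__main__":
    p, c = streams_after_fork(ToyCounterPrng(fork_safe=False))
    print("vulnerable: identical streams =", p == c)
    p, c = streams_after_fork(ToyCounterPrng(fork_safe=True))
    print("fixed:      identical streams =", p == c)
```

The comparison is deliberately done in the parent after the fork: both processes continue from the same counter value, so the vulnerable variant yields byte-for-byte equal output, which is the "predictable across processes" impact the report names; the fixed variant only differs because the child's first call notices the PID mismatch and re-seeds.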

