This queue is for tickets about the Crypt-DSA CPAN distribution.

Report information
The Basics
Id: 71421
Status: open
Priority: 0/
Queue: Crypt-DSA

People
Owner: Nobody in particular
Requestors: H.LiebermanBerg [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 1.17
Fixed in: (no value)



Subject: Systems without /dev/random may leak secret key
As taught by the '09 Debian PGP disaster relating to DSA, the randomness source is extremely important.

On systems without /dev/random, Crypt::DSA falls back to using Data::Random. Data::Random uses rand(), about which the perldoc says "rand() is not cryptographically secure. You should not rely on it in security-sensitive situations." In the case of DSA, this is even worse. Using improperly secure randomness sources can compromise the signing key upon signature of a message. See: http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/

I will provide a patch to disable this fallback. Bug 21968 should be closed as INVALID.

Sincerely,
Harlan Lieberman-Berg
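Worked illustration of the failure mode the report above describes, added here as an example; it is not part of this ticket and not Crypt::DSA code. It implements textbook DSA over toy-sized parameters generated on the fly, draws the per-signature nonce k from a seeded non-cryptographic PRNG (Python's Mersenne Twister standing in for Perl's rand()), and shows two recoveries of the private key x: from a guessed seed, and from the same k used for two messages. The key, seed, messages and all function names are constructed for the example; the parameters are far too small for real use.

```python
"""Added example (not Crypt::DSA code): a predictable or reused DSA nonce k
leaks the private key x. Toy parameters; Python 3.8+ for pow(a, -1, q)."""
import hashlib
import random


def is_probable_prime(n, rounds=20):
    """Miller-Rabin with fixed-seed witnesses so the run is deterministic."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(1)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_params():
    """Return (p, q, g): q a 31-bit Mersenne prime, q | p-1, g of order q."""
    q = 2**31 - 1
    m = 2
    while not is_probable_prime(m * q + 1):
        m += 2                                  # keep p = m*q + 1 odd
    p = m * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)


def inv(a, q):
    return pow(a % q, -1, q)


def hash_to_int(msg, q):
    """SHA-1 truncated to the bit length of q, as FIPS 186 specifies."""
    digest = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    return digest >> max(0, 160 - q.bit_length())


def sign(params, x, msg, k):
    """Textbook DSA; k must be secret and uniform in [1, q-1] for every signature."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = inv(k, q) * (hash_to_int(msg, q) + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate k; pick another")
    return r, s


def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w, h = inv(s, q), hash_to_int(msg, q)
    return (pow(g, h * w % q, p) * pow(y, r * w % q, p) % p) % q == r


def recover_x_from_k(q, sig, h, k):
    """s = k^-1 (h + x r)  =>  x = (s k - h) r^-1  (mod q)."""
    r, s = sig
    return (s * k - h) * inv(r, q) % q


def recover_k_from_reuse(q, sig1, h1, sig2, h2):
    """Same k twice gives the same r, and k = (h1 - h2) (s1 - s2)^-1 (mod q)."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or (s1 - s2) % q == 0:
        raise ValueError("signatures do not share a usable k")
    return (h1 - h2) * inv(s1 - s2, q) % q


def demo():
    """Victim draws k from a seeded non-crypto PRNG (stand-in for rand());
    returns (true x, x recovered from a guessed seed, x recovered from k reuse)."""
    params = toy_params()
    p, q, g = params
    x = random.Random(42).randrange(1, q)       # constructed private key
    y = pow(g, x, p)
    msg1, msg2 = b"transfer 100", b"transfer 200"
    seed = 1318000000                           # e.g. a timestamp the attacker can guess
    k = random.Random(seed).randrange(1, q)     # weak nonce source
    sig1, sig2 = sign(params, x, msg1, k), sign(params, x, msg2, k)
    assert verify(params, y, msg1, sig1) and verify(params, y, msg2, sig2)
    h1, h2 = hash_to_int(msg1, q), hash_to_int(msg2, q)
    k_guess = random.Random(seed).randrange(1, q)          # attacker replays the PRNG
    x_from_seed = recover_x_from_k(q, sig1, h1, k_guess)
    x_from_reuse = recover_x_from_k(q, sig1, h1, recover_k_from_reuse(q, sig1, h1, sig2, h2))
    return x, x_from_seed, x_from_reuse


if __name__ == "__main__":
    x, a, b = demo()
    print("x recovered via guessed seed:", a == x, "| via k reuse:", b == x)
```

The point the report makes is the first recovery: one signature plus a reproducible k is enough, so an attacker need only narrow down the PRNG state (seed, time, or pid on the platforms where rand() is seeded from them). The second recovery needs no knowledge of the generator at all, only two signatures that happened to share k, which is what a low-entropy source makes likely.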
From: H.LiebermanBerg [...] gmail.com
Patch is attached. Best, -Harlan
Subject: remove-fallback.patch
Description: Remove the ability to fall back to Data::Random Forwarded: yes Bug: https://rt.cpan.org/Public/Bug/Display.html?id=71421 Author: Harlan Lieberman-Berg <H.LiebermanBerg@gmail.com> --- a/lib/Crypt/DSA/Util.pm +++ b/lib/Crypt/DSA/Util.pm @@ -64,11 +64,8 @@ } close $fh; } - elsif ( require Data::Random ) { - $r .= Data::Random::rand_chars( set=>'numeric' ) for 1..$bytes; - } else { - croak "makerandom requires /dev/random or Data::Random"; + croak "makerandom requires /dev/random"; } my $down = $size - 1; $r = unpack 'H*', pack 'B*', '0' x ( $size % 8 ? 8 - $size % 8 : 0 ) .
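Review bot: the `else` branch this hunk keeps is now the only path taken when /dev/random cannot be opened, and the removed `elsif ( require Data::Random )` never really guarded it: `require` dies rather than returning false when the module is absent, so the old croak was unreachable and the previous code either used Data::Random or died with a load error. The new message `croak "makerandom requires /dev/random"` is accurate; the same removal should also be reflected in the module's POD wherever the Data::Random fallback is documented, in any Data::Random prerequisite the distribution declares, and in a Changes entry that cites this ticket.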
From: paul [...] city-fan.org
This issue has been assigned CVE reference CVE-2011-3599
I bumped Adam about getting a release out on this CVE.