Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 386595 (CVE-2011-3599) - dev-perl/crypt-dsa: Insecure random number generation (CVE-2011-3599)
Summary: dev-perl/crypt-dsa: Insecure random number generation (CVE-2011-3599)
Status: RESOLVED WONTFIX
Alias: CVE-2011-3599
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/46275/
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-10-10 00:18 UTC by Tim Sammut (RETIRED)
Modified: 2014-03-15 06:35 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-10-10 00:18:55 UTC 
From the third-party advisory at $URL:

Description

A security issue has been reported in the Crypt-DSA module for Perl, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to the module using a cryptographically insecure method to generate random numbers when "/dev/random" is not available, which can lead to cryptographically weak keys.

Successful exploitation requires that "/dev/random" is not available (e.g. running on a Windows system).

The security issue is reported in version 1.17. Other versions may also be affected.
Comment 1 Agostino Sarubbo gentoo-dev 2011-10-10 10:04:12 UTC 
Tim, imho linux is not affected, because there is /dev/random. What do you think about?
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2011-10-10 16:40:07 UTC 
CVE-2011-3599 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3599):
  The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when
  /dev/random is absent, uses the Data::Random module, which makes it easier
  for remote attackers to spoof a signature, or determine the signing key of a
  signed message, via a brute-force attack.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-10-11 22:22:07 UTC 
(In reply to comment #1)
> Tim, imho linux is not affected, because there is /dev/random. What do you
> think about?

No idea. ;) @perl?
Comment 4 Sergey Popov (RETIRED) gentoo-dev 2013-08-22 09:51:52 UTC 
How about asking Prefix? IIRC they have some windows prefix, maybe they will be affected?
Comment 5 Sergey Popov (RETIRED) gentoo-dev 2013-08-22 09:58:44 UTC 
Sorry for bugspam, @prefix, package has no windows-related keywords

So, @perl - your turn :-)
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-03-15 06:35:56 UTC 
I'd say it is not actual for us