732642 – <dev-perl/Crypt-Random-Source-0.140.0: Weak random provider removed

Bug 732642 - <dev-perl/Crypt-Random-Source-0.140.0: Weak random provider removed

Summary: <dev-perl/Crypt-Random-Source-0.140.0: Weak random provider removed

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2020-07-14 21:22 UTC by Sam James
Modified:	2021-06-02 13:21 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	No

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2020-07-14 21:22:02 UTC

From https://gitweb.gentoo.org/repo/gentoo.git/commit?id=c0aaf46b750b10842f1436cb5d334c53004b71ff:

"Upstream:
- Remove backend Weak::rand due to poor quality entropy"

We should see if anybody was using this backend (or any other weak backends in this package) and act accordingly.

Comment 1 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev

2020-07-14 23:55:21 UTC

By the removal of the backend, it means code that explicitly tries to use that backend will break, and code that doesn't explicitly try to use that backend, will not break, and won't get bad randomness.

So I don't think this warrants SEC attention, beyond "stablize, get rid of old versions, make sure no rev-deps break"

Comment 2 Sam James archtester

2020-07-14 23:57:52 UTC

(In reply to Kent Fredric (IRC: kent\n) from comment #1)
> By the removal of the backend, it means code that explicitly tries to use
> that backend will break, and code that doesn't explicitly try to use that
> backend, will not break, and won't get bad randomness.
> 
> So I don't think this warrants SEC attention, beyond "stablize, get rid of
> old versions, make sure no rev-deps break"

Okay, sure. I was thinking of other possible consumers for other providers but that's really such a pandora's box.

Comment 3 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev

2020-07-15 09:16:34 UTC

Though, hmm.

https://metacpan.org/pod/Crypt::Random::Source#CAVEATS

> In versions prior to 0.13, rand could be used as a result of calling get_weak,
> or get, if no random device was available. This implies that not explicitly 
> asking for get_strong on a non POSIX operating system (e.g. Win32 without 
> the Win32 backend) could have resulted in non cryptographically random data.

But the only place I can see `get_weak` used on CPAN is this line:

https://metacpan.org/release/Crypt-Rijndael-PP/source/lib/Crypt/Rijndael/PP.pm#L101

And we don't ship this.

Comment 4 John Helmert III archtester

2021-01-06 08:45:10 UTC

Can we stable this now?

Comment 5 Sam James archtester

2021-01-27 22:44:19 UTC

amd64 done

Comment 6 Sam James archtester

2021-02-01 04:42:51 UTC

x86 done

all arches done

Comment 7 John Helmert III archtester

2021-02-01 04:55:52 UTC

Please cleanup, thanks!

Comment 8 Larry the Git Cow gentoo-dev

2021-05-08 13:04:29 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=08625cc452d6994be9556fbdac6217d5d74e9282

commit 08625cc452d6994be9556fbdac6217d5d74e9282
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-05-08 13:04:11 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-05-08 13:04:11 +0000

    dev-perl/Crypt-Random-Source: Remove old
    
    Bug: https://bugs.gentoo.org/732642
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 .../Crypt-Random-Source-0.120.0.ebuild             | 36 ----------------------
 dev-perl/Crypt-Random-Source/Manifest              |  1 -
 2 files changed, 37 deletions(-)

Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev

2021-06-02 13:21:18 UTC

Nothing left to do for us.