
Bug 91414

Summary: dev-perl/Net-SSLeay: Entropy Source Manipulation
Product: Gentoo Security
Reporter: Jean-François Brunette (RETIRED)
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: perl
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://secunia.com/advisories/15207/
Whiteboard:
Package list:
Runtime testing required: ---

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-05-04 04:57:17 UTC
Description:
Javier Fernandez-Sanguino Pena has reported a vulnerability in the Net::SSLeay module for Perl, which can be exploited by malicious, local users to weaken certain cryptographic operations.

The vulnerability is caused due to an error where the entropy source is improperly taken from a temporary file if the "EGD_PATH" environment variable is not defined. This can be exploited to weaken certain cryptographic operations via a "/tmp/entropy" file with known contents.

Solution:
Set the "EGD_PATH" environment variable.

Provided and/or discovered by:
Javier Fernandez-Sanguino Pena

Original Advisory:
http://www.ubuntulinux.org/support/documentation/usn/usn-113-1
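An added illustration, not code from the bug report or from Net::SSLeay itself: a small Python model of the fallback the advisory describes (EGD_PATH if set, otherwise a file under /tmp), plus the filesystem check an administrator would run against whichever source ends up being used. The exact Net::SSLeay seeding logic is not on this page, so the model is an assumption that takes the advisory's description literally; the audit rules (exists, not a symlink, owned by root or the current user, not group- or world-writable, parent not world-writable) are the standard criteria for trusting a seed source.

```python
import os
import stat

DEFAULT_FALLBACK = "/tmp/entropy"  # the fallback path named in the advisory


def select_entropy_source(env, fallback=DEFAULT_FALLBACK):
    """Model of the described behaviour: EGD_PATH when set, else the temp-file fallback."""
    path = env.get("EGD_PATH")
    return path if path else fallback


def audit_entropy_source(path):
    """Return the reasons `path` is unsafe to seed from; an empty list means no finding.

    A seed file that does not exist, or that lives where any local user can create or
    modify it, lets that user pick the seed bytes, which is exactly the advisory's issue.
    """
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing: any local user could pre-create it with known contents"]
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink: target can be redirected to attacker-chosen data")
    if st.st_uid not in (0, os.getuid()):
        findings.append("owned by another user: contents cannot be trusted")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable: contents can be replaced")
    parent = os.stat(os.path.dirname(path) or ".")
    if parent.st_mode & stat.S_IWOTH:
        findings.append("parent directory is world-writable: file can be pre-created")
    return findings


def check_current_environment(env=None):
    """Convenience wrapper: which source would be used here, and what is wrong with it."""
    source = select_entropy_source(os.environ if env is None else env)
    return source, audit_entropy_source(source)


if __name__ == "__main__":
    src, problems = check_current_environment()
    print(f"entropy source: {src}")
    for p in problems or ["no findings"]:
        print(f"  - {p}")
```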
Comment 1 Michael Cummings (RETIRED) gentoo-dev 2005-05-04 07:30:45 UTC
Haven't we already discussed this one - and it was moot because we don't use/provide egd?
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-04 08:30:43 UTC
Old comment from mcummings:

"No such beast in our tree (EGD that is) - it's a perl implementation to mimic /dev/random for systems that don't have one (http://egd.sourceforge.net/) - but since in Gentoo land we all have one (and those ports of portage folks - mac and bsd - haven't said anything if they don't) it hasn't been/isn't an issue. I'd say this is nice, but not applicable."

So I'm closing this as INVALID. If anyone disagrees, please feel free to reopen.