File: CVE-2025-40920.patch

From ad2c03aad95406db4ce35dfb670664ebde004c18 Mon Sep 17 00:00:00 2001
From: Robert Rothenberg <rrwo@cpan.org>
Date: Sun, 3 Aug 2025 14:18:20 +0100
Subject: [PATCH] Use Crypt::SysRandom to generate nonces instead of Data::UUID

The nonce should be generated from a strong cryptographic source as per
RFC 7616.

Data::UUID generates v3 UUIDs, which are generated from known
information and are unsuitable for security, as per RFC 9562.

Data::UUID does not use a strong cryptographic source for generating
UUIDs.


Bug: https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/pull/1
Origin: https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/pull/1
Bug-Debian: https://bugs.debian.org/1110887
CVE: https://security-tracker.debian.org/tracker/CVE-2025-40920

---
 dist.ini                                       |  1 +
 lib/Catalyst/Authentication/Credential/HTTP.pm | 13 ++++++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/dist.ini b/dist.ini
index 2f66a7f..ad07ae5 100644
--- a/dist.ini
+++ b/dist.ini
@@ -22,6 +22,7 @@ StaticInstall.dry_run = 0   ; we can safely set this here
 
 [Prereqs]
 Catalyst::Plugin::Authentication = 0.10005
+Crypt::SysRandom = 0
 
 [Prereqs / DevelopRequires]
 Test::WWW::Mechanize::Catalyst = 0.51
diff --git a/lib/Catalyst/Authentication/Credential/HTTP.pm b/lib/Catalyst/Authentication/Credential/HTTP.pm
index c139ee2..8ceb0ae 100644
--- a/lib/Catalyst/Authentication/Credential/HTTP.pm
+++ b/lib/Catalyst/Authentication/Credential/HTTP.pm
@@ -380,7 +380,9 @@ package # hide from PAUSE
 
 use strict;
 use base qw[ Class::Accessor::Fast ];
-use Data::UUID 0.11 ();
+use Crypt::SysRandom;
+
+# RECOMMEND PRERQ: Crypt::SysRandom::XS 0.009
 
 __PACKAGE__->mk_accessors(qw[ nonce nonce_count qop opaque algorithm ]);
 
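Review bot: `use Crypt::SysRandom;` on the new import line pulls the module's default export (random_bytes) into this hidden package, while the new code calls it fully qualified; the removed line used the empty-list form, so `use Crypt::SysRandom ();` keeps the package namespace unchanged. The comment on the following added line has a typo and should read `# RECOMMEND PREREQ: Crypt::SysRandom::XS 0.009`. The same point about importing nothing applies to the dist.ini entry only insofar as no minimum version is pinned there either (`Crypt::SysRandom = 0`); whether any version constraint is needed is not visible from the patch.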
@@ -388,8 +390,8 @@ sub new {
     my $class = shift;
     my $self  = $class->SUPER::new(@_);
 
-    $self->nonce( Data::UUID->new->create_b64 );
-    $self->opaque( Data::UUID->new->create_b64 );
+    $self->nonce( $self->_generate_nonce );
+    $self->opaque( $self->_generate_nonce );
     $self->qop('auth,auth-int');
     $self->nonce_count('0x0');
     $self->algorithm('MD5');
@@ -397,6 +399,11 @@ sub new {
     return $self;
 }
 
+sub _generate_nonce {
+    return unpack('H*', Crypt::SysRandom::random_bytes(20));
+}
+
+
 1;
 
 __END__
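Review bot: `_generate_nonce` carries no comment explaining the 20-byte size or the hex encoding, and in the previous hunk it also supplies the opaque value, so a header such as `# 160 bits from the OS CSPRNG (Crypt::SysRandom), hex-encoded so the value only contains characters legal in an RFC 7616 quoted-string; used for both nonce and opaque.` would document the contract. Whether random_bytes dies or returns a short string when the OS source is unavailable is not visible here; if it can return fewer than 20 bytes, the result should be length-checked before it is used as a nonce. The value is generated once in new(), so how fresh the nonce is per challenge depends on how often that object is constructed, which lies outside this patch. Two blank lines now separate the new sub from `1;` where the surrounding code uses one.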