1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73
|
From 5e9e51f574f7e64e8c014e9e4f00ee8fd87a5335 Mon Sep 17 00:00:00 2001
From: Stig Palmquist <git@stig.io>
Date: Sat, 1 Mar 2025 00:19:54 +0100
Subject: [PATCH] Use secure random source for salts
This commit replaces `rand()` as source for salts used in password
hashing with Crypt::URandom and Crypt::URandom::Token.
Fixes CVE-2025-27551 and CVE-2025-27552
---
cpanfile | 2 ++
lib/DBIx/Class/EncodedColumn/Crypt/Eksblowfish/Bcrypt.pm | 3 ++-
lib/DBIx/Class/EncodedColumn/Digest.pm | 3 ++-
3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/cpanfile b/cpanfile
index ffba3c4..5b4d849 100644
--- a/cpanfile
+++ b/cpanfile
@@ -2,6 +2,8 @@
requires 'DBIx::Class' => '0.06002';
requires 'Sub::Name' => '0.04';
requires 'Encode';
+requires 'Crypt::URandom';
+requires 'Crypt::URandom::Token';
recommends 'Digest';
recommends 'Digest::SHA';
diff --git a/lib/DBIx/Class/EncodedColumn/Crypt/Eksblowfish/Bcrypt.pm b/lib/DBIx/Class/EncodedColumn/Crypt/Eksblowfish/Bcrypt.pm
index 29eabd8..53dda70 100644
--- a/lib/DBIx/Class/EncodedColumn/Crypt/Eksblowfish/Bcrypt.pm
+++ b/lib/DBIx/Class/EncodedColumn/Crypt/Eksblowfish/Bcrypt.pm
@@ -3,6 +3,7 @@ package DBIx::Class::EncodedColumn::Crypt::Eksblowfish::Bcrypt;
use strict;
use warnings;
use Crypt::Eksblowfish::Bcrypt ();
+use Crypt::URandom qw( urandom );
use Encode qw(is_utf8 encode_utf8);
our $VERSION = '0.00001';
@@ -30,7 +31,7 @@ sub make_encode_sub {
$plain_text = encode_utf8($plain_text);
}
unless ( $settings_str ) {
- my $salt = join('', map { chr(int(rand(256))) } 1 .. 16);
+ my $salt = urandom(16);
$salt = Crypt::Eksblowfish::Bcrypt::en_base64( $salt );
$settings_str = $settings_base.$salt;
}
diff --git a/lib/DBIx/Class/EncodedColumn/Digest.pm b/lib/DBIx/Class/EncodedColumn/Digest.pm
index f00931e..26f30ad 100644
--- a/lib/DBIx/Class/EncodedColumn/Digest.pm
+++ b/lib/DBIx/Class/EncodedColumn/Digest.pm
@@ -4,6 +4,7 @@ use strict;
use warnings;
use Digest;
use Encode qw( str2bytes );
+use Crypt::URandom::Token qw( urandom_token );
our $VERSION = '0.00001';
@@ -49,7 +50,7 @@ sub make_encode_sub {
my $encoder = sub {
my ($plain_text, $salt) = @_;
$plain_text = str2bytes($encode, $plain_text, Encode::FB_PERLQQ | Encode::LEAVE_SRC) if $encode;
- $salt ||= join('', map { $salt_pool[int(rand(65))] } 1 .. $slen);
+ $salt ||= $slen ? urandom_token($slen, \@salt_pool) : "";
$object->reset()->add($plain_text.$salt);
my $digest = $object->$format_method;
#print "${plain_text}\t ${salt}:\t${digest}${salt}\n" if $salt;
--
2.49.0
|