File: 0001-Use-secure-random-source-for-salts.patch

package info (click to toggle)
libdbix-class-encodedcolumn-perl 0.00020-3
  • links: PTS, VCS
  • area: main
  • in suites: sid, trixie
  • size: 268 kB
  • sloc: perl: 618; sql: 48; makefile: 2
file content (73 lines) | stat: -rw-r--r-- 2,676 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
From 5e9e51f574f7e64e8c014e9e4f00ee8fd87a5335 Mon Sep 17 00:00:00 2001
From: Stig Palmquist <git@stig.io>
Date: Sat, 1 Mar 2025 00:19:54 +0100
Subject: [PATCH] Use secure random source for salts

This commit replaces `rand()` as source for salts used in password
hashing with Crypt::URandom and Crypt::URandom::Token.

Fixes CVE-2025-27551 and CVE-2025-27552
---
 cpanfile                                                 | 2 ++
 lib/DBIx/Class/EncodedColumn/Crypt/Eksblowfish/Bcrypt.pm | 3 ++-
 lib/DBIx/Class/EncodedColumn/Digest.pm                   | 3 ++-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/cpanfile b/cpanfile
index ffba3c4..5b4d849 100644
--- a/cpanfile
+++ b/cpanfile
@@ -2,6 +2,8 @@
 requires 'DBIx::Class' => '0.06002';
 requires 'Sub::Name' => '0.04';
 requires 'Encode';
+requires 'Crypt::URandom';
+requires 'Crypt::URandom::Token';
 
 recommends 'Digest';
 recommends 'Digest::SHA';
diff --git a/lib/DBIx/Class/EncodedColumn/Crypt/Eksblowfish/Bcrypt.pm b/lib/DBIx/Class/EncodedColumn/Crypt/Eksblowfish/Bcrypt.pm
index 29eabd8..53dda70 100644
--- a/lib/DBIx/Class/EncodedColumn/Crypt/Eksblowfish/Bcrypt.pm
+++ b/lib/DBIx/Class/EncodedColumn/Crypt/Eksblowfish/Bcrypt.pm
@@ -3,6 +3,7 @@ package DBIx::Class::EncodedColumn::Crypt::Eksblowfish::Bcrypt;
 use strict;
 use warnings;
 use Crypt::Eksblowfish::Bcrypt ();
+use Crypt::URandom qw( urandom );
 use Encode qw(is_utf8 encode_utf8);
 
 our $VERSION = '0.00001';
@@ -30,7 +31,7 @@ sub make_encode_sub {
       $plain_text = encode_utf8($plain_text);
     }
     unless ( $settings_str ) {
-      my $salt = join('', map { chr(int(rand(256))) } 1 .. 16);
+      my $salt = urandom(16);
       $salt = Crypt::Eksblowfish::Bcrypt::en_base64( $salt );
       $settings_str =  $settings_base.$salt;
     }
diff --git a/lib/DBIx/Class/EncodedColumn/Digest.pm b/lib/DBIx/Class/EncodedColumn/Digest.pm
index f00931e..26f30ad 100644
--- a/lib/DBIx/Class/EncodedColumn/Digest.pm
+++ b/lib/DBIx/Class/EncodedColumn/Digest.pm
@@ -4,6 +4,7 @@ use strict;
 use warnings;
 use Digest;
 use Encode qw( str2bytes );
+use Crypt::URandom::Token qw( urandom_token );
 
 our $VERSION = '0.00001';
 
@@ -49,7 +50,7 @@ sub make_encode_sub {
   my $encoder = sub {
     my ($plain_text, $salt) = @_;
     $plain_text = str2bytes($encode, $plain_text,  Encode::FB_PERLQQ | Encode::LEAVE_SRC) if $encode;
-    $salt ||= join('', map { $salt_pool[int(rand(65))] } 1 .. $slen);
+    $salt ||= $slen ? urandom_token($slen, \@salt_pool) : "";
     $object->reset()->add($plain_text.$salt);
     my $digest = $object->$format_method;
     #print "${plain_text}\t ${salt}:\t${digest}${salt}\n" if $salt;
-- 
2.49.0