Bug 11226 - perl-Crypt-DSA new security issue CVE-2011-3599
: perl-Crypt-DSA new security issue CVE-2011-3599
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/566719/
: MGA2TOO MGA2-32-OK MGA2-64-OK MGA3-64...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-09-13 18:16 CEST by David Walser
Modified: 2013-09-24 23:46 CEST (History)
4 users (show)

See Also:
Source RPM: perl-Crypt-DSA-1.170.0-2.mga3.src.rpm
CVE:


Attachments
perl script for testing perl-Crypt-DSA (502 bytes, text/plain)
2013-09-24 22:27 CEST, Dave Hodgins
Details

Description David Walser 2013-09-13 18:16:24 CEST
Fedora has issued an advisory on September 4:
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115603.html

Fedora patch to fix this issue:
http://pkgs.fedoraproject.org/cgit/perl-Crypt-DSA.git/plain/remove-fallback.patch?id=aadaaacc0620568258e1311124accebc22be8c83

Reproducible: 

Steps to Reproduce:
Comment 1 Sander Lepik 2013-09-24 13:49:11 CEST
I have uploaded patched packages for Mageia 2 and 3.

No idea how to test it.

Suggested advisory:
========================

The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when /dev/random is absent, uses the Data::Random module, which makes it easier for remote attackers to spoof a signature, or determine the signing key of a signed message, via a brute-force attack.

This update removes the fallback to Data::Random.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3599
http://lwn.net/Vulnerabilities/566719/
========================

Updated packages in core/updates_testing:
========================
Mageia 3:
perl-Crypt-DSA-1.170.0-2.1.mga3.noarch.rpm

Source RPM: 
perl-Crypt-DSA-1.170.0-2.1.mga3.src.rpm


Mageia 2:
perl-Crypt-DSA-1.170.0-1.1.mga2.noarch.rpm

Source RPM:
perl-Crypt-DSA-1.170.0-1.1.mga2.src.rpm
Comment 2 David Walser 2013-09-24 13:55:04 CEST
Thanks Sander!

Just making some minor formatting changes to the advisory.

Suggested advisory:
========================

The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when
/dev/random is absent, uses the Data::Random module, which makes it easier
for remote attackers to spoof a signature, or determine the signing key of
a signed message, via a brute-force attack (CVE-2011-3599).

This update removes the fallback to Data::Random.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3599
https://lists.fedoraproject.org/pipermail/package-announce/2013-September/115603.html
========================

Updated packages in core/updates_testing:
========================
perl-Crypt-DSA-1.170.0-1.1.mga2
perl-Crypt-DSA-1.170.0-2.1.mga3

Source RPMs:
perl-Crypt-DSA-1.170.0-1.1.mga2.src.rpm
perl-Crypt-DSA-1.170.0-2.1.mga3.src.rpm
Comment 3 Dave Hodgins 2013-09-24 20:38:08 CEST
Advisory 11226.adv committed to svn.
Comment 4 Dave Hodgins 2013-09-24 22:27:14 CEST
Created attachment 4373 [details]
perl script for testing perl-Crypt-DSA
Comment 5 Dave Hodgins 2013-09-24 22:33:07 CEST
Testing complete on Mageia 2 i586.

Before the update, after temporarily renaming /dev/random and /dev/urandom)
Script fails with Can't locate Data/Random.pm.

After the update it fails with makerandom requires /dev/random.
After renaming /dev/random and urandom back to normal, the script works.
Note that there is no output. Using strace output to verify it's working.

I'll test x86_64 and Mageia 3 shortly.
Comment 6 Dave Hodgins 2013-09-24 23:08:21 CEST
Testing complete.

Someone from the sysadmin team please push 11226.adv to updates.
Comment 7 Thomas Backlund 2013-09-24 23:46:19 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0289.html

Note You need to log in before you can comment on or make changes to this bug.