oss-sec mailing list archives

Re: CVE Request -- perl-Crypt-DSA -- Cryptographically insecure method used for random numbers generation on systems without /dev/random


From: Josh Bressers <bressers () redhat com>
Date: Wed, 05 Oct 2011 15:23:53 -0400 (EDT)

Please use CVE-2011-3599 for this.

Thanks.

-- 
    JB

----- Original Message -----
Hello Josh, Steve, vendors,

   it has been reported that Crypt::DSA, a Perl module for DSA
signatures and key generation, used a cryptographically weak / insecure
method for random number generation on systems where the /dev/random
file was not present. Due to this flaw an attacker might be able to
discover some portions of / the whole secret DSA key which has been
created on such a system.

References:
[1] http://secunia.com/advisories/46275/
[2] https://rt.cpan.org/Public/Bug/Display.html?id=71421
[3] https://bugzilla.redhat.com/show_bug.cgi?id=743567

The proposed upstream patch is to remove the affected fallback code:
[4] https://rt.cpan.org/Public/Bug/Display.html?id=71421#txn-984052
     (though not approved yet)

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
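The key-recovery path the report describes, as an added example for this thread (Python, not Crypt::DSA's Perl and not the module's actual fallback code): a toy DSA over small, deterministically generated parameters signs with a nonce drawn from a constructed PRNG whose only entropy is a guessable 32-bit seed, standing in for a clock or PID. An attacker who can bound that seed enumerates candidates until one reproduces r, and a single (r, s, k) triple gives the private key x = (s*k - H(m)) * r^-1 mod q. The names weak_random, recover_private_key, the seed window and all sample values are assumptions of this example.

```python
"""Toy DSA: a nonce from a guessable seed gives up the private key.

Added example for this thread, not code from Crypt::DSA.  `weak_random` is a
constructed stand-in for an RNG fallback whose only entropy is a small seed.
"""
import hashlib
import random

# Bases that make Miller-Rabin deterministic for n < 3.3e24 (~2^81).
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Deterministic Miller-Rabin for the toy sizes used here."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_params(qbits=48, pbits=78):
    """Deterministic search for toy DSA parameters p, q, g with p = k*q + 1."""
    q = (1 << (qbits - 1)) | 1
    while not is_prime(q):
        q += 2
    k = (1 << (pbits - 1)) // q
    k += k % 2                       # even k keeps p = k*q + 1 odd
    while not is_prime(k * q + 1):
        k += 2
    p = k * q + 1
    for h in range(2, 100):          # g = h^((p-1)/q) has order q unless it is 1
        g = pow(h, k, p)
        if g != 1:
            return p, q, g
    raise RuntimeError("no generator found")


def hash_to_int(msg, q):
    """H(m) reduced mod q (signer and attacker must agree, nothing more)."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q


def weak_random(seed, q):
    """Constructed weak nonce source: all entropy is `seed` (think clock/PID)."""
    rng = random.Random(seed)
    return 1 + rng.getrandbits(q.bit_length() + 8) % (q - 1)   # in [1, q-1]


def sign(params, x, msg, k):
    p, q, g = params
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (hash_to_int(msg, q) + x * r)) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, pick another k")
    return r, s


def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = (hash_to_int(msg, q) * w) % q, (r * w) % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r


def recover_private_key(params, y, msg, sig, seed_lo, seed_hi):
    """Attacker: the seed whose nonce reproduces r reveals k, and one
    (r, s, k) gives x = (s*k - H(m)) * r^-1 mod q; confirm against y."""
    p, q, g = params
    r, s = sig
    h, r_inv = hash_to_int(msg, q), pow(r, -1, q)
    for seed in range(seed_lo, seed_hi):
        k = weak_random(seed, q)
        if pow(g, k, p) % q != r:
            continue
        x = ((s * k - h) * r_inv) % q
        if pow(g, x, p) == y:
            return x
    return None


def demo(signing_time=1317842633, window=1800):
    """Victim seeds the nonce from a (constructed) clock value; an attacker
    who knows the signing time to within +-window seconds recovers x."""
    params = make_params()
    p, q, g = params
    x = 1 + int.from_bytes(hashlib.sha1(b"constructed key").digest(), "big") % (q - 1)
    y = pow(g, x, p)
    msg = b"sign me"
    sig = sign(params, x, msg, weak_random(signing_time, q))
    assert verify(params, y, msg, sig)
    found = recover_private_key(params, y, msg, sig,
                                signing_time - window, signing_time + window)
    return {"private_key": x, "recovered": found, "params": params}


def attack_succeeds():
    d = demo()
    return d["recovered"] == d["private_key"]


if __name__ == "__main__":
    d = demo()
    print("private key x:", hex(d["private_key"]))
    print("recovered   x:", hex(d["recovered"]))
```

The same enumeration applies, more cheaply, when the private key x itself was drawn from the weak source at key-generation time: the attacker skips the signature entirely and checks pow(g, x, p) == y for each candidate. Either way the cost is the size of the seed space, not the size of q, which is why a fallback with only clock or PID entropy is a key-recovery bug rather than a quality concern.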
