oss-sec mailing list archives

CVE Request -- perl-Crypt-DSA -- Cryptographically insecure method used for random numbers generation on systems without /dev/random


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 05 Oct 2011 14:03:19 +0200

Hello Josh, Steve, vendors,

  it has been reported that Crypt::DSA, a Perl module for DSA
signatures and key generation, used a cryptographically weak / insecure
method for random number generation on systems where the /dev/random file
was not present. Due to this flaw an attacker could be able to discover
some portions of / the whole secret DSA key which has been created on such
a system.

References:
[1] http://secunia.com/advisories/46275/
[2] https://rt.cpan.org/Public/Bug/Display.html?id=71421
[3] https://bugzilla.redhat.com/show_bug.cgi?id=743567

Proposed upstream patch is to remove the affected fallback code part:
[4] https://rt.cpan.org/Public/Bug/Display.html?id=71421#txn-984052
    (though not approved yet)

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
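The pattern described in the report, as an added example that is not part of the original mail and not Crypt::DSA's own code: a random-byte generator that reads /dev/random when it exists and otherwise falls back to a non-cryptographic PRNG, beside the fail-closed version that removing the fallback amounts to, and the attacker-side brute force that makes the weak path dangerous. Python stands in for Perl here. Assumptions, not facts from the report: the weak fallback is modelled as a Mersenne-Twister PRNG seeded from a guessable 16-bit value (SEED_BITS), and the function names makerandom_with_fallback, makerandom_fail_closed and recover_seed are illustrative; the exact fallback Crypt::DSA used is not reproduced.

```python
"""Weak-fallback RNG vs fail-closed RNG, modelled on the Crypt::DSA report.

Added example (Python), not code from Crypt::DSA. The fallback is modelled
as a PRNG with a guessable seed; the module's real fallback is not shown.
"""
import os
import random

DEV_RANDOM = "/dev/random"
SEED_BITS = 16  # assumed size of the guessable seed space in this model


def _read_device(nbytes, dev_path):
    """Read exactly nbytes from the entropy device; None if the device is absent."""
    if not os.path.exists(dev_path):
        return None
    with open(dev_path, "rb") as fh:
        buf = fh.read(nbytes)
    if len(buf) != nbytes:
        # A short read (e.g. from /dev/null) must not silently shrink the key.
        raise RuntimeError("short read from %s" % dev_path)
    return buf


def weak_prng_bytes(seed, nbytes):
    """Deterministic stand-in for a non-cryptographic rand(): same seed, same bytes."""
    prng = random.Random(seed)
    return bytes(prng.getrandbits(8) for _ in range(nbytes))


def makerandom_with_fallback(nbytes, seed, dev_path=DEV_RANDOM):
    """Vulnerable pattern: secure device if present, otherwise a guessable PRNG."""
    buf = _read_device(nbytes, dev_path)
    if buf is not None:
        return buf
    # Insecure fallback: anyone who can enumerate 'seed' regenerates the output.
    return weak_prng_bytes(seed, nbytes)


def makerandom_fail_closed(nbytes, dev_path=DEV_RANDOM):
    """Hardened pattern (what removing the fallback achieves): no device, no key."""
    buf = _read_device(nbytes, dev_path)
    if buf is None:
        raise RuntimeError("no cryptographically secure random source available")
    return buf


def recover_seed(observed, seed_bits=SEED_BITS):
    """Attacker side: brute-force the seed that reproduces the observed secret bytes."""
    nbytes = len(observed)
    for seed in range(1 << seed_bits):
        if weak_prng_bytes(seed, nbytes) == observed:
            return seed
    return None


if __name__ == "__main__":
    # Simulate a host without /dev/random by pointing at a path that does not exist.
    missing = "/nonexistent/dev/random"
    secret = makerandom_with_fallback(20, seed=31337, dev_path=missing)
    print("recovered seed:", recover_seed(secret))
    try:
        makerandom_fail_closed(20, dev_path=missing)
    except RuntimeError as exc:
        print("fail-closed version refused:", exc)
```

The brute force only needs the seed space to be small, not the PRNG to be badly designed: the same search works against any deterministic generator once the seed is guessable, which is why the hardened version refuses to produce key material at all rather than degrade quietly.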

