mirrors/gentoo-ebuilds
3
0
Fork 0
mirror of https://anongit.gentoo.org/git/repo/gentoo.git synced 2025-12-18 08:02:08 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
gentoo-ebuilds/dev-perl/Authen-SASL/files/Authen-SASL-2.180.0_CVE-2025-40918-r1.patch
Hank Leininger 6a616af29c
 dev-perl/Authen-SASL: fix CVE-2025-40918 
Note that this (temporarily?) drops a lot of arches because upstream's
fix adds a new dependency on dev-perl/Crypt-URandom which currently has
very limited keywords.

Bug: https://bugs.gentoo.org/960293
Signed-off-by: Hank Leininger <hlein@korelogic.com>
Part-of: https://github.com/gentoo/gentoo/pull/43043
Closes: https://github.com/gentoo/gentoo/pull/43043
Signed-off-by: Sam James <sam@gentoo.org>
2025-07-17 18:20:05 +01:00

43 lines
1.5 KiB
Diff
Raw Permalink Blame History

From https://github.com/robrwo/perl-Authen-SASL/tree/rrwo/CVE-2025-40918
diff --git a/README b/README
index d7f071b..d564346 100644
--- a/README
+++ b/README
@@ -19,6 +19,7 @@ build Authen::SASL:
* Digest::MD5
* JSON::PP
* Test::More (for running tests only)
+ * Crypt::URandom
* Digest::HMAC_MD5
* GSSAPI (optional; for Kerberos v5 support)
diff --git a/lib/Authen/SASL/Perl/DIGEST_MD5.pm b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
index f089849..8c4a67a 100644
--- a/lib/Authen/SASL/Perl/DIGEST_MD5.pm
+++ b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
@@ -10,6 +10,7 @@ package Authen::SASL::Perl::DIGEST_MD5;
use strict;
use warnings;
use vars qw(@ISA $CNONCE $NONCE);
+use Crypt::URandom qw(urandom);
use Digest::MD5 qw(md5_hex md5);
use Digest::HMAC_MD5 qw(hmac_md5);
@@ -201,7 +202,7 @@ sub server_start {
$self->{need_step} = 1;
$self->{error} = undef;
- $self->{nonce} = md5_hex($NONCE || join (":", $$, time, rand));
+ $self->{nonce} = $NONCE ? md5_hex($NONCE) : unpack('H32',urandom(16));
$self->init_sec_layer;
@@ -260,7 +261,7 @@ sub client_step { # $self, $server_sasl_credentials
my %response = (
nonce => $sparams{'nonce'},
- cnonce => md5_hex($CNONCE || join (":", $$, time, rand)),
+ cnonce => $CNONCE ? md5_hex($CNONCE) : unpack('H32',urandom(16)),
'digest-uri' => $self->service . '/' . $self->host,
# calc how often the server nonce has been seen; server expects "00000001"
nc => sprintf("%08d", ++$self->{nonce_counts}{$sparams{'nonce'}}),
Reference in a new issue View git blame Copy permalink