Skip to main content


There is a 13 year old CVE for the CPAN perl module Crypt::DSA which is used as part of Crypt::OpenPGP.

I found it this morning and reported it, to get a reply that a CVE was assigned in 2011 and a patch offered in 2013 but the module has been abandoned by the author and the unpatched version is still on CPAN.

https://rt.cpan.org/Public/Bug/Display.html?id=71421

The flaw only affects platforms without /dev/random and the 2013 offered patch is to just break the module completely for platforms without /dev/random.

Given that Module::Build recommends Module::Signature which needs Crypt::OpenPGP that in turn needs Crypt::DSA it bothers me a bit that the insecure version is still on CPAN and that the only patch I can find breaks Crypt::DSA on Windows and other platforms without /dev/random.

A) Would an actual perl coder with access to a Windows environment for testing mind patching the module to use something like Bytes::Random::Secure that is cryptograpgic quality yet also works on platforms without /dev/random? Honestly I don't even see a need for Crypt::DSA to access /dev/random itself, it should call another plattform-independent library desined to spit out random bytes to get the random bytes it needs.

B) Why is it that a module with a known flaw over 10 years old is still completely unfixed on CPAN, and is there a collection of patches for such issues somewhere that I don't know about that people use to patch old distributions on CPAN that are abandoned but are still needed but have security issues?

submitted by /u/AnymooseProphet
[link] [comments]