There is a 13 year old CVE for the CPAN perl module Crypt::DSA
which is used as part of Crypt::OpenPGP
.
I found it this morning and reported it, to get a reply that a CVE was assigned in 2011 and a patch offered in 2013 but the module has been abandoned by the author and the unpatched version is still on CPAN.
https://rt.cpan.org/Public/Bug/Display.html?id=71421
The flaw only affects platforms without /dev/random
and the 2013 offered patch is to just break the module completely for platforms without /dev/random
.
Given that Module::Build
recommends Module::Signature
which needs Crypt::OpenPGP
that in turn needs Crypt::DSA
it bothers me a bit that the insecure version is still on CPAN and that the only patch I can find breaks Crypt::DSA
on Windows and other platforms without /dev/random
.
A) Would an actual perl coder with access to a Windows environment for testing mind patching the module to use something like Bytes::Random::Secure
that is cryptograpgic quality yet also works on platforms without /dev/random
? Honestly I don't even see a need for Crypt::DSA
to access /dev/random
itself, it should call another plattform-independent library desined to spit out random bytes to get the random bytes it needs.
B) Why is it that a module with a known flaw over 10 years old is still completely unfixed on CPAN, and is there a collection of patches for such issues somewhere that I don't know about that people use to patch old distributions on CPAN that are abandoned but are still needed but have security issues?
submitted by /u/AnymooseProphet
[link] [comments]