From 7de51c6a1411cff79ecc717925cb23be26ae15fd Mon Sep 17 00:00:00 2001 From: Azure Linux Security Servicing Account Date: Wed, 1 Jul 2026 04:34:36 +0000 Subject: [PATCH 1/2] Patch perl-Bytes-Random-Secure for CVE-2026-11625 --- .../CVE-2026-11625.patch | 62 +++++++++++++++++++ .../perl-Bytes-Random-Secure.spec | 7 ++- 2 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 SPECS/perl-Bytes-Random-Secure/CVE-2026-11625.patch diff --git a/SPECS/perl-Bytes-Random-Secure/CVE-2026-11625.patch b/SPECS/perl-Bytes-Random-Secure/CVE-2026-11625.patch new file mode 100644 index 00000000000..591a1c4da58 --- /dev/null +++ b/SPECS/perl-Bytes-Random-Secure/CVE-2026-11625.patch @@ -0,0 +1,62 @@ +From 8ab588d439ed0647e984c025634c1a8ed494b222 Mon Sep 17 00:00:00 2001 +From: Robert Rothenberg +Date: Thu, 25 Jun 2026 14:43:11 +0100 +Subject: [PATCH] Fix for CVE-2026-11625 + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/daoswald/Bytes-Random-Secure/pull/4.patch +--- + lib/Bytes/Random/Secure.pm | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/lib/Bytes/Random/Secure.pm b/lib/Bytes/Random/Secure.pm +index 65fbfe2..5bd3714 100644 +--- a/lib/Bytes/Random/Secure.pm ++++ b/lib/Bytes/Random/Secure.pm +@@ -156,6 +156,7 @@ sub _build_attributes { + $self->{$arg} = exists $args->{$arg} ? $args->{$arg} : $default; + } + ++ $self->{_pid} = $$; + $self->{_RNG} = undef; # Lazy initialization. + return $self; + } +@@ -171,6 +172,8 @@ sub _instantiate_rng { + my @seeds = $self->_generate_seed( %seed_opts ); + $self->{_RNG} = Math::Random::ISAAC->new(@seeds); + ++ $self->{_pid} = $$; ++ + return $self->{_RNG}; + } + +@@ -224,7 +227,7 @@ sub bytes { + $bytes = defined $bytes ? $bytes : 0; # Default to zero bytes. + $self->_validate_int( $bytes ); # Throws on violation. + +- $self->_instantiate_rng unless defined $self->{_RNG}; ++ $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG}; + + my $str = ''; + +@@ -302,7 +305,7 @@ sub _ranged_randoms { + $count = defined $count ? $count : 0; + + # Lazily seed the RNG so we don't waste available strong entropy. +- $self->_instantiate_rng unless defined $self->{_RNG}; ++ $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG}; + + my $divisor = $self->_closest_divisor($range); + +@@ -354,7 +357,7 @@ sub _closest_divisor { + + sub irand { + my( $self ) = @_; +- $self->_instantiate_rng unless defined $self->{_RNG}; ++ $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG}; + return $self->{_RNG}->irand; + } + +-- +2.45.4 + diff --git a/SPECS/perl-Bytes-Random-Secure/perl-Bytes-Random-Secure.spec b/SPECS/perl-Bytes-Random-Secure/perl-Bytes-Random-Secure.spec index 4f257308b88..ac34735d951 100644 --- a/SPECS/perl-Bytes-Random-Secure/perl-Bytes-Random-Secure.spec +++ b/SPECS/perl-Bytes-Random-Secure/perl-Bytes-Random-Secure.spec @@ -5,12 +5,13 @@ Summary: Perl extension to generate cryptographically-secure random bytes Name: perl-Bytes-Random-Secure Version: 0.29 -Release: 21%{?dist} +Release: 22%{?dist} License: GPL+ OR Artistic Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://metacpan.org/release/Bytes-Random-Secure Source0: https://cpan.metacpan.org/modules/by-module/Bytes/Bytes-Random-Secure-%{version}.tar.gz +Patch0: CVE-2026-11625.patch BuildArch: noarch BuildRequires: make @@ -68,6 +69,7 @@ object-oriented interface that provides much more flexibility. %prep %setup -q -n Bytes-Random-Secure-%{version} +%patch 0 -p1 %if !%{with perl_Bytes_Random_Secure_enables_optional_test} rm t/21-bytes_random_tests.t perl -i -ne 'print $_ unless m{^t/21-bytes_random_tests.t}' MANIFEST @@ -92,6 +94,9 @@ make test %{_mandir}/man3/* %changelog +* Wed Jul 01 2026 Azure Linux Security Servicing Account - 0.29-22 +- Patch for CVE-2026-11625 + * Tue May 31 2022 Pawel Winogrodzki - 0.29-21 - Initial CBL-Mariner import from Fedora 34 (license: MIT). - License verified. From 069743be3826c4aeec0c322eeee71c0232ecdbb1 Mon Sep 17 00:00:00 2001 From: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com> Date: Wed, 1 Jul 2026 16:25:50 +0530 Subject: [PATCH 2/2] Use autosetup for Bytes-Random-Secure spec Replaced manual setup and patch commands with autosetup. --- SPECS/perl-Bytes-Random-Secure/perl-Bytes-Random-Secure.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/SPECS/perl-Bytes-Random-Secure/perl-Bytes-Random-Secure.spec b/SPECS/perl-Bytes-Random-Secure/perl-Bytes-Random-Secure.spec index ac34735d951..7ede95806a9 100644 --- a/SPECS/perl-Bytes-Random-Secure/perl-Bytes-Random-Secure.spec +++ b/SPECS/perl-Bytes-Random-Secure/perl-Bytes-Random-Secure.spec @@ -68,8 +68,7 @@ greater control over the random number generator's seeding, there is an object-oriented interface that provides much more flexibility. %prep -%setup -q -n Bytes-Random-Secure-%{version} -%patch 0 -p1 +%autosetup -p1 -n Bytes-Random-Secure-%{version} %if !%{with perl_Bytes_Random_Secure_enables_optional_test} rm t/21-bytes_random_tests.t perl -i -ne 'print $_ unless m{^t/21-bytes_random_tests.t}' MANIFEST