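--- a/SPECS/perl-Bytes-Random-Secure/CVE-2026-11625.patch
+++ b/SPECS/perl-Bytes-Random-Secure/CVE-2026-11625.patch
@@ -0,0 +1,62 @@
+From 8ab588d439ed0647e984c025634c1a8ed494b222 Mon Sep 17 00:00:00 2001
+From: Robert Rothenberg <perl@rhizomnic.com>
+Date: Thu, 25 Jun 2026 14:43:11 +0100
+Subject: [PATCH] Fix for CVE-2026-11625
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/daoswald/Bytes-Random-Secure/pull/4.patch
+---
+lib/Bytes/Random/Secure.pm | 9 ++++++---
+1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/lib/Bytes/Random/Secure.pm b/lib/Bytes/Random/Secure.pm
+index 65fbfe2..5bd3714 100644
+--- a/lib/Bytes/Random/Secure.pm
++++ b/lib/Bytes/Random/Secure.pm
+@@ -156,6 +156,7 @@ sub _build_attributes {
+$self->{$arg} = exists $args->{$arg} ? $args->{$arg} : $default;
+}
+
++ $self->{_pid} = $$;
+$self->{_RNG} = undef; # Lazy initialization.
+return $self;
+}
+@@ -171,6 +172,8 @@ sub _instantiate_rng {
+my @seeds = $self->_generate_seed( %seed_opts );
+$self->{_RNG} = Math::Random::ISAAC->new(@seeds);
+
++ $self->{_pid} = $$;
++
+return $self->{_RNG};
+}
+
+@@ -224,7 +227,7 @@ sub bytes {
+$bytes = defined $bytes ? $bytes : 0; # Default to zero bytes.
+$self->_validate_int( $bytes ); # Throws on violation.
+
+- $self->_instantiate_rng unless defined $self->{_RNG};
++ $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG};
+
+my $str = '';
+
+@@ -302,7 +305,7 @@ sub _ranged_randoms {
+$count = defined $count ? $count : 0;
+
+# Lazily seed the RNG so we don't waste available strong entropy.
+- $self->_instantiate_rng unless defined $self->{_RNG};
++ $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG};
+
+my $divisor = $self->_closest_divisor($range);
+
+@@ -354,7 +357,7 @@ sub _closest_divisor {
+
+sub irand {
+my( $self ) = @_;
+- $self->_instantiate_rng unless defined $self->{_RNG};
++ $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG};
+return $self->{_RNG}->irand;
+}
+
+--
+2.45.4
+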
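Review bot: The fork guard `$self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG};` is pasted verbatim into `bytes`, `_ranged_randoms` and `irand` with nothing saying why the PID matters, and any other method that reads `$self->{_RNG}` directly (none is visible in this patch) would silently bypass it. I would centralize it in one accessor, `sub _rng { my ($self) = @_; $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG}; return $self->{_RNG}; }`, have the three call sites read `$self->_rng`, and put the reasoning above it: `# Reseed after fork(): a child that inherits the parent's ISAAC state would otherwise reproduce the same byte stream.` If an instance can reach these methods without `_build_attributes` having run (a subclass constructor or a deserialized object, which the patch does not show), `$self->{_pid}` is undef and `$$ == $self->{_pid}` warns under `use warnings` before reseeding, so `defined $self->{_pid} && $$ == $self->{_pid}` would be the quieter form. The bodies of `_build_attributes`, `_instantiate_rng`, `bytes` and `_ranged_randoms` begin or continue outside their hunks.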
Expand Up @@ -5,12 +5,13 @@
Summary: Perl extension to generate cryptographically-secure random bytes
Name: perl-Bytes-Random-Secure
Version: 0.29
Release: 21%{?dist}
Release: 22%{?dist}
License: GPL+ OR Artistic
Vendor: Microsoft Corporation
Distribution: Azure Linux
URL: https://metacpan.org/release/Bytes-Random-Secure
Source0: https://cpan.metacpan.org/modules/by-module/Bytes/Bytes-Random-Secure-%{version}.tar.gz
Patch0: CVE-2026-11625.patch
BuildArch: noarch

BuildRequires: make
Expand Down Expand Up @@ -67,7 +68,7 @@ greater control over the random number generator's seeding, there is an
object-oriented interface that provides much more flexibility.

%prep
%setup -q -n Bytes-Random-Secure-%{version}
%autosetup -p1 -n Bytes-Random-Secure-%{version}
%if !%{with perl_Bytes_Random_Secure_enables_optional_test}
rm t/21-bytes_random_tests.t
perl -i -ne 'print $_ unless m{^t/21-bytes_random_tests.t}' MANIFEST
Expand All @@ -92,6 +93,9 @@ make test
%{_mandir}/man3/*

%changelog
* Wed Jul 01 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.29-22
- Patch for CVE-2026-11625

* Tue May 31 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.29-21
- Initial CBL-Mariner import from Fedora 34 (license: MIT).
- License verified.