forked from perl/perl-Authen-SASL
Petr Gajdos
406b7a3ade
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/perl-Authen-SASL?expand=0&rev=30
75 lines
2.8 KiB
Diff
75 lines
2.8 KiB
Diff
From 82e12b25963bd9d156a9006c9a0929f459b8536a Mon Sep 17 00:00:00 2001
|
|
From: Robert Rothenberg <rrwo@cpan.org>
|
|
Date: Thu, 10 Jul 2025 21:05:29 +0100
|
|
Subject: [PATCH 1/3] Generate cnonce and nonce from system randomness
|
|
|
|
This fixes CVE-2025-40918.
|
|
---
|
|
lib/Authen/SASL/Perl/DIGEST_MD5.pm | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/lib/Authen/SASL/Perl/DIGEST_MD5.pm b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
|
|
index f089849..44d2109 100644
|
|
--- a/lib/Authen/SASL/Perl/DIGEST_MD5.pm
|
|
+++ b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
|
|
@@ -10,6 +10,7 @@ package Authen::SASL::Perl::DIGEST_MD5;
|
|
use strict;
|
|
use warnings;
|
|
use vars qw(@ISA $CNONCE $NONCE);
|
|
+use Crypt::URandom qw(urandom);
|
|
use Digest::MD5 qw(md5_hex md5);
|
|
use Digest::HMAC_MD5 qw(hmac_md5);
|
|
|
|
@@ -201,7 +202,7 @@ sub server_start {
|
|
|
|
$self->{need_step} = 1;
|
|
$self->{error} = undef;
|
|
- $self->{nonce} = md5_hex($NONCE || join (":", $$, time, rand));
|
|
+ $self->{nonce} = $NONCE? md5_hex($NONCE) : unpack('H32',urandom(16));
|
|
|
|
$self->init_sec_layer;
|
|
|
|
@@ -260,7 +261,7 @@ sub client_step { # $self, $server_sasl_credentials
|
|
|
|
my %response = (
|
|
nonce => $sparams{'nonce'},
|
|
- cnonce => md5_hex($CNONCE || join (":", $$, time, rand)),
|
|
+ cnonce => $CNONCE? md5_hex($CNONCE) : unpack('H32',urandom(16)),
|
|
'digest-uri' => $self->service . '/' . $self->host,
|
|
# calc how often the server nonce has been seen; server expects "00000001"
|
|
nc => sprintf("%08d", ++$self->{nonce_counts}{$sparams{'nonce'}}),
|
|
|
|
From 1284e47c1715ad7d0a8dc07d72d9524ca0da3f17 Mon Sep 17 00:00:00 2001
|
|
From: Robert Rothenberg <rrwo@cpan.org>
|
|
Date: Wed, 16 Jul 2025 19:59:42 +0100
|
|
Subject: [PATCH 2/3] Add whitespace before conditional operator
|
|
|
|
---
|
|
lib/Authen/SASL/Perl/DIGEST_MD5.pm | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/lib/Authen/SASL/Perl/DIGEST_MD5.pm b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
|
|
index 44d2109..8c4a67a 100644
|
|
--- a/lib/Authen/SASL/Perl/DIGEST_MD5.pm
|
|
+++ b/lib/Authen/SASL/Perl/DIGEST_MD5.pm
|
|
@@ -202,7 +202,7 @@ sub server_start {
|
|
|
|
$self->{need_step} = 1;
|
|
$self->{error} = undef;
|
|
- $self->{nonce} = $NONCE? md5_hex($NONCE) : unpack('H32',urandom(16));
|
|
+ $self->{nonce} = $NONCE ? md5_hex($NONCE) : unpack('H32',urandom(16));
|
|
|
|
$self->init_sec_layer;
|
|
|
|
@@ -261,7 +261,7 @@ sub client_step { # $self, $server_sasl_credentials
|
|
|
|
my %response = (
|
|
nonce => $sparams{'nonce'},
|
|
- cnonce => $CNONCE? md5_hex($CNONCE) : unpack('H32',urandom(16)),
|
|
+ cnonce => $CNONCE ? md5_hex($CNONCE) : unpack('H32',urandom(16)),
|
|
'digest-uri' => $self->service . '/' . $self->host,
|
|
# calc how often the server nonce has been seen; server expects "00000001"
|
|
nc => sprintf("%08d", ++$self->{nonce_counts}{$sparams{'nonce'}}),
|
|
|
|
|