Red Hat Bugzilla – Bug 743567
CVE-2011-3599 perl-Crypt-DSA: Cryptographically insecure method used for random numbers generation on systems without /dev/random
Last modified: 2013-09-19 15:41:45 EDT
It has been reported that Crypt::DSA, a Perl module for DSA signatures and key generation, used cryptographically weak / insecure method for random numbers generation on systems, where /dev/random file was not present. Due this flaw an attacker could be able to discover some portions of / whole secret DSA key, which has been created on such system.
Proposed upstream patch is to remove the affected fallback code part:
(though not approved yet)
This issue affects the versions of the perl-Crypt-DSA package, as shipped with Fedora release of 14, 15, and as shipped within EPEL-4, EPEL-5 and EPEL-6 repositories.
Under 'affects' I mean that the relevant code part / fallback is present in the code.
Though obviously on Fedora and EPEL systems, the safer /dev/random code branch would be used for DSA key generation. Thus this deficiency would not show and I will leave the decision to the perl-Crypt-DSA module developers, if it's worthy to schedule new Fedora / EPEL updates or not.
Given that no Fedora/EPEL system is actually going to be impacted by this, I'm inclined to wait until there's a new upstream release before "fixing" it.
The CVE identifier of CVE-2011-3599 has been assigned to this issue:
Does SELinux policy deny access to /dev/random in some cases? If yes, then such process would be affected.
I can imagine an administrator will confine a third-party application by assigning a dedicated label to increase security. Because default policy is to deny, the DSA generation will get doomed.
You're right. I'll look at doing an update later today.
perl-Crypt-DSA-1.17-10.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
perl-Crypt-DSA-1.17-10.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
perl-Crypt-DSA-0.14-8.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
perl-Crypt-DSA-1.17-10.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This is now fixed in all current Fedora and EPEL releases.