2359259 – (CVE-2025-2814) CVE-2025-2814 Crypt-CBC: Crypt::CBC versions between 1.21 and 3.04 for Perl may use insecure rand() function for cryptographic functions

Bug 2359259 (CVE-2025-2814) - CVE-2025-2814 Crypt-CBC: Crypt::CBC versions between 1.21 and 3.04 for Perl may use insecure rand() function for cryptographic functions

Summary: CVE-2025-2814 Crypt-CBC: Crypt::CBC versions between 1.21 and 3.04 for Perl m...

Keywords:
Status:	NEW
Alias:	CVE-2025-2814
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2359382 2359383 2359384 2359385
Blocks:
TreeView+	depends on / blocked

Reported:	2025-04-13 00:01 UTC by OSIDB Bzimport
Modified:	2025-04-17 11:00 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-04-13 00:01:03 UTC

Crypt::CBC versions between 1.21 and 3.04 for Perl may use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.

This issue affects operating systems where "/dev/urandom'" is unavailable.  In that case, Crypt::CBC will fallback to use the insecure rand() function.

Comment 1 Paul Howarth 2025-04-17 11:00:55 UTC

Raised upstream: https://github.com/lstein/Lib-Crypt-CBC/issues/9

Is this ever likely to be an issue on Linux, where /dev/urandom should always be available? In containers perhaps?

Note You need to log in before you can comment on or make changes to this bug.